New variable AJXP_SANITIZE_FILENAME, to be less restrictive on the al…

…lowed characters than AJXP_SANITIZE_HTML_STRICT. Particularly, allow commas in filename.

core/src/core/classes/class.AJXP_Utils.php

@@ -24,6 +24,7 @@
 define('AJXP_SANITIZE_HTML_STRICT', 2);
 define('AJXP_SANITIZE_ALPHANUM', 3);
 define('AJXP_SANITIZE_EMAILCHARS', 4);
+define('AJXP_SANITIZE_FILENAME', 5);
 
 // THESE ARE DEFINED IN bootstrap_context.php
 // REPEAT HERE FOR BACKWARD COMPATIBILITY.
@@ -133,14 +134,19 @@ public static function safeBasename($path)
      */
     public static function sanitize($s, $level = AJXP_SANITIZE_HTML, $expand = 'script|style|noframes|select|option')
     {
-        /**/ //prep the string
-        $s = ' ' . $s;
         if ($level == AJXP_SANITIZE_ALPHANUM) {
             return preg_replace("/[^a-zA-Z0-9_\-\.]/", "", $s);
         } else if ($level == AJXP_SANITIZE_EMAILCHARS) {
             return preg_replace("/[^a-zA-Z0-9_\-\.@!%\+=|~\?]/", "", $s);
+        } else if ($level == AJXP_SANITIZE_FILENAME) {
+            $s = str_replace(chr(0), "", $s);
+            $s = preg_replace("/[\"\/\|\?\\\]/", "", $s);
+            return $s;
         }
 
+        /**/ //prep the string
+        $s = ' ' . $s;
+
         //begin removal
         /**/ //remove comment blocks
         while (stripos($s, '<!--') > 0) {

core/src/plugins/access.fs/class.fsAccessDriver.php

@@ -512,7 +512,7 @@ public function switchAction($action, $httpVars, $fileVars)
             case "mkdir";
 
                 $messtmp="";
-                $dirname=AJXP_Utils::decodeSecureMagic($httpVars["dirname"], AJXP_SANITIZE_HTML_STRICT);
+                $dirname=AJXP_Utils::decodeSecureMagic($httpVars["dirname"], AJXP_SANITIZE_FILENAME);
                 $dirname = substr($dirname, 0, ConfService::getCoreConf("NODENAME_MAX_LENGTH"));
                 $this->filterUserSelectionToHidden(array($dirname));
                 AJXP_Controller::applyHook("node.before_create", array(new AJXP_Node($dir."/".$dirname), -2));
@@ -538,7 +538,7 @@ public function switchAction($action, $httpVars, $fileVars)
             case "mkfile";
 
                 $messtmp="";
-                $filename=AJXP_Utils::decodeSecureMagic($httpVars["filename"], AJXP_SANITIZE_HTML_STRICT);
+                $filename=AJXP_Utils::decodeSecureMagic($httpVars["filename"], AJXP_SANITIZE_FILENAME);
                 $filename = substr($filename, 0, ConfService::getCoreConf("NODENAME_MAX_LENGTH"));
                 $this->filterUserSelectionToHidden(array($filename));
                 $content = "";
@@ -614,9 +614,9 @@ public function switchAction($action, $httpVars, $fileVars)
                     } catch (Exception $e) {
                         return array("ERROR" => array("CODE" => 411, "MESSAGE" => "Forbidden"));
                     }
-                    $userfile_name=AJXP_Utils::sanitize(SystemTextEncoding::fromPostedFileName($userfile_name), AJXP_SANITIZE_HTML_STRICT);
+                    $userfile_name=AJXP_Utils::sanitize(SystemTextEncoding::fromPostedFileName($userfile_name), AJXP_SANITIZE_FILENAME);
                     if (isSet($httpVars["urlencoded_filename"])) {
-                        $userfile_name = AJXP_Utils::sanitize(SystemTextEncoding::fromUTF8(urldecode($httpVars["urlencoded_filename"])), AJXP_SANITIZE_HTML_STRICT);
+                        $userfile_name = AJXP_Utils::sanitize(SystemTextEncoding::fromUTF8(urldecode($httpVars["urlencoded_filename"])), AJXP_SANITIZE_FILENAME);
                     }
                     $this->logDebug("User filename ".$userfile_name);
                     $userfile_name = substr($userfile_name, 0, ConfService::getCoreConf("NODENAME_MAX_LENGTH"));
@@ -667,7 +667,7 @@ public function switchAction($action, $httpVars, $fileVars)
                         }
                     }
                     if (isSet($httpVars["appendto_urlencoded_part"])) {
-                        $appendTo = AJXP_Utils::sanitize(SystemTextEncoding::fromUTF8(urldecode($httpVars["appendto_urlencoded_part"])), AJXP_SANITIZE_HTML_STRICT);
+                        $appendTo = AJXP_Utils::sanitize(SystemTextEncoding::fromUTF8(urldecode($httpVars["appendto_urlencoded_part"])), AJXP_SANITIZE_FILENAME);
                         if (file_exists($destination ."/" . $appendTo)) {
                             $this->logDebug("Should copy stream from $userfile_name to $appendTo");
                             $partO = fopen($destination."/".$userfile_name, "r");
@@ -1458,7 +1458,7 @@ public function rename($filePath, $filename_new, $dest = null)
     {
         $nom_fic=basename($filePath);
         $mess = ConfService::getMessages();
-        $filename_new=AJXP_Utils::sanitize(SystemTextEncoding::magicDequote($filename_new), AJXP_SANITIZE_HTML_STRICT);
+        $filename_new=AJXP_Utils::sanitize(SystemTextEncoding::magicDequote($filename_new), AJXP_SANITIZE_FILENAME);
         $filename_new = substr($filename_new, 0, ConfService::getCoreConf("NODENAME_MAX_LENGTH"));
         $old=$this->urlBase."/$filePath";
         if (!$this->isWriteable($old)) {

core/src/plugins/uploader.jumploader/class.JumploaderProcessor.php

@@ -277,7 +277,7 @@ public function postProcess($action, $httpVars, $postProcessData)
                 // Create the folder tree as necessary
                 foreach ($subs as $key => $spath) {
                     $messtmp="";
-                    $dirname=AJXP_Utils::decodeSecureMagic($spath, AJXP_SANITIZE_HTML_STRICT);
+                    $dirname=AJXP_Utils::decodeSecureMagic($spath, AJXP_SANITIZE_FILENAME);
                     $dirname = substr($dirname, 0, ConfService::getCoreConf("NODENAME_MAX_LENGTH"));
                     //$this->filterUserSelectionToHidden(array($dirname));
                     if (AJXP_Utils::isHidden($dirname)) {