Sanitize filename on SHP import

Signed-off-by: Michal Čihař <michal@cihar.com>

libraries/plugins/import/ImportShp.class.php

@@ -98,21 +98,23 @@ public function doImport()
                     // Extract the .dbf file and point to it.
                     $extracted =  PMA_zipExtract(
                         $import_file,
-                        realpath($GLOBALS['cfg']['TempDir']),
-                        array($dbf_file_name)
+                        $dbf_file_name
                     );
-                    if ($extracted) {
+                    if ($extracted !== false) {
                         $dbf_file_path = realpath($GLOBALS['cfg']['TempDir'])
-                            . (PMA_IS_WINDOWS ? '\\' : '/') . $dbf_file_name;
-                        $temp_dbf_file = true;
-                        // Replace the .dbf with .*, as required
-                        // by the bsShapeFiles library.
-                        $file_name = /*overload*/mb_substr(
-                            $dbf_file_path,
-                            0,
-                            /*overload*/mb_strlen($dbf_file_path) - 4
-                        ) . '.*';
-                        $shp->FileName = $file_name;
+                            . (PMA_IS_WINDOWS ? '\\' : '/') . PMA_sanitizeFilename($dbf_file_name, true);
+                        $handle = fopen($dbf_file_path, 'wb');
+                        if ($handle !== false) {
+                            fwrite($handle, $extracted);
+                            fclose($handle);
+                            $temp_dbf_file = true;
+                            // Replace the .dbf with .*, as required
+                            // by the bsShapeFiles library.
+                            $file_name = substr(
+                                $dbf_file_path, 0, strlen($dbf_file_path) - 4
+                            ) . '.*';
+                            $shp->FileName = $file_name;
+                        }
                     }
                 }
             } elseif (! empty($local_import_file)

libraries/zip_extension.lib.php

@@ -144,19 +144,18 @@ function PMA_getNoOfFilesInZip($file)
 /**
  * Extracts a set of files from the given zip archive to a given destinations.
  *
- * @param string $zip_path    path to the zip archive
- * @param string $destination destination to extract files
- * @param array  $entries     files in archive that should be extracted
+ * @param string $zip_path path to the zip archive
+ * @param string $entry    file in the archive that should be extracted
  *
- * @return bool true on success, false otherwise
+ * @return string|bool data on sucess, false otherwise
  */
-function PMA_zipExtract($zip_path, $destination, $entries)
+function PMA_zipExtract($zip_path, $entry)
 {
     $zip = new ZipArchive;
     if ($zip->open($zip_path) === true) {
-        $zip->extractTo($destination, $entries);
+        $result = $zip->getFromName($entry);
         $zip->close();
-        return true;
+        return $result;
     }
     return false;
 }

test/libraries/PMA_zip_extension_test.php

@@ -119,10 +119,16 @@ public function testGetNoOfFilesInZip()
     public function testZipExtract()
     {
         $this->assertEquals(
+            false,
             PMA_zipExtract(
-                './test/test_data/test.zip', './test/test_data/', 'wrongName'
-            ),
-            true
+                './test/test_data/test.zip', 'wrongName'
+            )
+        );
+        $this->assertEquals(
+            "TEST FILE\n",
+            PMA_zipExtract(
+                './test/test_data/test.zip', 'test.file'
+            )
         );
     }