diff --git a/workflow/engine/methods/processes/processes_Ajax.php b/workflow/engine/methods/processes/processes_Ajax.php
index cd3fefdc4..fe1915d84 100755
--- a/workflow/engine/methods/processes/processes_Ajax.php
+++ b/workflow/engine/methods/processes/processes_Ajax.php
@@ -498,30 +498,54 @@ try {
 case 'saveFile':
 global $G_PUBLISH;
 $G_PUBLISH = new Publisher();
- $sDir = "";
- if (isset($_REQUEST['MAIN_DIRECTORY'])) {
- $sDir = $_REQUEST['MAIN_DIRECTORY'];
+ global $RBAC;
+ if ( $RBAC->userCanAccess('PM_FACTORY') == 1) {
+ G::LoadClass('processes');
+ $app = new Processes();
+ if (!$app->processExists($_REQUEST['pro_uid'])) {
+ echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
+ die;
+ }
+
+ $sDir = "";
+ if (isset($_REQUEST['MAIN_DIRECTORY'])) {
+ $sDir = $_REQUEST['MAIN_DIRECTORY'];
+ }
+ switch ($sDir) {
+ case 'mailTemplates':
+ $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
+ break;
+ case 'public':
+ $sDirectory = PATH_DATA_PUBLIC . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
+ break;
+ default:
+ $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
+ break;
+ }
+ $fp = fopen($sDirectory, 'w');
+ $content = stripslashes($_REQUEST['fcontent']);
+ $content = str_replace("@amp@", "&", $content);
+ $content = base64_decode($content);
+ $fields = array('!--', '--', '!DOCTYPE', 'a', 'abbr', 'acronym', 'address', 'applet', 'area',
+ 'article', 'aside', 'audio', 'b', 'base', 'basefont', 'bdi', 'bdo', 'big',
+ 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite',
+ 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn',
+ 'dialog', 'dir', 'div', 'dl', 'dt', 'em', 'embed', 'fieldset', 'figcaption',
+ 'figure', 'font', 'footer', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4',
+ 'h5', 'h6', 'head', 'header', 'hr', 'html', 'i', 'iframe', 'img', 'input', 'ins',
+ 'kbd', 'keygen', 'label', 'legend', 'li', 'link', 'map', 'mark', 'menu', 'meta',
+ 'meter', 'nav', 'noframes', 'noscript', 'object', 'ol', 'optgroup', 'option',
+ 'output', 'p', 'param', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp',
+ 'script', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style',
+ 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
+ 'time', 'title', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr');
+ $content = G::sanitizeInput($content, $fields, array(), 0, 1, 0);
+ fwrite($fp, $content);
+ fclose($fp);
+ echo 'saved: ' . $sDirectory;
 }
- switch ($sDir) {
- case 'mailTemplates':
- $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
- break;
- case 'public':
- $sDirectory = PATH_DATA_PUBLIC . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
- break;
- default:
- $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
- break;
- }
-
- $fp = fopen($sDirectory, 'w');
- $content = stripslashes($_REQUEST['fcontent']);
- $content = str_replace("@amp@", "&", $content);
- $content = base64_decode($content);
- fwrite($fp, $content);
- fclose($fp);
- echo 'saved: ' . $sDirectory;
+ break;
 case 'events':
 $oProcessMap->eventsList($oData->pro_uid, $oData->type);
diff --git a/workflow/engine/methods/processes/processes_UploadFiles.php b/workflow/engine/methods/processes/processes_UploadFiles.php
index 4d6cca241..e40f0981b 100755
--- a/workflow/engine/methods/processes/processes_UploadFiles.php
+++ b/workflow/engine/methods/processes/processes_UploadFiles.php
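Review bot: `$_REQUEST['filename']` is concatenated straight into `$sDirectory` and opened with `fopen($sDirectory, 'w')`, so the new RBAC and `processExists` checks still leave the written path under the caller's control; restrict it to a single path component before the `switch`, e.g. `if ($_REQUEST['filename'] === '' || basename($_REQUEST['filename']) !== $_REQUEST['filename']) { die; }`, and apply the same to `CURRENT_DIRECTORY` in processes_UploadFiles.php and processes_doUpload.php. The `fopen` result is unchecked, so a failed open reaches `fwrite(false, ...)` and the handler still echoes `saved:`. If the second argument of `G::sanitizeInput` is the set of tags it keeps, then `script`, `iframe`, `object`, `embed` and `style` in `$fields` would pass the markup this call was added to remove — confirm against the helper's semantics. When `userCanAccess` fails the case falls through to `break` with no output, unlike the other error paths, which echo a translation. The `$fields` list is duplicated verbatim in all three files and would be better hoisted into one shared constant.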
@@ -1,19 +1,44 @@ userCanAccess('PM_FACTORY') == 1) {
+ G::LoadClass('processes');
+ $app = new Processes();
+ if (!$app->processExists($_REQUEST['pro_uid'])) {
+ echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
+ die;
 }
+ switch ($_POST['form']['MAIN_DIRECTORY']) {
+ case 'mailTemplates':
+ $sDirectory = PATH_DATA_MAILTEMPLATES . $_POST['form']['PRO_UID'] . PATH_SEP . ($_POST['form']['CURRENT_DIRECTORY'] != '' ? $_POST['form']['CURRENT_DIRECTORY'] . PATH_SEP : '');
+ break;
+ case 'public':
+ $sDirectory = PATH_DATA_PUBLIC . $_POST['form']['PRO_UID'] . PATH_SEP . ($_POST['form']['CURRENT_DIRECTORY'] != '' ? $_POST['form']['CURRENT_DIRECTORY'] . PATH_SEP : '');
+ break;
+ default:
+ die();
+ break;
+ }
+ for ($i = 1; $i <= 5; $i ++) {
+ if ($_FILES['form']['tmp_name']['FILENAME' . (string) $i] != '') {
+ G::uploadFile( $_FILES['form']['tmp_name']['FILENAME' . (string) $i], $sDirectory, $_FILES['form']['name']['FILENAME' . (string) $i] );
+ $fp = fopen($sDirectory, $_FILES['form']['name']['FILENAME' . (string) $i] , 'rw');
+ $content = fread($fp, filesize($sDirectory, $_FILES['form']['name']['FILENAME' . (string) $i] ));
+ $fields = array('!--', '--', '!DOCTYPE', 'a', 'abbr', 'acronym', 'address', 'applet', 'area',
+ 'article', 'aside', 'audio', 'b', 'base', 'basefont', 'bdi', 'bdo', 'big',
+ 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite',
+ 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn',
+ 'dialog', 'dir', 'div', 'dl', 'dt', 'em', 'embed', 'fieldset', 'figcaption',
+ 'figure', 'font', 'footer', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4',
+ 'h5', 'h6', 'head', 'header', 'hr', 'html', 'i', 'iframe', 'img', 'input', 'ins',
+ 'kbd', 'keygen', 'label', 'legend', 'li', 'link', 'map', 'mark', 'menu', 'meta',
+ 'meter', 'nav', 'noframes', 'noscript', 'object', 'ol', 'optgroup', 'option',
+ 'output', 'p', 'param', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp',
+ 'script', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style',
+ 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
+ 'time', 'title', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr');
+ $content = G::sanitizeInput($content, $fields, array(), 0, 1, 0);
+ fwrite( $fp, $content );
+ fclose($fp);
+ }
+ }
 }
 die( '' );
diff --git a/workflow/engine/methods/processes/processes_doUpload.php b/workflow/engine/methods/processes/processes_doUpload.php
index 152832ad9..7653c726f 100755
--- a/workflow/engine/methods/processes/processes_doUpload.php
+++ b/workflow/engine/methods/processes/processes_doUpload.php
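Review bot: The `fopen`/`fread` pair inside the loop cannot work as written: `fopen($sDirectory, $_FILES[...]['name'][...], 'rw')` passes the file name as the mode and `'rw'` as `use_include_path`, and `filesize($sDirectory, ...)` receives two arguments where it takes one, so `$content` never holds the uploaded file. Even with the arguments repaired, `fwrite` on a handle `fread` has just consumed appends the sanitized copy after the original instead of replacing it, and `'rw'` is not a documented mode (in practice it behaves as `'r'`); processes_doUpload.php has the same pattern. The existence check uses `$_REQUEST['pro_uid']` while the path is built from `$_POST['form']['PRO_UID']`, so the validated value is not the one used — make it `if (!$app->processExists($_POST['form']['PRO_UID'])) {`. The `!= ''` test should be preceded by `isset()` so requests with fewer than five files do not raise undefined-index notices. A reworked loop body using `file_get_contents`/`file_put_contents` is below; the `if ($RBAC->...)` that encloses it opens in the garbled head of this hunk.
```php
if (isset($_FILES['form']['tmp_name']['FILENAME' . (string) $i]) && $_FILES['form']['tmp_name']['FILENAME' . (string) $i] != '') {
    $name = $_FILES['form']['name']['FILENAME' . (string) $i];
    G::uploadFile( $_FILES['form']['tmp_name']['FILENAME' . (string) $i], $sDirectory, $name );
    $path = $sDirectory . $name;
    // … unchanged: $fields tag list …
    $content = file_get_contents($path);
    if ($content === false) {
        die();
    }
    $content = G::sanitizeInput($content, $fields, array(), 0, 1, 0);
    file_put_contents($path, $content, LOCK_EX);
}
```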
@@ -1,29 +1,57 @@ userCanAccess('PM_FACTORY') == 1) {
-if (isset( $_SESSION['processes_upload'] )) {
- $form = $_SESSION['processes_upload'];
- switch ($form['MAIN_DIRECTORY']) {
- case 'mailTemplates':
- $sDirectory = PATH_DATA_MAILTEMPLATES . $form['PRO_UID'] . PATH_SEP . ($form['CURRENT_DIRECTORY'] != '' ? $form['CURRENT_DIRECTORY'] . PATH_SEP : '');
- break;
- case 'public':
- $sDirectory = PATH_DATA_PUBLIC . $form['PRO_UID'] . PATH_SEP . ($form['CURRENT_DIRECTORY'] != '' ? $form['CURRENT_DIRECTORY'] . PATH_SEP : '');
- break;
- default:
- die();
- break;
+ if (isset( $_SESSION['processes_upload'] )) {
+ $form = $_SESSION['processes_upload'];
+ switch ($form['MAIN_DIRECTORY']) {
+ case 'mailTemplates':
+ $sDirectory = PATH_DATA_MAILTEMPLATES . $form['PRO_UID'] . PATH_SEP . ($form['CURRENT_DIRECTORY'] != '' ? $form['CURRENT_DIRECTORY'] . PATH_SEP : '');
+ break;
+ case 'public':
+ $sDirectory = PATH_DATA_PUBLIC . $form['PRO_UID'] . PATH_SEP . ($form['CURRENT_DIRECTORY'] != '' ? $form['CURRENT_DIRECTORY'] . PATH_SEP : '');
+ break;
+ default:
+ die();
+ break;
+ }
+ G::LoadClass('processes');
+ $app = new Processes();
+ if (!$app->processExists($form['PRO_UID'])) {
+ echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
+ die;
+ }
+ }
-}
-if ($_FILES['form']['error'] == "0") {
- G::uploadFile( $_FILES['form']['tmp_name'], $sDirectory, $_FILES['form']['name'] );
- $msg = "Uploaded (" . (round( (filesize( $sDirectory . $_FILES['form']['name'] ) / 1024) * 10 ) / 10) . " kb)";
- $result = 1;
- //echo $sDirectory.$_FILES['form']['name'];
-} else {
- $msg = "Failed";
- $result = 0;
-}
-
-echo "{'result': $result, 'msg':'$msg'}";
\ No newline at end of file
+ if ($_FILES['form']['error'] == "0") {
+ G::uploadFile( $_FILES['form']['tmp_name'], $sDirectory, $_FILES['form']['name'] );
+ $fp = fopen($sDirectory . $_FILES['form']['name'], 'rw');
+ $content = fread($fp, filesize($sDirectory . $_FILES['form']['name']));
+ $fields = array('!--', '--', '!DOCTYPE', 'a', 'abbr', 'acronym', 'address', 'applet', 'area',
+ 'article', 'aside', 'audio', 'b', 'base', 'basefont', 'bdi', 'bdo', 'big',
+ 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite',
+ 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn',
+ 'dialog', 'dir', 'div', 'dl', 'dt', 'em', 'embed', 'fieldset', 'figcaption',
+ 'figure', 'font', 'footer', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4',
+ 'h5', 'h6', 'head', 'header', 'hr', 'html', 'i', 'iframe', 'img', 'input', 'ins',
+ 'kbd', 'keygen', 'label', 'legend', 'li', 'link', 'map', 'mark', 'menu', 'meta',
+ 'meter', 'nav', 'noframes', 'noscript', 'object', 'ol', 'optgroup', 'option',
+ 'output', 'p', 'param', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp',
+ 'script', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style',
+ 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
+ 'time', 'title', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr');
+ $content = G::sanitizeInput($content, $fields, array(), 0, 1, 0);
+ fwrite( $fp, $content );
+ fclose($fp);
+ $msg = "Uploaded (" . (round( (filesize( $sDirectory . $_FILES['form']['name'] ) / 1024) * 10 ) / 10) . " kb)";
+ $result = 1;
+ //echo $sDirectory.$_FILES['form']['name'];
+ } else {
+ $msg = "Failed";
+ $result = 0;
+ }
+
+ echo "{'result': $result, 'msg':'$msg'}";
+}
\ No newline at end of file
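Review bot: `$sDirectory` is assigned only inside `if (isset( $_SESSION['processes_upload'] ))`, but the `if ($_FILES['form']['error'] == "0")` block below runs regardless, so a request without that session entry still reaches `G::uploadFile( $_FILES['form']['tmp_name'], $sDirectory, ... )` with an undefined destination; give the `isset` an `else { die(); }` or move the upload block inside it. When `userCanAccess` returns false the script emits no body at all, while the caller parses the `{'result': ..., 'msg': ...}` string echoed at the end — emit a `$result = 0` response on that path too. The `fopen` and `filesize` return values on the new lines are not checked before `fread`/`fwrite`, so a failed open still reports `Uploaded`. The `if ($RBAC->...)` closed by the final `+}` opens in the garbled head of this hunk.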