diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php
index e81c99897..370a789a9 100755
--- a/gulliver/system/class.g.php
+++ b/gulliver/system/class.g.php
@@ -5329,165 +5329,177 @@ class G return $from; } - /** - * Verify the InputDoc extension, cheking the file name extension (.pdf, .ppt) and the file content. - * - * - * - */ - public function verifyInputDocExtension($InpDocAllowedFiles, $filesName, $filesTmpName){ - $allowedTypes = explode(", ", $InpDocAllowedFiles); - $flag = 0; - - if (!extension_loaded('fileinfo')) { - $dtype = explode(".", $filesName); - - foreach ($allowedTypes as $types => $val) { - if((preg_match('/^\*\.?[a-z]{2,8}$/', $val)) || ($val == '*.*')){ - $allowedDocTypes = substr($val, 2); - if(($dtype[count($dtype) -1]) != $allowedDocTypes){ - $flag = 1; - } else { - return true; - break; - } - } else { - $message = G::LoadTranslation('ID_UPLOAD_ERR_WRONG_ALLOWED_EXTENSION_FORMAT' ); - G::SendMessageText( $message, "ERROR" ); - - $backUrlObj = explode( "sys" . SYS_SYS, $_SERVER['HTTP_REFERER'] ); - G::header( "location: " . "/sys" . SYS_SYS . $backUrlObj[1] ); - die(); - } - } - } else { - $finfo = new finfo(FILEINFO_MIME_TYPE); - $finfo_ = $finfo->file($filesTmpName); - $docType = explode("/", $finfo_); - - foreach ($allowedTypes as $types => $val) { - if((preg_match('/^\*\.?[a-z]{2,8}$/', $val)) || ($val == '*.*')){ - $allowedDocTypes = substr($val, 2); - - switch($allowedDocTypes){ - case '*': - return true; - break; - case 'xls': - if($docType[1] != 'vnd.ms-excel'){ - $flag = 1; - } else { - return true; - } - break; - case 'doc': - if($docType[1] != 'msword'){ - $flag = 1; - } else { - return true; - } - break; - case 'ppt': - if($docType[1] != 'vnd.ms-office'){ - $flag = 1; - } else { - return true; - } - break; - case 'docx': - case 'pptx': - case 'xlsx': - if($docType[1] != 'zip'){ - $flag = 1; - } else { - return true; - } - break; - case 'exe': - case 'wmv': - if($docType[1] != 'octet-stream'){ - $flag = 1; - } else { - return true; - } - break; - case 'jpg': - if ($docType[1] != 'jpeg'){ - $flag = 1; - } else { - return true; - } - break; - case 'mp3': - if ($docType[1] != 'mpeg'){ - 
$flag = 1; - } else { - return true; - } - break; - case 'rar': - if ($docType[1] != 'x-rar'){ - $flag = 1; - } else { - return true; - } - break; - case 'txt': - case 'pm': - if ($docType[1] != 'plain'){ - $flag = 1; - } else { - return true; - } - break; - case 'htm': - case 'html': - if ($docType[1] != 'html'){ - $flag = 1; - } else { - return true; - } - break; - case 'po': - if ($docType[1] != 'x-po'){ - $flag = 1; - } else { - return true; - } - break; - case 'pdf': - case 'png': - case 'jpeg': - case 'gif': - case 'zip': - case 'mp4': - if ($docType[1] != $allowedDocTypes){ - $flag = 1; - } else { - return true; - } - break; - default: - $dtype = explode(".", $filesName); - if(($dtype[count($dtype) - 1]) != $allowedDocTypes){ - $flag = 1; - } else { - return true; - } - } - } else { - $message = G::LoadTranslation('ID_UPLOAD_ERR_WRONG_ALLOWED_EXTENSION_FORMAT' ); - G::SendMessageText( $message, "ERROR" ); - - $backUrlObj = explode( "sys" . SYS_SYS, $_SERVER['HTTP_REFERER'] ); - G::header( "location: " . "/sys" . SYS_SYS . $backUrlObj[1] ); - die(); - } - } - } + /** + * Verify the InputDoc extension, cheking the file name extension (.pdf, .ppt) and the file content. 
+ * + * + * + */ + public function verifyInputDocExtension($InpDocAllowedFiles, $filesName, $filesTmpName){ + $allowedTypes = explode(", ", $InpDocAllowedFiles); + $flag = 0; + $res = new stdclass(); + + if (!extension_loaded('fileinfo')) { + $dtype = explode(".", $filesName); + + foreach ($allowedTypes as $types => $val) { + if((preg_match('/^\*\.?[a-z]{2,8}$/', $val)) || ($val == '*.*')){ + $allowedDocTypes = substr($val, 2); + if(($dtype[count($dtype) -1]) != $allowedDocTypes){ + $flag = 1; + } else { + $res->status = true; + return $res; + break; + } + } else { + $res->status = false; + $res->message = G::LoadTranslation('ID_UPLOAD_ERR_WRONG_ALLOWED_EXTENSION_FORMAT' ); + return $res; + } + } + } else { + $finfo = new finfo(FILEINFO_MIME_TYPE); + $finfo_ = $finfo->file($filesTmpName); + $docType = explode("/", $finfo_); + + foreach ($allowedTypes as $types => $val) { + if((preg_match('/^\*\.?[a-z]{2,8}$/', $val)) || ($val == '*.*')){ + $allowedDocTypes = substr($val, 2); + + switch($allowedDocTypes){ + case '*': + $res->status = true; + return $res; + break; + case 'xls': + if($docType[1] != 'vnd.ms-excel'){ + $flag = 1; + } else { + $res->status = true; + return $res; + } + break; + case 'doc': + if($docType[1] != 'msword'){ + $flag = 1; + } else { + $res->status = true; + return $res; + } + break; + case 'ppt': + if($docType[1] != 'vnd.ms-office'){ + $flag = 1; + } else { + $res->status = true; + return $res; + } + break; + case 'docx': + case 'pptx': + case 'xlsx': + if($docType[1] != 'zip'){ + $flag = 1; + } else { + $res->status = true; + return $res; + } + break; + case 'exe': + case 'wmv': + if($docType[1] != 'octet-stream'){ + $flag = 1; + } else { + $res->status = true; + return $res; + } + break; + case 'jpg': + if ($docType[1] != 'jpeg'){ + $flag = 1; + } else { + $res->status = true; + return $res; + } + break; + case 'mp3': + if ($docType[1] != 'mpeg'){ + $flag = 1; + } else { + $res->status = true; + return $res; + } + break; + case 'rar': + if 
($docType[1] != 'x-rar'){ + $flag = 1; + } else { + $res->status = true; + return $res; + } + break; + case 'txt': + case 'pm': + if ($docType[1] != 'plain'){ + $flag = 1; + } else { + $res->status = true; + return $res; + } + break; + case 'htm': + case 'html': + if ($docType[1] != 'html'){ + $flag = 1; + } else { + $res->status = true; + return $res; + } + break; + case 'po': + if ($docType[1] != 'x-po'){ + $flag = 1; + } else { + $res->status = true; + return $res; + } + break; + case 'pdf': + case 'png': + case 'jpeg': + case 'gif': + case 'zip': + case 'mp4': + if ($docType[1] != $allowedDocTypes){ + $flag = 1; + } else { + $res->status = true; + return $res; + } + break; + default: + $dtype = explode(".", $filesName); + if(($dtype[count($dtype) - 1]) != $allowedDocTypes){ + $flag = 1; + } else { + $res->status = true; + return $res; + } + } + } else { + $res->status = false; + $res->message = G::LoadTranslation('ID_UPLOAD_ERR_WRONG_ALLOWED_EXTENSION_FORMAT' ); + return $res; + } + } + } if( $flag == 1){ - return false; - } + $res->status = false; + $res->message = G::LoadTranslation('ID_UPLOAD_ERR_NOT_ALLOWED_EXTENSION' ); + return $res; + } } } diff --git a/workflow/engine/methods/cases/cases_SaveData.php b/workflow/engine/methods/cases/cases_SaveData.php index de985d291..6838959f4 100644 --- a/workflow/engine/methods/cases/cases_SaveData.php +++ b/workflow/engine/methods/cases/cases_SaveData.php 
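Review bot: The docblock on the re-added verifyInputDocExtension still describes the old boolean contract and says nothing about the stdClass the method now returns, so a caller has to read the whole body to learn that `status` is a bool and `message` is only populated on failure. Suggest replacing the empty `*` lines with `@param string $InpDocAllowedFiles comma-separated pattern list such as "*.pdf, *.doc"`, `@return stdClass with bool $status and, only when $status is false, string $message`, and fixing "cheking". The `break;` that follows each `$res->status = true; return $res;` (after the `*.*` check and in the `'*'` case) is unreachable and can be dropped, and `new stdclass()` is conventionally spelled `new stdClass()`. Since the change keeps the matching logic as-is, a short comment above the `switch` is worth adding to record that the `default:` branch and the `*.*` wildcard validate by file-name extension only, and that `docx/pptx/xlsx` accept any `zip` container and `exe/wmv` any `octet-stream`, so the result is a format sanity check rather than a content-safety decision.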
@@ -280,13 +280,14 @@ try {
 $oFolder = new AppFolder();
 //***Validating the file allowed extensions***
- if(!G::verifyInputDocExtension($aID['INP_DOC_TYPE_FILE'], $_FILES["form"]["name"]["input"], $_FILES["form"]["tmp_name"]["input"])){
- $message = G::LoadTranslation( 'ID_UPLOAD_ERR_NOT_ALLOWED_EXTENSION' );
- G::SendMessageText( $message, "ERROR" );
- $backUrlObj = explode( "sys" . SYS_SYS, $_SERVER['HTTP_REFERER'] );
- G::header( "location: " . "/sys" . SYS_SYS . $backUrlObj[1] );
- die();
- }
+ $res = G::verifyInputDocExtension($aID['INP_DOC_TYPE_FILE'], $_FILES["form"]["name"]["input"], $_FILES["form"]["tmp_name"]["input"]);
+ if($res->status == 0){
+ $message = $res->message;
+ G::SendMessageText( $message, "ERROR" );
+ $backUrlObj = explode( "sys" . SYS_SYS, $_SERVER['HTTP_REFERER'] );
+ G::header( "location: " . "/sys" . SYS_SYS . $backUrlObj[1] );
+ die();
+ }
 $aFields = array ("APP_UID" => $_SESSION["APPLICATION"],"DEL_INDEX" => $_SESSION["INDEX"],"USR_UID" => $_SESSION["USER_LOGGED"],"DOC_UID" => $indocUid,"APP_DOC_TYPE" => "INPUT","APP_DOC_CREATE_DATE" => date( "Y-m-d H:i:s" ),"APP_DOC_COMMENT" => "","APP_DOC_TITLE" => "","APP_DOC_FILENAME" => $arrayFileName[$i],"FOLDER_UID" => $oFolder->createFromPath( $aID["INP_DOC_DESTINATION_PATH"] ),"APP_DOC_TAGS" => $oFolder->parseTags( $aID["INP_DOC_TAGS"] ),"APP_DOC_FIELDNAME" => $fieldName);
 } else {
diff --git a/workflow/engine/methods/cases/cases_SaveDocument.php b/workflow/engine/methods/cases/cases_SaveDocument.php
index 5cbb5c33b..22c5014b3 100755
--- a/workflow/engine/methods/cases/cases_SaveDocument.php
+++ b/workflow/engine/methods/cases/cases_SaveDocument.php
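Review bot: `if($res->status == 0)` in the new guard relies on loose comparison against a boolean the callee sets to true/false; `if ($res->status === false)` (or `!$res->status`) states the intent and will not silently treat a missing status as a failure, which would also leave `$res->message` undefined on the following line. The same pattern is introduced in cases_SaveDocument.php in the next hunk. The redirect below it indexes `$backUrlObj[1]` without checking that the Referer actually contained the `"sys" . SYS_SYS` segment; that header is client-supplied, so a missing or unexpected value would raise an undefined-index notice and redirect to `/sys` . SYS_SYS with nothing after it — guard with `isset($backUrlObj[1])` and fall back to a fixed in-application URL otherwise. The enclosing try block starts and ends outside the hunk.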
@@ -96,8 +96,9 @@ if ($_SESSION["TRIGGER_DEBUG"]["NUM_TRIGGERS"] > 0) {
 //***Validating the file allowed extensions***
 $oInputDocument = new InputDocument();
 $InpDocData = $oInputDocument->load( $inputDocumentUid );
-if(!G::verifyInputDocExtension($InpDocData['INP_DOC_TYPE_FILE'], $_FILES["form"]["name"]["APP_DOC_FILENAME"], $_FILES["form"]["tmp_name"]["APP_DOC_FILENAME"])){
- $message = G::LoadTranslation( 'ID_UPLOAD_ERR_NOT_ALLOWED_EXTENSION' );
+$res = G::verifyInputDocExtension($InpDocData['INP_DOC_TYPE_FILE'], $_FILES["form"]["name"]["APP_DOC_FILENAME"], $_FILES["form"]["tmp_name"]["APP_DOC_FILENAME"]);
+if($res->status == 0){
+ $message = $res->message;
 G::SendMessageText( $message, "ERROR" );
 $backUrlObj = explode( "sys" . SYS_SYS, $_SERVER['HTTP_REFERER'] );
 G::header( "location: " . "/sys" . SYS_SYS . $backUrlObj[1] );