From 901c56b6a4f4973b6faf3765f1ddca44626f4f32 Mon Sep 17 00:00:00 2001
From: Alex ORLUC <alex.orluc@maarch.org>
Date: Mon, 29 Apr 2019 17:46:23 +0200
Subject: [PATCH] FIX #9390 TIME 5 add check upload file client side

---
 .../indexing_searching/choose_file.php        |  2 +-
 .../indexing_searching/file_iframe.php        | 10 ++--
 apps/maarch_entreprise/js/functions.js        | 31 ++++++++++
 modules/sendmail/batch/process_emails.php     | 25 +++++---
 rest/index.php                                |  2 +
 .../resource/controllers/StoreController.php  | 58 +++++++++++++++++++
 src/core/lang/lang-en.php                     |  4 ++
 src/core/lang/lang-fr.php                     |  4 ++
 src/core/lang/lang-nl.php                     |  6 +-
 9 files changed, 128 insertions(+), 14 deletions(-)

diff --git a/apps/maarch_entreprise/indexing_searching/choose_file.php b/apps/maarch_entreprise/indexing_searching/choose_file.php
index f4855c03249..050629396c5 100755
--- a/apps/maarch_entreprise/indexing_searching/choose_file.php
+++ b/apps/maarch_entreprise/indexing_searching/choose_file.php
@@ -178,7 +178,7 @@ $_SESSION['upfile']['fileNamePdfOnTmp'] = '';
             <?php
             } ?>
 
-            <input type="file" name="file" id="file" onchange="$j('#with_file')[0].value='false';this.form.method = 'post';this.form.submit();"
+            <input type="file" name="file" id="file" onchange="uploadFiles();"
                    value="<?php $_REQUEST['with_file'] = 'false';
                             if (isset($_SESSION['file_path'])) {
                                 echo $_SESSION['file_path'];
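Review bot: The new `onchange="uploadFiles();"` handler submits `$j('#select_file_form')` instead of `this.form`, so this line now depends on the enclosing `<form>` carrying `id="select_file_form"`, which is outside the hunk and cannot be verified here. If that id is absent the picker silently does nothing after the AJAX check succeeds, so it is worth confirming before merge. The `#with_file` reset that the old inline handler performed is preserved inside `uploadFiles()`, so no behaviour is lost on that side.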
diff --git a/apps/maarch_entreprise/indexing_searching/file_iframe.php b/apps/maarch_entreprise/indexing_searching/file_iframe.php
index cd1937b8c26..ceb9c6608bd 100755
--- a/apps/maarch_entreprise/indexing_searching/file_iframe.php
+++ b/apps/maarch_entreprise/indexing_searching/file_iframe.php
@@ -94,7 +94,7 @@ if (isset($_GET['num'])) {
             readfile($loc);
             exit();
         } else {
-            echo '<br/><br/><div class="error">'._PROBLEM_LOADING_FILE_TMP_DIR.'.</div>';
+            echo '<br/><br/><div class="error" style="display:block">'._PROBLEM_LOADING_FILE_TMP_DIR.'.</div>';
             exit();
         }
         $extension = explode('.', $_SESSION['upfile'][$num]['name']);
@@ -139,7 +139,7 @@ if (isset($_GET['num'])) {
             <?php
             $ext = strtolower($_SESSION['upfile'][$num]['format']);
             if (file_exists($_SESSION['upfile'][$num]['local_path'])) {
-                echo '<br/><br/><div class="error">'
+                echo '<br/><br/><div class="error" style="display:block">'
                 ._FILE_LOADED_BUT_NOT_VISIBLE._ONLY_FILETYPES_AUTHORISED
                 .' <br/><ul>';
                 for ($i = 0; $i < count($extList); ++$i) {
@@ -147,7 +147,7 @@ if (isset($_GET['num'])) {
                 }
                 echo '</ul></div>';
             } else {
-                echo '<br/><br/><div class="error">'
+                echo '<br/><br/><div class="error" style="display:block">'
                 ._PROBLEM_LOADING_FILE_TMP_DIR.'.</div>';
             } ?>
             &nbsp;
@@ -280,7 +280,7 @@ if (isset($_GET['num'])) {
                     .' <br/><ul>';
                 echo '</ul></div>';
             } else {
-                echo '<br/><br/><div class="error">'
+                echo '<br/><br/><div class="error" style="display:block">'
                     ._PROBLEM_LOADING_FILE_TMP_DIR.'.</div>';
             } ?>
             &nbsp;
@@ -297,7 +297,7 @@ if (isset($_GET['num'])) {
             && $_SESSION['upfile']['error'] == 1
         ) {
             $filesize = $func->return_bytes(ini_get('upload_max_filesize'));
-            echo '<br/><br/><div class="error">'._MAX_SIZE_UPLOAD_REACHED
+            echo '<br/><br/><div class="error" style="display:block">'._MAX_SIZE_UPLOAD_REACHED
                 .' ('.round($filesize / 1024, 2).'Ko Max)</div>';
         } else {
             echo '<br/><br/><div class="advertissement">'.$_SESSION['error']
diff --git a/apps/maarch_entreprise/js/functions.js b/apps/maarch_entreprise/js/functions.js
index c3068089d2a..87b6815f4d4 100755
--- a/apps/maarch_entreprise/js/functions.js
+++ b/apps/maarch_entreprise/js/functions.js
@@ -3977,4 +3977,35 @@ function setSendAttachment(id, isVersion) {
             alert("Une erreur s'est produite : " + err.responseJSON.exception[0].message);
         }
     });
+}
+
+function uploadFiles () {
+
+    var fileInfo = $j("#file")[0]["files"][0];
+
+    var extension = "";
+
+    // set extension according to filename
+    if (fileInfo.name.split('.').length > 1) {
+        extension = fileInfo.name.split('.').pop();
+    }
+    
+    $j.ajax({
+        url: '../../rest/resources/checkFileUpload',
+        type: 'POST',
+        dataType: "json",
+        data: {
+            extension : extension,
+            size : fileInfo.size,
+            type : fileInfo.type,
+        },
+        success: function (answer) {
+            $j('#with_file')[0].value='false';
+            $j("#select_file_form").attr('method','post');
+            $j("#select_file_form").submit();
+        },
+        error: function (err) {
+            alert(err.responseJSON.errors);
+        }
+    });
 }
\ No newline at end of file
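Review bot: `fileInfo` is undefined when the user cancels the picker or clears the selection, so `fileInfo.name.split('.')` throws before anything else runs; add `if (!fileInfo) { return; }` right after the lookup. The `error` callback dereferences `err.responseJSON.errors`, which is itself undefined when the request fails with a non-JSON body (network error, HTML 500 page) and turns the alert into a TypeError; `alert((err.responseJSON && err.responseJSON.errors) || 'Upload check failed');` degrades gracefully. `extension`, `size` and `type` are all browser-reported values, so the server call this makes is a usability pre-check and the real validation still has to happen on the received upload.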
diff --git a/modules/sendmail/batch/process_emails.php b/modules/sendmail/batch/process_emails.php
index b86016ccb0d..05bca7f0381 100755
--- a/modules/sendmail/batch/process_emails.php
+++ b/modules/sendmail/batch/process_emails.php
@@ -75,16 +75,21 @@ while ($state <> 'END') {
                     if (!empty($mailfrom_generic)) {
                         $GLOBALS['logger']->write('process e-mail '.($currentEmail+1)."/".$totalEmailsToProcess.' (FROM => '.$userInfo['firstname'].' '.$userInfo['lastname'].' <'.$mailfrom_generic.'>'.', TO => '.$email->to_list.', SUBJECT => '.$email->email_object.', CC =>'.$email->cc_list.', CCI => '.$email->cci_list.') ...', 'INFO');
 
-                        $GLOBALS['mailer']->setFrom($userInfo['firstname'].' '
-                            . $userInfo['lastname'].' <'.$mailfrom_generic.'> ');
+
+                        $setFrom = $userInfo['firstname'].' ' . $userInfo['lastname'].' <'.$mailfrom_generic.'> ';
+                        $setFrom = functions::normalize($setFrom);
+                        $GLOBALS['mailer']->setFrom($setFrom);
+
                         $emailFrom = $mailfrom_generic;
                         $email->email_body = 'Courriel envoyé par : ' . $userInfo['firstname'].' '
                             . $userInfo['lastname'] . ' ' . $email->sender_email . ' ' .  '.<br/><br/>' . $email->email_body;
                     } else {
                         $GLOBALS['logger']->write('process e-mail '.($currentEmail+1)."/".$totalEmailsToProcess.' (FROM => '.$userInfo['firstname'].' '.$userInfo['lastname'].' <'.$email->sender_email.'>'.', TO => '.$email->to_list.', SUBJECT => '.$email->email_object.', CC =>'.$email->cc_list.', CCI => '.$email->cci_list.') ...', 'INFO');
 
-                        $GLOBALS['mailer']->setFrom($userInfo['firstname'].' '
-                            . $userInfo['lastname'].' <'.$email->sender_email.'> ');
+                        $setFrom = $userInfo['firstname'].' ' . $userInfo['lastname'].' <'.$email->sender_email.'> ';
+                        $setFrom = functions::normalize($setFrom);
+                        $GLOBALS['mailer']->setFrom($setFrom);
+
                         $emailFrom = $email->sender_email;
                     }
                     $GLOBALS['mailer']->setReplyTo($email->sender_email);
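Review bot: `functions::normalize()` is applied to the whole `Name <address>` string, so whatever transformation it performs (its definition is outside this patch) also touches the address part; normalising only the display name and appending the address afterwards, e.g. `$setFrom = functions::normalize($userInfo['firstname'].' '.$userInfo['lastname']).' <'.$mailfrom_generic.'> ';`, keeps the mailbox intact. The same three-line sequence is now repeated in both branches here and twice more in the next hunk (lines 158-160 and 169-171), which suggests a small helper taking the display name and the address. The display name comes from user-editable profile fields and entity labels, so if `normalize()` does not strip CR/LF it is worth confirming that the mailer's `setFrom()` rejects line breaks. The enclosing `while` loop starts before this hunk.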
@@ -92,15 +97,21 @@ while ($state <> 'END') {
                     if (!empty($mailfrom_generic)) {
                         $mailsEntities = $sendmail_tools->getAttachedEntitiesMails();
                         $entityShortLabel = substr($mailsEntities[$email->sender_email], 0, strrpos($mailsEntities[$email->sender_email], "("));
-                            
-                        $GLOBALS['mailer']->setFrom($entityShortLabel . ' <' . $mailfrom_generic. '> ');
+                           
+                        $setFrom = $entityShortLabel . ' <' . $mailfrom_generic. '> ';
+                        $setFrom = functions::normalize($setFrom);
+                        $GLOBALS['mailer']->setFrom($setFrom);
+
                         $emailFrom = $mailfrom_generic;
                         $email->email_body = 'Courriel envoyé par : ' . $entityShortLabel . ' ' . $sendmail_tools->explodeSenderEmail($email->sender_email) . ' ' .  '.<br/><br/>' . $email->email_body;
                     } else {
                         $mailsEntities = $sendmail_tools->getAttachedEntitiesMails();
                         $entityShortLabel = substr($mailsEntities[$email->sender_email], 0, strrpos($mailsEntities[$email->sender_email], "("));
 
-                        $GLOBALS['mailer']->setFrom($entityShortLabel . ' <' . $sendmail_tools->explodeSenderEmail($email->sender_email) . '> ');
+                        $setFrom = $entityShortLabel . ' <' . $sendmail_tools->explodeSenderEmail($email->sender_email) . '> ';
+                        $setFrom = functions::normalize($setFrom);
+                        $GLOBALS['mailer']->setFrom($setFrom);
+
                         $emailFrom = $sendmail_tools->explodeSenderEmail($email->sender_email);
                     }
                     $GLOBALS['mailer']->setReplyTo($sendmail_tools->explodeSenderEmail($email->sender_email));
diff --git a/rest/index.php b/rest/index.php
index c2c9fb2b581..f65169963d3 100755
--- a/rest/index.php
+++ b/rest/index.php
@@ -267,6 +267,8 @@ $app->put('/res/externalInfos', \Resource\controllers\ResController::class . ':u
 $app->get('/categories', \Resource\controllers\ResController::class . ':getCategories');
 $app->get('/natures', \Resource\controllers\ResController::class . ':getNatures');
 $app->get('/resources/{resId}/isAllowed', \Resource\controllers\ResController::class . ':isAllowedForCurrentUser');
+$app->post('/resources/checkFileUpload', \Resource\controllers\StoreController::class . ':checkFileUpload');
+
 
 //ResourcesList
 $app->get('/resourcesList/users/{userId}/groups/{groupId}/baskets/{basketId}', \Resource\controllers\ResourceListController::class . ':get');
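Review bot: Whether `/resources/checkFileUpload` runs behind the same authentication as the surrounding `/resources/...` routes is not visible in this hunk; if the middleware is path-based, confirm the new POST path is covered, since the handler answers with the server's allowed-extension and size policy to anyone who can reach it. The added second blank line at the end of the hunk is surplus and should be dropped.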
diff --git a/src/app/resource/controllers/StoreController.php b/src/app/resource/controllers/StoreController.php
index feefa8660e9..452553ccd1a 100755
--- a/src/app/resource/controllers/StoreController.php
+++ b/src/app/resource/controllers/StoreController.php
@@ -15,12 +15,15 @@
 
 namespace Resource\controllers;
 
+use Slim\Http\Request;
+use Slim\Http\Response;
 use Attachment\models\AttachmentModel;
 use Contact\models\ContactModel;
 use Docserver\controllers\DocserverController;
 use Resource\models\ChronoModel;
 use SrcCore\models\DatabaseModel;
 use SrcCore\models\ValidatorModel;
+use Respect\Validation\Validator;
 use Entity\models\EntityModel;
 use Resource\models\ResModel;
 use SrcCore\models\CoreConfigModel;
@@ -28,6 +31,61 @@ use User\models\UserModel;
 
 class StoreController
 {
+    public function checkFileUpload(Request $request, Response $response, array $aArgs)
+    {
+        $body = $request->getParsedBody();
+
+        if (!Validator::notEmpty()->validate($body['size'])) {
+            return $response->withStatus(400)->withJson(['errors' => 'filesize is empty']);
+        } else if (!Validator::notEmpty()->validate($body['type'])) {
+            return $response->withStatus(400)->withJson(['errors' => 'no mime type detected']);
+        } else if (!Validator::notEmpty()->validate($body['extension'])) {
+            return $response->withStatus(400)->withJson(['errors' => 'this filename has no extension']);
+        }
+
+        if (!StoreController::isFileAllowed($body)) {
+            return $response->withStatus(400)->withJson(['errors' => _FILE_NOT_ALLOWED_INFO_1.' "'.$body['extension'].'" '._FILE_NOT_ALLOWED_INFO_2.' "'. $body['type']. '" '._FILE_NOT_ALLOWED_INFO_3]);
+        }
+
+        $maxFilesizeMo = ini_get('upload_max_filesize');
+        $maxFilesizeKo = ini_get('upload_max_filesize')*1024;
+
+        if ($body['size']/1024 > $maxFilesizeKo) {
+            return $response->withStatus(400)->withJson(['errors' => _MAX_SIZE_UPLOAD_REACHED.' ('.round($maxFilesizeMo).'Mo Max.)']);
+        }
+        return $response->withJson(['success']);
+    }
+
+    private static function isFileAllowed(array $args)
+    {
+        ValidatorModel::notEmpty($args, ['extension', 'type']);
+        ValidatorModel::stringType($args, ['extension', 'type']);
+        $loadedXml = CoreConfigModel::getXmlLoaded(['path' => 'apps/maarch_entreprise/xml/extensions.xml']);
+        if ($loadedXml) {
+            foreach ($loadedXml->FORMAT as $value) {
+                if (strtolower((string)$value->name) == strtolower($args['extension']) && strtolower((string)$value->mime) == strtolower($args['type'])) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
+    private static function getAllowedMime()
+    {
+        $loadedXml = CoreConfigModel::getXmlLoaded(['path' => 'apps/maarch_entreprise/xml/extensions.xml']);
+        $mimeList = [];
+        
+        if ($loadedXml) {
+            foreach ($loadedXml->FORMAT as $value) {
+                $mimeList[] = (string)$value->mime;
+            }
+        }
+
+        return array_unique($mimeList);
+    }
+
     public static function storeResource(array $aArgs)
     {
         ValidatorModel::notEmpty($aArgs, ['encodedFile', 'format', 'status', 'type_id', 'category_id']);
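Review bot: The size limit at `$maxFilesizeKo = ini_get('upload_max_filesize')*1024;` assumes the ini value is expressed in megabytes, but `upload_max_filesize` is a shorthand string ("8M", "512K", "2G" or plain bytes) and the arithmetic silently relies on leading-numeric coercion, so a K/G/bytes setting yields a wrong limit (the legacy page converts it with `$func->return_bytes()` in file_iframe.php, and `post_max_size` also caps uploads). A shorthand-to-bytes helper and a byte-level comparison fix it, shown below. Independently, `$body['size']`, `$body['type']` and `$body['extension']` are read before any key check (a notice on a missing key) and nothing enforces that `size` is numeric, so `Validator::intVal()` would be a better guard than `notEmpty()` for it, and `==` at the extension/mime comparison should be `===`. Since all three values are supplied by the client, this endpoint is only a usability pre-check and the upload handler must still validate the received file; `getAllowedMime()` is added but never called in this patch.
```php
        $maxFilesizeBytes = self::iniShorthandToBytes((string) ini_get('upload_max_filesize'));

        // File.size from the browser is in bytes; compare bytes with bytes
        if ((int) $body['size'] > $maxFilesizeBytes) {
            return $response->withStatus(400)->withJson(['errors' => _MAX_SIZE_UPLOAD_REACHED.' ('.round($maxFilesizeBytes / 1048576).'Mo Max.)']);
        }
        // … unchanged: success response …
    }

    /**
     * Converts a php.ini shorthand size ("8M", "512K", "2G" or plain bytes) to bytes.
     */
    private static function iniShorthandToBytes(string $value): int
    {
        $value = trim($value);
        $multipliers = ['K' => 1024, 'M' => 1048576, 'G' => 1073741824];
        $unit = strtoupper(substr($value, -1));

        return (int) $value * ($multipliers[$unit] ?? 1);
    }
```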
diff --git a/src/core/lang/lang-en.php b/src/core/lang/lang-en.php
index dbd1924d983..b8ada9a1c00 100755
--- a/src/core/lang/lang-en.php
+++ b/src/core/lang/lang-en.php
@@ -491,3 +491,7 @@ define("_SECONDARY_INFORMATION", "Secondary informations");
 define("_DEST_INFORMATION", "Destination informations");
 define("_XPARAPH_ACCOUNT_DELETED", "xParaph account deleted");
 define("_XPARAPH_ACCOUNT_CREATED", "xParaph account created");
+
+define("_FILE_NOT_ALLOWED_INFO_1", "This extension");
+define("_FILE_NOT_ALLOWED_INFO_2", "with MIME-type");
+define("_FILE_NOT_ALLOWED_INFO_3", "is not allowed");
diff --git a/src/core/lang/lang-fr.php b/src/core/lang/lang-fr.php
index 9f1eb69d1df..c541012b1da 100755
--- a/src/core/lang/lang-fr.php
+++ b/src/core/lang/lang-fr.php
@@ -491,3 +491,7 @@ define("_SECONDARY_INFORMATION", "Informations secondaires");
 define("_DEST_INFORMATION", "Informations de destination");
 define("_XPARAPH_ACCOUNT_DELETED", "Compte xParaph supprimé");
 define("_XPARAPH_ACCOUNT_CREATED", "Compte xParaph créé");
+
+define("_FILE_NOT_ALLOWED_INFO_1", "L'extension");
+define("_FILE_NOT_ALLOWED_INFO_2", "avec le type MIME");
+define("_FILE_NOT_ALLOWED_INFO_3", "n'est pas autorisée");
diff --git a/src/core/lang/lang-nl.php b/src/core/lang/lang-nl.php
index 7aa52458b27..a1baa20b791 100755
--- a/src/core/lang/lang-nl.php
+++ b/src/core/lang/lang-nl.php
@@ -492,4 +492,8 @@ define("_DIFFUSION_LIST", "Diffusion list_TO_TRANSLATE");
 define("_SECONDARY_INFORMATION", "Secondary informations_TO_TRANSLATE");
 define("_DEST_INFORMATION", "Destination informations_TO_TRANSLATE");
 define("_XPARAPH_ACCOUNT_DELETED", "xParaph account deleted_TO_TRANSLATE");
-define("_XPARAPH_ACCOUNT_CREATED", "xParaph account created_TO_TRANSLATE");
\ No newline at end of file
+define("_XPARAPH_ACCOUNT_CREATED", "xParaph account created_TO_TRANSLATE");
+
+define("_FILE_NOT_ALLOWED_INFO_1", "This extension_TO_TRANSLATE");
+define("_FILE_NOT_ALLOWED_INFO_2", "with MIME-type_TO_TRANSLATE");
+define("_FILE_NOT_ALLOWED_INFO_3", "is not allowed_TO_TRANSLATE");
-- 
GitLab