And the fix I added works?
Very very strange. Fix is enabled only if magic_quotes is on?
What is the return of the functions
print file_exists("magic_quotes_gpc")
and
print magic_quotes_gpc();

2012/6/2 Régis Houssin <[email protected]>

> yes but my php is 5.3.6 with no magic_quote! strange!
>
> On 02/06/12 13:46, Laurent Destailleur (eldy) wrote:
> > Yes. The initial sentence should be read like this:
> >
> > "Note also that, IF YOU USE RECOMMENDED PHP SETUP, stripslashes should
> > never..."
> > instead of
> > "Note also that stripslashes should never..."
> >
> > If using old php setup (magic_quotes_gpc), php makes some undesired
> > escaping that is not HTML, Shell, nor PHP, nor database escaping.
> > stripslashes was provided to solve this problem. So it can be used in
> > main (to solve the PHP bug) but not in core business code. It could be
> > removed completely when everybody uses a recent php version that
> > does not contain this feature (considered as a bug by php team now,
> > that's why this feature is now completely removed in last php 5.4.0
> > version).
> >
> > On 01/06/2012 21:04, Régis Houssin wrote:
> >> yes
> >>
> >> but your comment:
> >>
> >> "Note also that stripslashes should never be used anywhere in the code,
> >> because stripslashes is nor a HTML escape, nor a javascript escape, nor a
> >> shell or PHP escape function. If stripslashes is used somewhere, this
> >> means there is a bug somewhere else."
> >>
> >> well you use it precisely in the main.inc.php :-)
> >>
> >> return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
> >>
> >> On 01/06/12 20:54, Laurent Destailleur (eldy) wrote:
> >>> I think I found the bug.
> >>> I tried a fix in dev branch. Regis, does it work for you?
> >>>
> >>> On 01/06/2012 20:43, Régis Houssin wrote:
> >>>> yes but I added this in the function dol_unescape_file
> >>>>
> >>>> return trim(basename(stripslashes($filename)), ".\x00..\x20");
> >>>>
> >>>> you tried just making a "return $filename"?
> >>>>
> >>>> which version of php do you have?
> >>>>
> >>>> On 01/06/12 20:23, Laurent Destailleur (eldy) wrote:
> >>>>> Hum, strange.
> >>>>> If I use Capture d'ecran.docx
> >>>>> I get into $_FILES
> >>>>> Capture d'ecran.docx
> >>>>>
> >>>>> and not
> >>>>> Capture d'ecran.docx
> >>>>>
> >>>>> A cake will be offered to people who can explain this difference!
> >>>>> Well, we must find what is the criteria that makes this difference
> >>>>> and use it to put an if inside the dol_unescape_file to have upload
> >>>>> working in all situations.
> >>>>>
> >>>>> Can you send me your php.ini? I will compare with mine.
> >>>>>
> >>>>> On 01/06/2012 11:13, Régis Houssin wrote:
> >>>>>> I use this file name: Capture d'ecran.docx
> >>>>>> my function:
> >>>>>>
> >>>>>> trim(basename(stripslashes($filename)), ".\x00..\x20");
> >>>>>>
> >>>>>> common function found around the internet and can clean the file
> >>>>>> name in $_FILES
> >>>>>>
> >>>>>> print $_FILES : Capture d\'ecran.docx
> >>>>>>
> >>>>>> with my function:
> >>>>>> file is recorded with name: Capture d'ecran.docx
> >>>>>> source code in link: Capture+d%27ecran.docx
> >>>>>>
> >>>>>> without my function:
> >>>>>> file is recorded with name: Capture d\'ecran.docx
> >>>>>> source code in link: Capture+d%5C%27ecran.docx
> >>>>>> the file does not delete when I click on the trash
> >>>>>>
> >>>>>> On 01/06/12 10:42, Laurent Destailleur (eldy) wrote:
> >>>>>>> I made a fix into dol_unescapefile file because file upload was
> >>>>>>> broken on linux and windows.
> >>>>>>> I had to remove the stripslashes. I don't see a reason to have
> >>>>>>> it. Maybe there is a diff between mac and linux when uploading a file?
> >>>>>>>
> >>>>>>> If you upload a file called
> >>>>>>> a'b
> >>>>>>> the $_FILES['userfile']['name']; exit;
> >>>>>>> a'b
> >>>>>>>
> >>>>>>> Regis, can you confirm that submitting a file called
> >>>>>>> a'b
> >>>>>>> is still
> >>>>>>> a'b
> >>>>>>> if you make:
> >>>>>>>
> >>>>>>> print $_FILES['userfile']['name']; exit;
> >>>>>>>
> >>>>>>> just after the main.inc.php of a submitted document.php page (you
> >>>>>>> must make show source of html page to see real content, for example
> >>>>>>> with htdocs/societe/documents.php)?
> >>>>>>>
> >>>>>> Regards,
> >>>> Regards,
> >> Regards,
> >
>
> Regards,
> --
> Régis Houssin
> ---------------------------------------------------------
> Cap-Networks
> Cidex 1130
> 34, route de Gigny
> 71240 MARNAY
> FRANCE
> VoIP: +33 1 83 62 40 03
> GSM: +33 6 33 02 07 97
> Web: http://www.cap-networks.com/
> Email: [email protected]
>
> Dolibarr developer: [email protected]
> Web Portal: http://www.dolibarr.fr/
> SaaS offers: http://www.dolibox.fr/
> Shop: http://www.dolistore.com/
> Development platform: https://doliforge.org/
> ---------------------------------------------------------
_______________________________________________
Dolibarr-dev mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
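
The distinction this thread turns on, unescaping an upload name only when PHP itself escaped it, as an added example in PHP (not code from Dolibarr or from either poster). `clean_upload_name()` and `magic_quotes_active()` are hypothetical names, and the input names are constructed from the ones quoted in the thread.

```php
<?php
// Added example, not Dolibarr code: clean_upload_name() and
// magic_quotes_active() are hypothetical names.

/**
 * Clean a client-supplied upload file name.
 * @param string $name     value of $_FILES[...]['name']
 * @param bool   $unescape true only if PHP itself added the backslashes
 */
function clean_upload_name($name, $unescape)
{
    if ($unescape) {
        $name = stripslashes($name); // undo PHP's escaping, nothing more
    }
    // basename() drops any directory part; the trim list removes dots plus
    // the byte range 0x00..0x20 (trim() reads ".." as a range).
    return trim(basename($name), ".\x00..\x20");
}

/** magic_quotes_gpc exists only before PHP 5.4.0. */
function magic_quotes_active()
{
    return version_compare(PHP_VERSION, '5.4.0', '<')
        && function_exists('get_magic_quotes_gpc')
        && get_magic_quotes_gpc();
}

// Constructed inputs: array(received name, whether to unescape).
// On Windows basename() also treats "\" as a separator, so the third
// row is cut at the backslash there.
$cases = array(
    array("Capture d'ecran.docx",   false), // received clean, left alone
    array("Capture d\\'ecran.docx", true),  // escaped by PHP, unescaped once
    array("Capture d\\'ecran.docx", false), // escaped, not undone: backslash is stored
    array("a\\b.txt",               true),  // clean name, wrongly unescaped: backslash lost
);

foreach ($cases as $case) {
    list($received, $unescape) = $case;
    $stored = clean_upload_name($received, $unescape);
    printf("%-24s unescape=%d  stored=%-24s link=%s\n",
        $received, $unescape ? 1 : 0, $stored, urlencode($stored));
}

printf("magic quotes active on this PHP: %s\n", magic_quotes_active() ? 'yes' : 'no');
```

The third row reproduces the `%5C%27` link from the thread, where the stored name and the name used to delete the file no longer match; the fourth shows what an unconditional `stripslashes()` does to a name that was never escaped.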
