Supporting each other

Community forums

Welcome, Guest

Forum

Main Forum

Bugs and Issues

v3: XML validation for saved and uploaded files

Report any technical problems you discover and discuss solutions.

Page:
1

TOPIC:

v3: XML validation for saved and uploaded files 8 years 8 months ago #3071

jayaich
Topic Author
Offline
Premium Member
Posts: 92
Thank you received: 5

Hello,

Below is a patch to invoke the XML validator when an XML file is saved (from the XOT browser) or uploaded. It does not verify XML files uploaded in a zip file (i.e. as part of a project). Since it seems that XML files can have slightly different MIME types, we only ensure that the last part is '/xml'.

The patch includes a change from an earlier patch which invokes the antivirus/file extension/mime type checks for uploaded files. That is, this patch includes all the changes I have applied to the original v3.0 source file.

--- editor/elfinder/php/elFinder.class.php.orig 2015-07-29 23:17:23.000000000 +0100
+++ editor/elfinder/php/elFinder.class.php      2015-08-24 14:17:44.921577883 +0100
@@ -9,6 +9,9 @@
  * @author Troex Nevelin
  * @author Alexey Sukhotin
  **/
+
+require_once("../../../plugins.php");
+
 class elFinder {
 
        /**
@@ -929,6 +932,18 @@
                        }
 
                        $tmpname = $files['tmp_name'][$i];
+
+                       if (!apply_filters('editor_upload_file', array('name' => array($name), 'tmp_name' => array($tmpname)))) {
+                               $result['warning'] = $this->error(self::ERROR_UPLOAD_FILE, $name, self::ERROR_UPLOAD_TRANSFER, 'Virus checks');
+                               $this->uploadDebug = 'Upload error: file failed virus checks';
+                               break;
+                       }
+
+                       if (substr($files['type'][$i], -4) === '/xml' && !apply_filters('editor_save_data', file_get_contents($tmpname))) {
+                               $result['warning'] = $this->error(self::ERROR_UPLOAD_FILE, $name, self::ERROR_UPLOAD_TRANSFER, 'XML checks');
+                               $this->uploadDebug = 'Upload error: file failed XML checks';
+                               break;
+                       }
 
                        if (($fp = fopen($tmpname, 'rb')) == false) {
                                $result['warning'] = $this->error(self::ERROR_UPLOAD_FILE, $name, self::ERROR_UPLOAD_TRANSFER);
@@ -1025,6 +1040,10 @@
                        return array('error' => $this->error(self::ERROR_SAVE, '#'.$target, self::ERROR_FILE_NOT_FOUND));
                }
 
+               if(substr($file['mime'], -4) === '/xml' && !apply_filters('editor_save_data', $args['content'])) {
+                       return array('error' => $this->error(self::ERROR_SAVE, $volume->path($target), $volume->error(), "File failed XML check"));
+               }
+
                if (($file = $volume->putContents($target, $args['content'])) == false) {
                        return array('error' => $this->error(self::ERROR_SAVE, $volume->path($target), $volume->error()));
                }

John.

Please Log in or Create an account to join the conversation.

v3: XML validation for saved and uploaded files 8 years 4 months ago #3377

tom Offline Administrator Posts: 1293 Thank you received: 308	Just for your infomation, I've not (yet) put this in 3.1
	Please Log in or Create an account to join the conversation.

v3: XML validation for saved and uploaded files 8 years 4 months ago #3379

jayaich Topic Author Offline Premium Member Posts: 92 Thank you received: 5	No problem. I saw the recent announcement of the 3.1 release. We will take a look at 3.1 in the New Year. Happy Christmas to you all, John.
	Please Log in or Create an account to join the conversation.