authormark <mark>2011-07-31 08:11:51 +0000
committermark <mark>2011-07-31 08:11:51 +0000
commitecacdc093c236a548e819406dbbd56067ec352e4 (patch)
treee304739c91a800e9dfb258f01e7292e016dd008a /httemplate
parent8540e77a4e36da552b518c13200e07570182676b (diff)
clean attachment filenames, #13843
Diffstat (limited to 'httemplate')
-rwxr-xr-xhttemplate/edit/cust_main_attach.cgi20
-rw-r--r--httemplate/edit/process/cust_main_attach.cgi10
-rwxr-xr-xhttemplate/view/cust_main/attachments.html6
3 files changed, 21 insertions, 15 deletions
diff --git a/httemplate/edit/cust_main_attach.cgi b/httemplate/edit/cust_main_attach.cgi
index 4d9688fe9..0880c760a 100755
--- a/httemplate/edit/cust_main_attach.cgi
+++ b/httemplate/edit/cust_main_attach.cgi
@@ -6,19 +6,22 @@
<INPUT TYPE="hidden" NAME="custnum" VALUE="<% $custnum %>">
<INPUT TYPE="hidden" NAME="attachnum" VALUE="<% $attachnum %>">
-<BR><BR>
-
-<TABLE BGCOLOR="#cccccc" CELLSPACING=0>
% if(defined $attach) {
% if($curuser->access_right("Download attachment")) {
<A HREF="<% $p.'view/attachment.html?'.$attachnum %>">Download this file</A><BR>
% }
+% }
+
+<BR>
+<TABLE BGCOLOR="#cccccc" CELLSPACING=0>
+
+% if ( defined $attach ) {
<TR><TD> Filename </TD>
-<TD><INPUT TYPE="text" NAME="filename" SIZE=40 MAXLENGTH=255 VALUE="<% $attach->filename %>"<% $disabled %>></TD></TR>
+<TD><INPUT TYPE="text" NAME="file" SIZE=40 MAXLENGTH=255 VALUE="<% $cgi->param('file') || $attach->filename |h %>"<% $disabled %>></TD></TR>
<TR><TD> Description </TD>
-<TD><INPUT TYPE="text" NAME="title" SIZE=40 MAXLENGTH=80 VALUE="<% $attach->title %>"<% $disabled %></TD></TR>
+<TD><INPUT TYPE="text" NAME="title" SIZE=40 MAXLENGTH=80 VALUE="<% $cgi->param('title') || $attach->title |h %>"<% $disabled %></TD></TR>
<TR><TD> MIME type </TD>
-<TD><INPUT TYPE="text" NAME="mime_type" VALUE="<% $attach->mime_type %>"<% $disabled %></TD></TR>
+<TD><INPUT TYPE="text" NAME="mime_type" SIZE=40 VALUE="<% $cgi->param('mime_type') || $attach->mime_type |h %>"<% $disabled %></TD></TR>
<TR><TD> Size </TD><TD><% $attach->size %></TD></TR>
% }
% else { # !defined $attach
@@ -47,9 +50,8 @@ my $curuser = $FS::CurrentUser::CurrentUser;
my $attachnum = '';
my $attach;
-if ( $cgi->param('error') ) {
- #$comment = $cgi->param('comment');
-} elsif ( $cgi->param('attachnum') =~ /^(\d+)$/ ) {
+
+if ( $cgi->param('attachnum') =~ /^(\d+)$/ ) {
$attachnum = $1;
die "illegal query ". $cgi->keywords unless $attachnum;
$attach = qsearchs('cust_attachment', { 'attachnum' => $attachnum });
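Review bot: The rewritten Description and MIME type inputs on L43 and L46 are still not closed: `VALUE="…"<% $disabled %></TD></TR>` lacks the `>` that ends the `<INPUT` tag, so `</TD></TR>` is swallowed into the tag attributes (the removed lines had the same defect; L40 gets it right with `<% $disabled %>></TD></TR>`). In the second hunk, `$cgi->param('attachnum') =~ /^(\d+)$/` on L57 lets a trailing newline through because `$` matches before a final `\n`; `\z` pins the end, e.g. `if ( $cgi->param('attachnum') =~ /^(\d+)\z/ ) {`. The `if` body that starts on L57 continues past the end of the hunk.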
diff --git a/httemplate/edit/process/cust_main_attach.cgi b/httemplate/edit/process/cust_main_attach.cgi
index 291135718..09c18adcb 100644
--- a/httemplate/edit/process/cust_main_attach.cgi
+++ b/httemplate/edit/process/cust_main_attach.cgi
@@ -24,6 +24,10 @@ $cgi->param('attachnum') =~ /^(\d*)$/
or die "Illegal attachnum: ". $cgi->param('attachnum');
my $attachnum = $1;
+my $filename = $cgi->param('file');
+# strip directory names; thanks, IE7
+$filename =~ s!.*[\/\\]!!;
+
my $curuser = $FS::CurrentUser::CurrentUser;
my $delete = $cgi->param('delete');
@@ -49,7 +53,7 @@ if($attachnum) {
else {
map { $new->$_($old->$_) }
('_date', 'otaker', 'body', 'disabled');
- $new->filename($cgi->param('filename') || $old->filename);
+ $new->filename($filename || $old->filename);
$new->mime_type($cgi->param('mime_type') || $old->mime_type);
$new->title($cgi->param('title'));
if($delete and not $old->disabled) {
@@ -62,10 +66,10 @@ if($attachnum) {
}
else { # This is a new attachment, so require a file.
- my $filename = $cgi->param('file');
if($filename) {
$new->filename($filename);
- $new->mime_type($cgi->uploadInfo($filename)->{'Content-Type'});
+ # use the original filename here, not the stripped form
+ $new->mime_type($cgi->uploadInfo($cgi->param('file'))->{'Content-Type'});
$new->title($cgi->param('title'));
local $/;
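Review bot: The path-stripping substitution on L70 runs on an undefined value whenever the `file` parameter is absent from the request, producing an uninitialized-value warning under `use warnings`; defaulting first avoids it, e.g. `my $filename = $cgi->param('file'); $filename = '' unless defined $filename;`. The pattern `s!.*[\/\\]!!` is also unanchored and lacks `/s`, so a submitted name containing a newline keeps any directory components after the newline; `$filename =~ s{ \A .* [/\\] }{}xms;` strips everything up to the last separator regardless of embedded newlines. Note that this only removes leading directories — a result of `.` or `..` or an empty string passes through to the `$filename || $old->filename` fallback on L79, which is fine for the new-attachment branch (L87 requires a true value) but is worth a one-line comment if the stored name is ever used as a path, which this hunk does not show.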
diff --git a/httemplate/view/cust_main/attachments.html b/httemplate/view/cust_main/attachments.html
index 1ad857e47..d51d82645 100755
--- a/httemplate/view/cust_main/attachments.html
+++ b/httemplate/view/cust_main/attachments.html
@@ -86,12 +86,12 @@
&nbsp;<% $attach->usernum ? $attach->access_user->name : $attach->otaker %>
</TD>
<TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
- &nbsp;<% $attach->filename %>
+ &nbsp;<% $attach->filename |h %>
</TD>
<TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
- &nbsp;<% $attach->title %>
+ &nbsp;<% $attach->title |h %>
<TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
- &nbsp;<% $attach->mime_type %>
+ &nbsp;<% $attach->mime_type |h %>
</TD>
<TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
&nbsp;<% size_units( $attach->size ) %>
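Review bot: The neighbouring cell on L99 still interpolates `$attach->access_user->name` and `$attach->otaker` without `|h`, so the row is only partially escaped after this change; for consistency with the three cells that gained the filter, `&nbsp;<% $attach->usernum ? $attach->access_user->name : $attach->otaker |h %>` closes that gap. Separately, the title cell opened on L106/L107 is never closed — the next `<TD` on L108 follows directly with no `</TD>` — which the removed line also lacked and the rewritten line carries forward; adding `</TD>` after L107 matches the filename and mime_type cells.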