From dcc698164f1f2b43a32b5503716fc7329c203714 Mon Sep 17 00:00:00 2001
From: mark
Date: Sun, 31 Jul 2011 08:11:35 +0000
Subject: [PATCH] clean attachment filenames, #13843

---
 httemplate/edit/cust_main_attach.cgi | 20 +++++++++++---------
 httemplate/edit/process/cust_main_attach.cgi | 10 +++++++---
 httemplate/view/cust_main/attachments.html | 6 +++---
 3 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/httemplate/edit/cust_main_attach.cgi b/httemplate/edit/cust_main_attach.cgi
index ebbaf3cf3..1677ea7bd 100755
--- a/httemplate/edit/cust_main_attach.cgi
+++ b/httemplate/edit/cust_main_attach.cgi
@@ -6,19 +6,22 @@
-

-
-
 % if(defined $attach) {
 % if($curuser->access_right("Download attachment")) {
 Download this file
% }
+% }
+
+
+
+
+% if ( defined $attach ) {
-
+
-
+
-
+
 % }
 % else { # !defined $attach
@@ -47,9 +50,8 @@ my $curuser = $FS::CurrentUser::CurrentUser;
 my $attachnum = '';
 my $attach;
-if ( $cgi->param('error') ) {
- #$comment = $cgi->param('comment');
-} elsif ( $cgi->param('attachnum') =~ /^(\d+)$/ ) {
+
+if ( $cgi->param('attachnum') =~ /^(\d+)$/ ) {
 $attachnum = $1;
 die "illegal query ". $cgi->keywords unless $attachnum;
 $attach = qsearchs('cust_attachment', { 'attachnum' => $attachnum });
diff --git a/httemplate/edit/process/cust_main_attach.cgi b/httemplate/edit/process/cust_main_attach.cgi
index 291135718..09c18adcb 100644
--- a/httemplate/edit/process/cust_main_attach.cgi
+++ b/httemplate/edit/process/cust_main_attach.cgi
@@ -24,6 +24,10 @@ $cgi->param('attachnum') =~ /^(\d*)$/
 or die "Illegal attachnum: ". $cgi->param('attachnum');
 my $attachnum = $1;
+my $filename = $cgi->param('file');
+# strip directory names; thanks, IE7
+$filename =~ s!.*[\/\\]!!;
+
 my $curuser = $FS::CurrentUser::CurrentUser;
 my $delete = $cgi->param('delete');
@@ -49,7 +53,7 @@ if($attachnum) {
 else {
 map { $new->$_($old->$_) } ('_date', 'otaker', 'body', 'disabled');
- $new->filename($cgi->param('filename') || $old->filename);
+ $new->filename($filename || $old->filename);
 $new->mime_type($cgi->param('mime_type') || $old->mime_type);
 $new->title($cgi->param('title'));
 if($delete and not $old->disabled) {
@@ -62,10 +66,10 @@ if($attachnum) {
 }
 else { # This is a new attachment, so require a file.
- my $filename = $cgi->param('file');
 if($filename) {
 $new->filename($filename);
- $new->mime_type($cgi->uploadInfo($filename)->{'Content-Type'});
+ # use the original filename here, not the stripped form
+ $new->mime_type($cgi->uploadInfo($cgi->param('file'))->{'Content-Type'});
 $new->title($cgi->param('title'));
 local $/;
diff --git a/httemplate/view/cust_main/attachments.html b/httemplate/view/cust_main/attachments.html
index bdd4f5917..718cf7688 100755
--- a/httemplate/view/cust_main/attachments.html
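Review bot: `$filename =~ s!.*[\/\\]!!;` runs unconditionally, but on an edit of an existing attachment the form presumably sends no upload, so `$cgi->param('file')` is undef and the substitution emits an uninitialized-value warning on every such request (the `$filename || $old->filename` fallback in the next hunk shows the empty case is expected). The pattern is also unanchored and `.` does not cross a newline, so a name with a newline ahead of its last separator keeps a prefix; `$filename =~ s{\A.*[/\\]}{}s if defined $filename;` gives the basename rule for any input without the warning. A name ending in a separator strips to the empty string, which the new-attachment branch then treats as no file having been sent. Stripping directory components fixes the full-path names IE7 submits but is not a general sanitiser: the stored name is still emitted to the browser later, which is why the `|h` escaping in attachments.html matters, and whether it also feeds a download Content-Disposition header is outside this patch and worth confirming.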
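Review bot: `$new->filename($filename || $old->filename);` switches the edit path from the `filename` text parameter to the basename of the `file` upload, yet `body` two lines above is still copied from `$old`, so as far as this hunk shows an edit that sends a file renames the stored attachment without replacing its content. If the edit form still submits a `filename` field (the form hunk in the first file is not legible in this rendering), that value is now silently ignored. Either read the upload body in this branch as well, or state the intent on the line: `# on edit an upload only supplies the stored name; body is kept from $old`. The enclosing `if($attachnum)` block starts and ends outside the hunk.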
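Review bot: `$cgi->uploadInfo($cgi->param('file'))` returns undef when CGI.pm holds no upload record for that value (for instance when `file` arrives as a plain form field rather than a multipart upload), and `->{'Content-Type'}` on undef then dies under strict refs; the `if($filename)` guard does not cover this because `$filename` can be non-empty without an upload having taken place. Guard the lookup and fall back to a neutral type rather than dying: `my $info = $cgi->uploadInfo($cgi->param('file'));` / `$new->mime_type($info ? $info->{'Content-Type'} : 'application/octet-stream');`. The stored Content-Type is client-supplied; if it is later replayed as the response Content-Type on download, that path should check it against an allowlist, but that code is outside this patch. The enclosing `else` block continues past the end of the hunk.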
+++ b/httemplate/view/cust_main/attachments.html
@@ -85,12 +85,12 @@
 <% $attach->usernum ? $attach->access_user->name : $attach->otaker %>
Filename >
>
Description
MIME type
Size <% $attach->size %>
-  <% $attach->filename %>
+  <% $attach->filename |h %>
-  <% $attach->title %>
+  <% $attach->title |h %>
-  <% $attach->mime_type %>
+  <% $attach->mime_type |h %>
  <% size_units( $attach->size ) %>
-- 
2.11.0
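Review bot: The first context line of this hunk still emits `$attach->access_user->name` and `$attach->otaker` without `|h`, while the three cells below now escape filename, title and mime_type; a user's display name is editable data and belongs in the same category, so `<% $attach->usernum ? $attach->access_user->name : $attach->otaker |h %>` keeps the row consistently escaped. The `size_units( $attach->size )` cell is computed and needs no filter. Whether the VALUE attributes in the edit form (first file of this patch) received the same treatment cannot be read from this rendering and is worth confirming.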