From 417db62419c27a3dc76484019d129b7caa7e0d5e Mon Sep 17 00:00:00 2001
From: Joshua Ramon Enslin
Date: Sun, 1 Sep 2019 20:46:55 +0200
Subject: [PATCH] Add checks for accessibility of queried file names
---
 index2.php | 75 -----------------------------------------------
 index4.php | 34 +++++++++++++---------
 index6.php | 85 ++++++++++++++++++++++++++++++++++--------------------
 upload.php | 3 +-
 4 files changed, 74 insertions(+), 123 deletions(-)
 delete mode 100644 index2.php
diff --git a/index2.php b/index2.php
deleted file mode 100644
index 328cd48..0000000
--- a/index2.php
+++ /dev/null
@@ -1,75 +0,0 @@
-';
-echo '';
-echo '';
-echo '';
-echo '';
-echo '
'; -echo 'Please wait ... (transforming)
'; -require_once 'inc/zeichen.php'; -$filename = $_GET['fnam']; -$csv_datei = 'csv/' . $filename; - -mkdir("xml", 0755); -$fp = fopen ( $csv_datei, 'r' ); -$y = 0; -while ($zeile = fgetcsv($fp, 100000, ';')) { - - $y++; - $zieldatei = 'xml/' . $y . '.xml'; - if (!$handle = fopen($zieldatei, 'w')) { - echo "Cannot open file ($zieldatei)";exit; - } - $somecontent = '' . "\n"; // normal - $somecontent = $somecontent . '' . "\n"; - - for ($x = 0; $x < count ($zeile); $x++) { - $inhalt[$y][$x] = $zeile[$x]; - //if ($inhalt[$y][$x]=='') $inhalt[$y][$x]='ERSATZ'; - $somecontent = $somecontent . '<' . tagify(transform($inhalt[1][$x])) . '>' . transform($inhalt[$y][$x]) . '' . "\n"; //normaleinstellung - } - $somecontent = $somecontent . ''; - if (fwrite($handle, $somecontent) === FALSE) { - echo "Cannot write to file ($filename)";exit; - } - fclose($handle); -} -fclose($fp); -echo ($y - 1) . ' files created'; -echo '
Download as zip'; -echo '
'; -echo ''; - -echo ' - - - -'; diff --git a/index4.php b/index4.php index 40a0c50..bffe7b3 100644 --- a/index4.php +++ b/index4.php @@ -24,13 +24,20 @@ else if (!isset($_SESSION['lang'])) { $lang = $_SESSION['lang']; require __DIR__ . "/translation-importer/$lang/csvxml-overview.php"; +require __DIR__ . '/inc/zeichen.php'; -require 'inc/zeichen.php'; -$filename = $_GET['fnam']; -$csv_datei = 'csv/' . $filename; +if (empty($filename = trim($_GET['fnam'], " ,./"))) { + echo "Error: Invalid file name"; + exit; +} +$csv_datei = __DIR__ . '/csv/' . $filename; +if (!file_exists($csv_datei)) { + echo "Error: The CSV file does not exist."; + exit; +} if (is_dir(__DIR__ . "/xml")) rrmdir(__DIR__ . '/xml'); -mkdir("xml", 0755); +mkdir(__DIR__ . "/xml", 0755); $fp = fopen ($csv_datei, 'r'); $y = 0; @@ -42,18 +49,20 @@ while ($zeile = fgetcsv($fp, 100000, ';')) { echo "Cannot open file ($zieldatei)";exit; } $somecontent = '' . "\n"; // für Ungarn /////////////////////////////////// - $somecontent = $somecontent . '' . "\n"; + $somecontent .= '' . "\n"; + + $lineCount = count($zeile); + for ($x = 0; $x < $lineCount; $x++) { - for ($x = 0; $x < count ( $zeile ); $x++) - { $inhalt[$y][$x] = $zeile[$x]; $inhalt[$y][$x] = preg_replace('/[\x00-\x1F\x7F]/u', '', $inhalt[$y][$x]); $inhalt[$y][$x] = str_replace('>', ']', str_replace('<', '[', $inhalt[$y][$x])); if (empty($inhalt[$y][$x])) continue; //if ($y!=1) $inhalt[$y][$x] = ''; $somecontent = $somecontent . '<' . tagify(transform($inhalt[1][$x])) . '>' . (($inhalt[$y][$x])) . '' . "\n"; //für ungarn sonst weg } + } - $somecontent = $somecontent . ''; + $somecontent .= ''; if (fwrite($handle, $somecontent) === FALSE) { echo "Cannot write to file ($filename)";exit; } @@ -66,13 +75,10 @@ echo printHTMLHead(); echo '
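Review bot: The new file-name check at `trim($_GET['fnam'], " ,./")` only strips characters at the two ends of the value, so a `..` segment in the middle of the name survives and `__DIR__ . '/csv/' . $filename` can still resolve to a path outside the csv directory; the following `file_exists` does not prevent that and is also true for directories. Reducing the value to a bare name and testing for a regular file closes both gaps: `$filename = basename(trim((string) ($_GET['fnam'] ?? ''), " ,./"));` and `if ($filename === '' || !is_file($csv_datei)) { echo "Error: The CSV file does not exist."; exit; }`. The `?? ''` also avoids the trim(null) deprecation notice when the parameter is absent, which matters because the sibling script index6.php turns display_errors on. The same check is added verbatim in the first hunk of index6.php and needs the same change; in both files the script continues past this hunk, and the unchecked `$fp = fopen(...)` that follows is pre-existing.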
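Review bot: The hunk converts two `$somecontent = $somecontent . ...` assignments to `.=` but leaves the one inside the new `for ($x = 0; $x < $lineCount; $x++)` loop (`$somecontent = $somecontent . '<' . tagify(transform($inhalt[1][$x])) ...`) in the old form, so the same string is now built in two styles within one block; rewriting that line with `.=` as well keeps the hunk consistent (the literal tag fragments are not recoverable from this rendering, so take them from the file). Hoisting `count($zeile)` into `$lineCount` is fine, but `$inhalt[1][$x]` still has no guard for a data row that is wider than the header row, which is pre-existing and would surface as an undefined-index warning wherever display_errors is on. The enclosing while loop starts and ends outside the hunk.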
- Please wait ... (transforming) -
- ' . ($y - 1) . ' files created -
- Download as zip - +
+ Download as zip +
'; echo ' diff --git a/index6.php b/index6.php index 884bdf4..38542d6 100644 --- a/index6.php +++ b/index6.php @@ -1,48 +1,66 @@ '; -echo '
'; -echo 'museum-digital CSV to XML converter'; -echo '
'; -echo '
'; -$semikoma = $_GET['semikoma']; -echo ''; -echo ''; -echo ''; -echo ''; -echo '
'; -echo 'Please wait ... (transforming)
'; +declare(strict_types = 1); +error_reporting(E_ALL); +ini_set('display_errors', "1"); -require 'inc/zeichen.php'; -$filename = $_GET['fnam']; -$csv_datei = 'csv/' . $filename; +require_once __DIR__ . "/functions/functions.php"; -if (!file_exists("xml")) { - mkdir("xml", 0700); +if (session_status() != PHP_SESSION_ACTIVE) { + session_start(); } -$fp = fopen ( $csv_datei, 'r' ); +// This array contains all available languages +$allowed_langs = ['ar', 'de', 'en', 'hu', 'id', 'it', 'pl','pt']; + +// Some languages are in translation. They will only be available for logged in users. + +if (isset($_GET['navlang'])) { + $_SESSION['lang'] = $_GET['navlang']; + if (!in_array($_SESSION['lang'], $allowed_langs)) $_SESSION['lang'] = 'de'; +} +else if (!isset($_SESSION['lang'])) { + $_SESSION['lang'] = lang_getfrombrowser($allowed_langs, 'en', "", false); +} +$lang = $_SESSION['lang']; + +require __DIR__ . '/inc/zeichen.php'; + +if (empty($filename = trim($_GET['fnam'], " ,./"))) { + echo "Error: Invalid file name"; + exit; +} +$csv_datei = __DIR__ . '/csv/' . $filename; +if (!file_exists($csv_datei)) { + echo "Error: The CSV file does not exist."; + exit; +} + +if (is_dir(__DIR__ . "/xml")) rrmdir(__DIR__ . '/xml'); +mkdir(__DIR__ . "/xml", 0755); + +$fp = fopen ($csv_datei, 'r'); $y = 0; -while ( $zeile = fgetcsv ( $fp, 100000, ';' ) ) -{ +while ($zeile = fgetcsv($fp, 100000, ';')) { + $y++; - //echo 'Zeile='.$y.' Anzahl in Zeile: '.count ( $zeile ).'
'; $zieldatei = 'xml/' . $y . '.xml'; if (!$handle = fopen($zieldatei, 'w')) { echo "Cannot open file ($zieldatei)";exit; } $somecontent = '' . "\n"; // für Ungarn /////////////////////////////////// /*$somecontent=''."\n"; // normal */ - $somecontent = $somecontent . '' . "\n"; + $somecontent .= '' . "\n"; - for ($x = 0; $x < count ( $zeile ); $x++) - { + $lineCount = count($zeile); + + for ($x = 0; $x < $lineCount; $x++) { $inhalt[$y][$x] = $zeile[$x]; - //echo ''.$inhalt[1][$x].' --> '.$zeile[$x].'
'; if ($inhalt[$y][$x] == '') $inhalt[$y][$x] = 'ERSATZ'; - //$somecontent=$somecontent.'<'.tagify(transform($inhalt[1][$x])).'>'.utf8_decode(transform($inhalt[$y][$x])).''."\n"; // für utf8 $somecontent = $somecontent . '<' . tagify(transform($inhalt[1][$x])) . '>' . (($inhalt[$y][$x])) . '' . "\n"; //für ungarn sonst weg ////////////////////////////////////////////////////////////// - //$somecontent=$somecontent.'<'.tagify(transform($inhalt[1][$x])).'>'.transform($inhalt[$y][$x]).''."\n"; //normaleinstellung } - $somecontent = $somecontent . '
'; + + $somecontent .= '
'; //if ($y>1) //{ if (fwrite($handle, $somecontent) === FALSE) { @@ -54,9 +72,12 @@ while ( $zeile = fgetcsv ( $fp, 100000, ';' ) ) } fclose($fp); -echo ($y - 1) . ' files created'; -echo '
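Review bot: The new `mkdir(__DIR__ . "/xml", 0755)` creates the output directory by absolute path, but the unchanged `$zieldatei = 'xml/' . $y . '.xml';` a few lines below opens the per-row files relative to the process working directory, so a run started from another directory fails at fopen and reaches the "Cannot open file" exit; `$zieldatei = __DIR__ . '/xml/' . $y . '.xml';` keeps the two in step (index4.php receives the same mkdir change, and its `$zieldatei` assignment, outside the visible hunk, presumably has the same form). The return value of `mkdir` is not checked, so a failed creation still enters the write loop; `if (!mkdir(__DIR__ . '/xml', 0755)) { echo "Error: Cannot create output directory"; exit; }` would stop early. The allowlist test `in_array($_SESSION['lang'], $allowed_langs)` should pass `true` as the third argument, since the value comes straight from `$_GET['navlang']` and an allowlist intends strict comparison. `error_reporting(E_ALL)` together with `ini_set('display_errors', "1")` prints warnings, including the absolute `__DIR__`-based paths introduced here, to the browser; consider leaving display_errors off outside development and logging instead. The while loop this hunk ends in continues past the hunk.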
Download as zip'; -echo '
'; -echo '
'; + +echo printHTMLHead(); + +echo ' +
+ ' . ($y - 1) . ' files created
+
+ Download as ZIP +
'; diff --git a/upload.php b/upload.php index 217534f..cde756b 100644 --- a/upload.php +++ b/upload.php @@ -23,10 +23,9 @@ echo printHTMLHead(); echo "

The file has been uploaded: " . basename( $_FILES['uploaded']['name']) . ".

-
+

How to proceed?