From 2482260556b8adf661e3e95ccd2f17e8f374f918 Mon Sep 17 00:00:00 2001
From: JLTRY
Date: Mon, 30 Dec 2024 21:35:27 +0100
Subject: [PATCH 1/3] Make filename safe adapt PR #23
---
 attachments_component/site/src/Helper/AttachmentsHelper.php | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/attachments_component/site/src/Helper/AttachmentsHelper.php b/attachments_component/site/src/Helper/AttachmentsHelper.php
index 84467fb5..14515145 100644
--- a/attachments_component/site/src/Helper/AttachmentsHelper.php
+++ b/attachments_component/site/src/Helper/AttachmentsHelper.php
@@ -436,10 +436,8 @@ public static function upload_file(&$attachment, &$parent, $attachment_id=false,
 }
 // Get the new filename
- // (Note: The following replacement is necessary to allow
- // single quotes in filenames to work correctly.)
- // Trim of any trailing period (to avoid exploits)
- $filename = rtrim(StringHelper::str_ireplace("\'", "'", $_FILES['upload']['name']), '.');
+ // Make filename safe
+ $filename = File::makeSafe(strtolower($_FILES['upload']['name']));
 $ftype = $_FILES['upload']['type'];
 // Check the file size
From a8c9c15aba6adf2e667a7217116a25cf610e1fcc Mon Sep 17 00:00:00 2001
From: JLTRY
Date: Tue, 31 Dec 2024 14:32:31 +0100
Subject: [PATCH 2/3] Make filename safe adapt PR #23 make feature optional
---
 attachments_component/admin/config.xml | 6 ++++++
 .../admin/language/en-GB/en-GB.com_attachments.ini | 2 ++
 .../admin/language/fr-FR/fr-FR.com_attachments.ini | 2 ++
 .../site/src/Helper/AttachmentsHelper.php | 8 +++++++-
 4 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/attachments_component/admin/config.xml b/attachments_component/admin/config.xml
index ddf962a8..99be6710 100644
--- a/attachments_component/admin/config.xml
+++ b/attachments_component/admin/config.xml
@@ -191,6 +191,12 @@ label="ATTACH_FORBIDDEN_FILENAME_CHARACTERS" size="40" description="ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION"> + + + + 
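Review bot: The result of `File::makeSafe(strtolower($_FILES['upload']['name']))` is never checked for emptiness before it is used as `$filename`. If `File` is Joomla's filesystem `File` class (its `use` line is outside the hunk), `makeSafe` strips everything outside ASCII letters, digits, dot, underscore, hyphen and space, so a name written entirely in, say, Greek or Cyrillic is reduced to its bare extension or to an empty string, and `upload_file`, whose body continues outside the hunk, carries on with that name. A guard such as `if ($filename === '') { /* reject the upload via the component's usual error path */ }` belongs right after the assignment, and the `// Make filename safe` comment should also say the name is lower-cased, since that is a visible change for users. The same gap exists in the `if ( $filename_safe )` branch that PATCH 2/3 adds at this spot.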
diff --git a/attachments_component/admin/language/en-GB/en-GB.com_attachments.ini b/attachments_component/admin/language/en-GB/en-GB.com_attachments.ini
index df354ec5..bd0ceae7 100644
--- a/attachments_component/admin/language/en-GB/en-GB.com_attachments.ini
+++ b/attachments_component/admin/language/en-GB/en-GB.com_attachments.ini
@@ -191,6 +191,8 @@ ATTACH_FILTER="Filter"
 ATTACH_FILTER_ENTITY_TOOLTIP="Use this option to limit the list of attachments to parents of a particular type."
 ATTACH_FORBIDDEN_FILENAME_CHARACTERS="Characters forbidden in uploaded filenames"
 ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION="Filenames containing these characters will not be allowed to be uploaded. These characters are problematic in the URL presented to the user for file attachments in 'non-secure' mode so they are forbidden. These characters are generally not an issue when using 'secure' mode since the filename is not used as part of the URL presented to the user."
+ATTACH_SANITIZE_FILENAME="Sanitize FileName"
+ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION="Sanitize FileName : removes special characters "
 ATTACH_FORMAT_STRING_FOR_DATES="Format string for dates"
 ATTACH_FORMAT_STRING_FOR_DATES_DESCRIPTION="The format string for the creation and modification dates. Enter a format string like ones used by the Joomla JDate class format() function (which is based on the PHP class DateTime::format function). Search the web with 'PHP DateTime' for examples. Note that JDate handles translation of month/day names as necessary. The default format string (Y-m-d H:M) gives dates with 24-hour time like 2013-01-05 16:21."
 ATTACH_FOR_PARENT_S_COLON_S="For %s: '%s'"
diff --git a/attachments_component/admin/language/fr-FR/fr-FR.com_attachments.ini b/attachments_component/admin/language/fr-FR/fr-FR.com_attachments.ini
index 217fa4f2..79c777b6 100644
--- a/attachments_component/admin/language/fr-FR/fr-FR.com_attachments.ini
+++ b/attachments_component/admin/language/fr-FR/fr-FR.com_attachments.ini
@@ -190,6 +190,8 @@ ATTACH_FILTER="Filtre"
 ATTACH_FILTER_ENTITY_TOOLTIP=" Utilisez cette option pour limiter la liste des pièces jointes aux parents d'un type en particulier."
 ATTACH_FORBIDDEN_FILENAME_CHARACTERS="Caractères interdits dans les noms des fichiers à envoyer"
 ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION="Les noms de fichiers contenant ces caractères ne pourront pas être envoyés. Ces caractères posent problème dans l'URL présentée à l'utilisateur dans le mode 'non sécurisé', ils sont donc interdits. Ces caractères ne sont généralement pas un problème quand vous utilisez le mode 'sécurisé'."
+ATTACH_SANITIZE_FILENAME="Nettoie les noms des fichiers"
+ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION="Nettoie les noms des fichiers : enlève les caractèrer speciaux"
 ATTACH_FORMAT_STRING_FOR_DATES="Format de chaine pour les dates"
 ATTACH_FORMAT_STRING_FOR_DATES_DESCRIPTION="Format de chaine pour la création et la modification des dates. Entrez un format de chaine comme celui utilisé par la Classe de fonction format() Joomla JDate (qui est basée sur la classe de fonction PHP DateTime::format). Rechercher sur le web avec 'PHP DateTime' par exemple. Notez que JDate gère la traduction des Jours/mois quand c'est nécessaire. La chaine de format (Y-m-d H:M) renvoie par défaut les dates en format 24h comme dans 2013-01-05 16:21."
 ATTACH_FOR_PARENT_S_COLON_S="Pour %s: '%s'"
diff --git a/attachments_component/site/src/Helper/AttachmentsHelper.php b/attachments_component/site/src/Helper/AttachmentsHelper.php
index 14515145..b723ec8a 100644
--- a/attachments_component/site/src/Helper/AttachmentsHelper.php
+++ b/attachments_component/site/src/Helper/AttachmentsHelper.php
@@ -437,7 +437,13 @@ public static function upload_file(&$attachment, &$parent, $attachment_id=false,
 // Get the new filename
 // Make filename safe
- $filename = File::makeSafe(strtolower($_FILES['upload']['name']));
+ $filename_safe = $params->get('sanitize_filename_characters', false);
+ if ( $filename_safe ) {
+ $filename = File::makeSafe(strtolower($_FILES['upload']['name']));
+ } else {
+ // Trim of any trailing period (to avoid exploits)
+ $filename = rtrim(StringHelper::str_ireplace("\'", "'", $_FILES['upload']['name']), '.');
+ }
 $ftype = $_FILES['upload']['type'];
 // Check the file size
From 68802561cbf737f2478a151e131eb6673966b380 Mon Sep 17 00:00:00 2001
From: Theofilos Intzoglou
Date: Tue, 31 Dec 2024 16:35:26 +0200
Subject: [PATCH 3/3] Add greek translation and fix translation constants
---
 .../admin/language/el-GR/el-GR.com_attachments.ini | 2 ++
 .../admin/language/en-GB/en-GB.com_attachments.ini | 4 ++--
 .../admin/language/fr-FR/fr-FR.com_attachments.ini | 4 ++--
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/attachments_component/admin/language/el-GR/el-GR.com_attachments.ini b/attachments_component/admin/language/el-GR/el-GR.com_attachments.ini
index 7f3868a7..d7e099cf 100644
--- a/attachments_component/admin/language/el-GR/el-GR.com_attachments.ini
+++ b/attachments_component/admin/language/el-GR/el-GR.com_attachments.ini
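Review bot: `$params->get('sanitize_filename_characters', false)` defaults the new option to off, so the legacy path (`str_ireplace` of `\'` plus the trailing-period `rtrim`) remains what runs unless an administrator opts in, and the `// Make filename safe` comment above the branch no longer describes the default. Suggest `// Make filename safe only when the sanitize_filename_characters option is enabled; otherwise keep the legacy name handling` so the opt-in nature is explicit. `$params` is not defined in the hunk and `upload_file`'s parameter list is cut off in the hunk header, so it presumably comes from earlier in the function; worth confirming, as is that the key matches the field name added to config.xml, whose added lines are not readable in this patch series. Minor style: `$filename_safe` holds a flag rather than a filename, so `$sanitize_filename` would read better, and `if ( $filename_safe ) {` should lose the inner spaces to read `if ($filename_safe) {`.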
@@ -278,6 +278,8 @@ ATTACH_RELATIVE_URL_TOOLTIP="Επιλέξτε αυτό το κουτί για ν
 ATTACH_RESET="Επαναφορά"
 ATTACH_RESET_ORDER="Επαναφορά Ταξινόμησης"
 ATTACH_SAVE="Αποθήκευση"
+ATTACH_SANITIZE_FILENAME="Εκκαθάριση Ονόματος Αρχείου"
+ATTACH_SANITIZE_FILENAME_DESCRIPTION="Εκκαθάριση Ονόματος Αρχείου : αφαιρεί τους ειδικούς χαρακτήρες"
 ATTACH_SECURE_ATTACHMENT_DOWNLOADS="Ασφαλείς λήψεις συνημμένων"
 ATTACH_SECURE_ATTACHMENT_DOWNLOADS_DESCRIPTION="Χρησιμοποιήστε ασφαλείς λήψεις συνημμένων. Όταν χρησιμοποιούνται ασφαλείς λήψεις, μόνο οι χρήστες με κατάλληλα δικαιώματα θα μπορούν να κατεβάσουν τα συνημμένα. Σημείωση: Σε 'ασφαλή' λειτουργία, η λίστα συνημμένων δεν εμφανίζεται όταν ο χρήστης δεν έχει συνδεθεί (εκτός αν η επιλογή 'Εμφάνιση συνημμένων σε ασφαλή κατάσταση' έχει οριστεί σε 'Ναι')."
 ATTACH_SELECT_ENTITY_S="Επιλέξτε %s"
diff --git a/attachments_component/admin/language/en-GB/en-GB.com_attachments.ini b/attachments_component/admin/language/en-GB/en-GB.com_attachments.ini
index bd0ceae7..a70cb97d 100644
--- a/attachments_component/admin/language/en-GB/en-GB.com_attachments.ini
+++ b/attachments_component/admin/language/en-GB/en-GB.com_attachments.ini
@@ -191,8 +191,6 @@ ATTACH_FILTER="Filter"
 ATTACH_FILTER_ENTITY_TOOLTIP="Use this option to limit the list of attachments to parents of a particular type."
 ATTACH_FORBIDDEN_FILENAME_CHARACTERS="Characters forbidden in uploaded filenames"
 ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION="Filenames containing these characters will not be allowed to be uploaded. These characters are problematic in the URL presented to the user for file attachments in 'non-secure' mode so they are forbidden. These characters are generally not an issue when using 'secure' mode since the filename is not used as part of the URL presented to the user."
-ATTACH_SANITIZE_FILENAME="Sanitize FileName"
-ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION="Sanitize FileName : removes special characters "
 ATTACH_FORMAT_STRING_FOR_DATES="Format string for dates"
 ATTACH_FORMAT_STRING_FOR_DATES_DESCRIPTION="The format string for the creation and modification dates. Enter a format string like ones used by the Joomla JDate class format() function (which is based on the PHP class DateTime::format function). Search the web with 'PHP DateTime' for examples. Note that JDate handles translation of month/day names as necessary. The default format string (Y-m-d H:M) gives dates with 24-hour time like 2013-01-05 16:21."
 ATTACH_FOR_PARENT_S_COLON_S="For %s: '%s'"
@@ -280,6 +278,8 @@ ATTACH_RELATIVE_URL_TOOLTIP="Check this box to enter a URL relative to this Joom
 ATTACH_RESET="Reset"
 ATTACH_RESET_ORDER="Reset Order"
 ATTACH_SAVE="Save"
+ATTACH_SANITIZE_FILENAME="Sanitize FileName"
+ATTACH_SANITIZE_FILENAME_DESCRIPTION="Sanitize FileName : removes special characters "
 ATTACH_SECURE_ATTACHMENT_DOWNLOADS="Secure attachment downloads"
 ATTACH_SECURE_ATTACHMENT_DOWNLOADS_DESCRIPTION="Use secure attachment downloads. When secure downloads are used, only users with appropriate permissions will be able to download the attachments. Note: In 'secure' mode, the attachments list is not displayed when the user is not logged in (unless the 'List attachments in secure mode' option is set to 'True')."
 ATTACH_SELECT_ENTITY_S="Select %s"
diff --git a/attachments_component/admin/language/fr-FR/fr-FR.com_attachments.ini b/attachments_component/admin/language/fr-FR/fr-FR.com_attachments.ini
index 79c777b6..0206dead 100644
--- a/attachments_component/admin/language/fr-FR/fr-FR.com_attachments.ini
+++ b/attachments_component/admin/language/fr-FR/fr-FR.com_attachments.ini
@@ -190,8 +190,6 @@ ATTACH_FILTER="Filtre"
 ATTACH_FILTER_ENTITY_TOOLTIP=" Utilisez cette option pour limiter la liste des pièces jointes aux parents d'un type en particulier."
 ATTACH_FORBIDDEN_FILENAME_CHARACTERS="Caractères interdits dans les noms des fichiers à envoyer"
 ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION="Les noms de fichiers contenant ces caractères ne pourront pas être envoyés. Ces caractères posent problème dans l'URL présentée à l'utilisateur dans le mode 'non sécurisé', ils sont donc interdits. Ces caractères ne sont généralement pas un problème quand vous utilisez le mode 'sécurisé'."
-ATTACH_SANITIZE_FILENAME="Nettoie les noms des fichiers"
-ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION="Nettoie les noms des fichiers : enlève les caractèrer speciaux"
 ATTACH_FORMAT_STRING_FOR_DATES="Format de chaine pour les dates"
 ATTACH_FORMAT_STRING_FOR_DATES_DESCRIPTION="Format de chaine pour la création et la modification des dates. Entrez un format de chaine comme celui utilisé par la Classe de fonction format() Joomla JDate (qui est basée sur la classe de fonction PHP DateTime::format). Rechercher sur le web avec 'PHP DateTime' par exemple. Notez que JDate gère la traduction des Jours/mois quand c'est nécessaire. La chaine de format (Y-m-d H:M) renvoie par défaut les dates en format 24h comme dans 2013-01-05 16:21."
 ATTACH_FOR_PARENT_S_COLON_S="Pour %s: '%s'"
@@ -279,6 +277,8 @@ ATTACH_RELATIVE_URL_TOOLTIP="Cochez cette case pour entrer une adresse relative
 ATTACH_RESET="Réinitialiser"
 ATTACH_RESET_ORDER="Réinitialiser l'ordre"
 ATTACH_SAVE="Enregistrer"
+ATTACH_SANITIZE_FILENAME="Nettoie les noms des fichiers"
+ATTACH_SANITIZE_FILENAME_DESCRIPTION="Nettoie les noms des fichiers : enlève les caractèrer speciaux"
 ATTACH_SECURE_ATTACHMENT_DOWNLOADS="Téléchargement de pièces jointes sécurisé"
 ATTACH_SECURE_ATTACHMENT_DOWNLOADS_DESCRIPTION="Utilise le téléchargement de pièces jointes sécurisé. Quand les téléchargements sécurisés sont utilisés, seuls les utilisateurs avec les permissions appropriées peuvent télécharger les pièces jointes. Note: Dans le mode «sécurisé», la liste des pièces jointes n'est pas affichée quand l'utilisateur n'est pas enregistré (A moins que l'option 'Liste de pièces jointes sécurisé' soit placée sur 'Oui')."
 ATTACH_SELECT_ENTITY_S="Selectionnez %s"