| Index: branches/uploadwizard/phase3/includes/upload/SessionStash.php |
| — | — | @@ -12,6 +12,12 @@ |
| 13 | 13 | * |
| 14 | 14 | */ |
| 15 | 15 | class SessionStash { |
| | 16 | + // Format of the key for files -- has to be suitable as a filename itself in some cases. |
| | 17 | + // This should encompass a sha1 content hash in hex (new style), or an integer (old style), |
| | 18 | + // and also thumbnails with prepended strings like "120px-". |
| | 19 | + // The file extension should not be part of the key. |
| | 20 | + const KEY_FORMAT_REGEX = '/^[\w-]+$/'; |
| | 21 | + |
| 16 | 22 | // repository that this uses to store temp files |
| 17 | 23 | protected $repo; |
| 18 | 24 | |
| — | — | @@ -65,7 +71,11 @@ |
| 66 | 72 | * @throws SessionStashBadVersionException |
| 67 | 73 | * @return {SessionStashItem} null if no such item or item out of date, or the item |
| 68 | 74 | */ |
| 69 | | - public function getFile( $key ) { |
| | 75 | + public function getFile( $key ) { |
| | 76 | + if ( ! preg_match( self::KEY_FORMAT_REGEX, $key ) ) { |
| | 77 | + throw new SessionStashBadPathException( "key '$key' is not in a proper format" ); |
| | 78 | + } |
| | 79 | + |
| 70 | 80 | if ( !isset( $this->files[$key] ) ) { |
| 71 | 81 | if ( !isset( $_SESSION[UploadBase::SESSION_KEYNAME][$key] ) ) { |
| 72 | 82 | throw new SessionStashFileNotFoundException( "key '$key' not found in session" ); |
| — | — | @@ -113,6 +123,10 @@ |
| 114 | 124 | $key = $fileProps['sha1']; |
| 115 | 125 | } |
| 116 | 126 | |
| | 127 | + if ( ! preg_match( self::KEY_FORMAT_REGEX, $key ) ) { |
| | 128 | + throw new SessionStashBadPathException( "key '$key' is not in a proper format" ); |
| | 129 | + } |
| | 130 | + |
| 117 | 131 | // if not already in a temporary area, put it there |
| 118 | 132 | $status = $this->repo->storeTemp( basename( $path ), $path ); |
| 119 | 133 | if( ! $status->isOK() ) { |
| Index: branches/uploadwizard/phase3/includes/specials/SpecialSessionStash.php |
| — | — | @@ -92,25 +92,22 @@ |
| 93 | 93 | if ( $n !== false ) { |
| 94 | 94 | $key = $n ? substr( $subPage, 0, $n ) : $subPage; |
| 95 | 95 | } |
| 96 | | - |
| | 96 | + |
| 97 | 97 | try { |
| 98 | 98 | $file = $this->stash->getFile( $key ); |
| 99 | 99 | } catch ( SessionStashFileNotFoundException $e ) { |
| 100 | 100 | // if we couldn't find it, and it looks like a thumbnail, |
| 101 | 101 | // and it looks like we have the original, go ahead and generate it |
| 102 | 102 | $matches = array(); |
| 103 | | - // FIXME: This code assumes all kinds of constraints apply to file keys: |
| 104 | | - // they can't contain whitespace, and keys for original files can't contain dashes. |
| 105 | | - // These assumptions should be documented and/or enforced --RK |
| 106 | | - if ( ! preg_match( '/^(\d+)px-(\S+)$/', $key, $matches ) ) { |
| | 103 | + if ( ! preg_match( '/^(\d+)px-(.*)$/', $key, $matches ) ) { |
| 107 | 104 | // that doesn't look like a thumbnail. re-raise exception |
| 108 | 105 | throw $e; |
| 109 | 106 | } |
| 110 | 107 | |
| 111 | | - $width = $matches[1]; |
| 112 | | - $origKey = $matches[2]; |
| | 108 | + list( $dummy, $width, $origKey ) = $matches; |
| 113 | 109 | |
| 114 | | - // do not trap exceptions, if not found let exceptions propagate to caller. |
| | 110 | + // do not trap exceptions, if key is in bad format, or file not found, |
| | 111 | + // let exceptions propagate to caller. |
| 115 | 112 | $origFile = $this->stash->getFile( $origKey ); |
| 116 | 113 | |
| 117 | 114 | // ok we're here so the original must exist. Generate the thumbnail. |