--- docman.php 2002/07/27 19:27:22 1.6 +++ docman.php 2002/07/27 19:56:32 1.8 @@ -1076,13 +1076,15 @@ function try_rename($from,$to) { # print "$from -> $to\n"; if (file_exists($from) && is_writeable(dirname($to))) { - rename($from,$to); + return rename($from,$to); + } else { + return 0; } } function try_dir($todir) { if (! file_exists($todir)) { - mkdir($todir,0700); + @mkdir($todir,0700); } } @@ -1092,7 +1094,7 @@ # print "
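Review bot: In try_dir the added `@mkdir($todir,0700);` silences the warning, but the function still returns nothing, so a failed directory creation is invisible to the caller and the `.log`/`.note` renames that depend on it simply fail quietly. Returning the outcome, e.g. `return file_exists($todir) || @mkdir($todir,0700);`, would let the caller report it the same way the new try_rename result is reported. In try_rename the else branch returns `0` while the success path returns the boolean from rename(); `return false;` keeps a single return type.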
$fromdir / $fromfile -> $todir / $tofile\n\n"; - try_rename("$fromdir/$fromfile","$todir/$tofile"); + if (! try_rename("$fromdir/$fromfile","$todir/$tofile")) Error("Rename error","Can't rename file $fromfile to $tofile",1); try_dir("$todir/.log"); try_rename("$fromdir/.log/$fromfile","$todir/.log/$tofile"); try_dir("$todir/.note"); @@ -1606,18 +1608,19 @@ switch ($HTTP_POST_VARS["POSTACTION"]) { case "UPLOAD" : $FN_name=stripSlashes($HTTP_POST_FILES["FN"]["tmp_name"]); + $FN=stripSlashes($HTTP_POST_FILES["FN"]["name"]); if (!is_writeable($fsDir)) Error("Write denied",$relDir) ; - if (strstr($FN_name,"/")) - Error("Non-conforming filename") ; - // TODO : should rather check for escapeshellcmds - // but maybe RFC 18xx asserts safe filenames .... + $source = $FN_name ; if (! file_exists($source)) { Error("You must select file with browse to upload it!"); } + $FILENAME = $HTTP_POST_VARS["FILENAME"]; + if (strstr($FILENAME,"/")) + Error("Upload error","Non-conforming filename. Filename $FILENAME has slashes (/) in it.") ; if (! isset($FILENAME)) { // from update file - $target = "$fsDir/$FN_name" ; + $target = "$fsDir/".basename($FN_name); } else { $target = "$fsDir/$FILENAME"; } @@ -1750,11 +1753,13 @@ case "RENAME" : if ( $CONFIRM != "on" ) break ; + $NEWNAME=stripSlashes($HTTP_POST_VARS["NEWNAME"]); LogIt("$fsDir/$FN","renamed $FN to $NEWNAME",trperm_r); safe_rename($fsDir,$FN,$NEWNAME); break ; case "NOTE" : + $NOTE=stripSlashes($HTTP_POST_VARS["NOTE"]); WriteNote("$fsDir/$FN","$NOTE"); break ;
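Review bot: Only the first try_rename call is checked; the `.log` rename visible below it (and presumably the `.note` one past the end of the hunk) still discards the new return value, so a document can end up renamed while its log or note stays under the old name. try_rename also returns 0 when the source does not exist, which is normal for a document that has no log, so those calls need a check that separates "nothing to move" from "move failed" rather than the same `if (! try_rename(...)) Error(...)`. The new message interpolates $fromfile and $tofile, which originate from the request; if Error() prints its arguments into HTML (not visible here) they should pass through `htmlspecialchars()` first. The enclosing function starts and ends outside the hunk.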
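Review bot: The new `strstr($FILENAME,"/")` test is the only validation on the client-chosen target name, so an empty name, a backslash, or a leading-dot name such as the `.log` and `.note` directories this file uses for metadata still reaches `$target = "$fsDir/$FILENAME"`. An allow-list is safer than rejecting one character, e.g. `if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9._ -]*$/D',$FILENAME)) Error("Upload error","Non-conforming filename");`, applied only when FILENAME was actually posted. The fallback branch builds the target from `basename($FN_name)`, which is now the server's temporary name, while the newly read client name `$FN` is not used anywhere in the hunk; `basename($FN)` looks like what was intended and is worth confirming. `file_exists($source)` would also be stronger as `is_uploaded_file($source)`, which confirms the path is a file PHP received in this request.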
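Review bot: `$NEWNAME` is read from the POST body and handed to `safe_rename($fsDir,$FN,$NEWNAME)` without the slash check that the UPLOAD case applies to FILENAME in this same commit, so unless safe_rename validates its arguments (its full body is not in these hunks) a name containing `/` can move the file outside `$fsDir`. Adding `if (strstr($NEWNAME,"/")) Error("Rename error","Non-conforming filename");` before the LogIt call would close that and keep a rejected rename out of the log. LogIt runs before safe_rename, so the log records "renamed" even when the rename then fails; calling it after a successful rename avoids the false entry. `stripSlashes` is applied unconditionally to NEWNAME and NOTE, which removes backslashes the user typed when magic_quotes_gpc is off, so it is worth guarding with `get_magic_quotes_gpc()`.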