Diff for /loncom/publisher/loncfile.pm between versions 1.105 and 1.106

version 1.105, 2010/12/14 16:26:04 version 1.106, 2011/03/01 01:36:55
Line 348  sub cleanDest { Line 348  sub cleanDest {
     my ($request,$dest,$subdir,$fn,$uname)=@_;      my ($request,$dest,$subdir,$fn,$uname)=@_;
     #remove bad characters      #remove bad characters
     my $foundbad=0;      my $foundbad=0;
       my $error='';
     if ($subdir && $dest =~/\./) {      if ($subdir && $dest =~/\./) {
  $foundbad=1;   $foundbad=1;
  $dest=~s/\.//g;   $dest=~s/\.//g;
Line 359  sub cleanDest { Line 360  sub cleanDest {
     }      }
     if ($dest=~m|/|) {      if ($dest=~m|/|) {
  my ($newpath)=($dest=~m|(.*)/|);   my ($newpath)=($dest=~m|(.*)/|);
  $newpath=&relativeDest($fn,$newpath,$uname);   ($newpath,$error)=&relativeDest($fn,$newpath,$uname);
  if (! -d "$newpath") {   if (! -d "$newpath") {
     $request->print('<p><span class="LC_warning">'      $request->print('<p><span class="LC_warning">'
                            .&mt("You have requested to create file in directory [_1] which doesn't exist. The requested directory path has been removed from the requested file name."                             .&mt("You have requested to create file in directory [_1] which doesn't exist. The requested directory path has been removed from the requested file name."
Line 384  sub cleanDest { Line 385  sub cleanDest {
                         .'</span></p>'                          .'</span></p>'
         );          );
     }      }
     return $dest;      return ($dest,$error);
 }  }
   
 sub relativeDest {  sub relativeDest {
     my ($fn,$newfilename,$uname)=@_;      my ($fn,$newfilename,$uname)=@_;
       my $error = '';
     if ($newfilename=~/^\//) {      if ($newfilename=~/^\//) {
 # absolute, simply add path  # absolute, simply add path
  $newfilename='/home/'.$uname.'/public_html/';   $newfilename='/home/'.$uname.'/public_html/';
Line 401  sub relativeDest { Line 403  sub relativeDest {
     while ($newfilename=~m:/\.\./:) {      while ($newfilename=~m:/\.\./:) {
  $newfilename=~ s:/[^/]+/\.\./:/:g; #remove dir/..   $newfilename=~ s:/[^/]+/\.\./:/:g; #remove dir/..
     }      }
     return $newfilename;      if ($newfilename =~ m{^/home/($match_username)/(?:public\_html|priv)/}) {
           my $otheruname = $1;
           unless ($otheruname eq $uname) {
               my ($authorname,$authordom)=
                   &Apache::loncacc::constructaccess($newfilename,$env{'request.role.domain'});
               unless (($authorname eq $otheruname) && ($authordom ne '')) {
                   my $otherdir = &display($newfilename);
                   $error = &mt('Access denied to [_1]',$otherdir);
               }
           }
       }
       return ($newfilename,$error);
 }  }
   
 =pod  =pod
Line 936  sub phaseone { Line 949  sub phaseone {
       
     my $doingdir=0;      my $doingdir=0;
     if ($env{'form.action'} eq 'newdir') { $doingdir=1; }      if ($env{'form.action'} eq 'newdir') { $doingdir=1; }
     my $newfilename=&cleanDest($r,$env{'form.newfilename'},$doingdir,$fn,$uname);      my ($newfilename,$error) = 
     $newfilename=&relativeDest($fn,$newfilename,$uname);          &cleanDest($r,$env{'form.newfilename'},$doingdir,$fn,$uname);
       unless ($error) {
           ($newfilename,$error)=&relativeDest($fn,$newfilename,$uname);
       }
       if ($error) {
           my $dirlist;
           if ($fn=~m{^(.*/)[^/]+$}) {
               $dirlist=$1;
           } else {
               $dirlist=$fn; 
           }
           $r->print('<div class="LC_error">'.$error.'</div>'.
                     '<h3><a href="'.&url($dirlist).'">'.&mt('Return to Directory').
                     '</a></h3>');
           return;
       }
     $r->print('<form action="/adm/cfile" method="post">'.      $r->print('<form action="/adm/cfile" method="post">'.
       '<input type="hidden" name="qualifiedfilename" value="'.$fn.'" />'.        '<input type="hidden" name="qualifiedfilename" value="'.$fn.'" />'.
       '<input type="hidden" name="phase" value="two" />'.        '<input type="hidden" name="phase" value="two" />'.

Removed from v.1.105  
changed lines
  Added in v.1.106


FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>