--- loncom/publisher/lonupload.pm	2011/10/31 01:28:47	1.56
+++ loncom/publisher/lonupload.pm	2019/03/06 03:39:54	1.70
@@ -1,8 +1,7 @@
-
 # The LearningOnline Network with CAPA
 # Handler to upload files into construction space
 #
-# $Id: lonupload.pm,v 1.56 2011/10/31 01:28:47 raeburn Exp $
+# $Id: lonupload.pm,v 1.70 2019/03/06 03:39:54 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -126,13 +125,12 @@ use Apache::File;
 use File::Copy;
 use File::Basename;
 use Apache::Constants qw(:common :http :methods);
-use Apache::loncacc;
 use Apache::loncommon();
 use Apache::lonnet;
 use HTML::Entities();
 use Apache::lonlocal;
 use Apache::lonnet;
-use LONCAPA();
+use LONCAPA qw(:DEFAULT :match);
 
 my $DEBUG=0;
 
@@ -152,8 +150,12 @@ sub upfile_store {
     
     chomp($env{'form.upfile'});
   
-    my $datatoken=$env{'user.name'}.'_'.$env{'user.domain'}.
-		  '_upload_'.$fname.'_'.time.'_'.$$;
+    my $datatoken;
+    if (($env{'user.name'} =~ /^$match_username$/) && ($env{'user.domain'} =~ /^$match_domain$/)) {
+        $datatoken=$env{'user.name'}.'_'.$env{'user.domain'}.
+                   '_upload_'.$fname.'_'.time.'_'.$$;
+    }
+    return if ($datatoken eq '');
     {
        my $fh=Apache::File->new('>'.$r->dir_config('lonDaemons').
                                    '/tmp/'.$datatoken.'.tmp');
@@ -163,7 +165,7 @@ sub upfile_store {
 }
 
 sub phaseone {
-    my ($r,$fn,$uname,$udom,$mode)=@_;
+    my ($r,$fn,$mode,$uname,$udom)=@_;
     my $action = '/adm/upload';
     if ($mode eq 'testbank') {
         $action = '/adm/testbank';
@@ -174,8 +176,10 @@ sub phaseone {
     # Check for file to be uploaded
     $env{'form.upfile.filename'}=~s/\\/\//g;
     $env{'form.upfile.filename'}=~s/^.*\/([^\/]+)$/$1/;
+    $env{'form.upfile.filename'}=~s/(\s+$|^\s+)//g;
     if (!$env{'form.upfile.filename'}) {
-        $r->print('<p class="LC_warning">'.&mt('No upload file specified.').'</p>');
+        $r->print('<p class="LC_warning">'.&mt('No upload file specified.').'</p>'.
+                  &earlyout($fn,$uname,$udom));
         return;
     }
 
@@ -189,8 +193,36 @@ sub phaseone {
         $r->print('<p class="LC_warning">'.&mt('Illegal filename.').'</p>');
         return;
     }
+    # Check if quota exceeded
+    my $filesize = length($env{'form.upfile'});
+    if (!$filesize) {
+        $r->print('<p class="LC_warning">'.
+                  &mt('Unable to upload [_1]. (size = [_2] bytes)',
+                      '<span class="LC_filename">'.$env{'form.upfile.filename'}.'</span>',
+                      $filesize).'<br />'.
+                  &mt('Either the file you attempted to upload was empty, or your web browser was unable to read its contents.').'<br />'.
+                  '</p>'.
+                  &earlyout($fn,$uname,$udom));
+        return;
+    }
+    $filesize = int($filesize/1000); #expressed in kb
+    my $output = &Apache::loncommon::excess_filesize_warning($uname,$udom,'author',
+                                                             $env{'form.upfile.filename'},$filesize,'upload');
+    if ($output) {
+        $r->print($output.&earlyout($fn,$uname,$udom));
+        return;
+    }
+
 # Split part that I can change from the part that I cannot change
     my ($fn1,$fn2)=($fn=~/^(\/priv\/[^\/]+\/[^\/]+\/)(.*)$/);
+# Check for pattern: .number.extension which is reserved for LON-CAPA versioning. 
+# Check for disallowed characters: #?&%:<>`|, and remove
+    if ($fn2 ne '') {
+        ($fn2,my $warning) = &check_filename($fn2);
+        if ($warning ne '') {
+            $r->print($warning);
+        }
+    }
     # Display additional options for upload
     # and upload button
     $r->print(
@@ -240,7 +272,7 @@ sub phaseone {
 }
 
 sub phasetwo {
-    my ($r,$fn,$uname,$udom,$mode)=@_;
+    my ($r,$fn,$mode)=@_;
 
     my $output;
     my $action = '/adm/upload';
@@ -252,15 +284,18 @@ sub phasetwo {
     }
     $fn=~s/\/+/\//g;
     if ($fn) {
-	my $target='/home/httpd/html/'.$fn;
+	my $target= $r->dir_config('lonDocRoot').'/'.$fn;
 	&Debug($r, "target -> ".$target);
 #     target is the full filesystem path of the destination file.
 	my $base = &File::Basename::basename($fn);
 	my $path = &File::Basename::dirname($fn);
 	$base    = &HTML::Entities::encode($base,'<>&"');
-	my $url  = $path."/".$base; 
+	my $url  = $path."/".$base;
 	&Debug($r, "URL is now ".$url);
-	my $datatoken=$env{'form.datatoken'};
+	my $datatoken;
+        if ($env{'form.datatoken'} =~ /^$match_username\_$match_domain\_upload_\w*_\d+_\d+$/) {
+            $datatoken = $env{'form.datatoken'};
+        }
 	if (($fn) && ($datatoken)) {
             if ($env{'form.cancel'}) {
                 my $source=$r->dir_config('lonDaemons').'/tmp/'.$datatoken.'.tmp';
@@ -374,7 +409,7 @@ sub check_extension {
                         if ($pathchg) {
                             if ($mode eq 'testbank') {
                                 $returnflag = 'embedded';
-                                $result .=  '<p>'.&mt('Or [_1]continue[_2] the testbank import without modifying the references(s).','<a href="javascript:document.testbankForm.submit();">','</a>').'</p>';
+                                $result .=  '<p>'.&mt('Or [_1]continue[_2] the testbank import without modifying the reference(s).','<a href="javascript:document.testbankForm.submit();">','</a>').'</p>';
                             }
                         }
                     }
@@ -395,6 +430,47 @@ sub check_extension {
     return ($result,$returnflag);
 }
 
+sub check_filename {
+    my ($fname) = @_;
+    my $warning;
+    if ($fname =~/[#\?&%":<>`|]/) {
+        $fname =~s/[#\?&%":<>`|]//g;
+        $warning .= '<p class="LC_warning">'
+                   .&mt('Removed one or more disallowed characters from filename')
+                   .'</p>';
+    }
+    if ($fname=~ /\.(\d+)\.(\w+)$/) {
+        my $num = $1;
+        $warning .= '<p class="LC_warning">'
+                   .&mt('Bad filename [_1]','<span class="LC_filename">'.$fname.'</span>')
+                   .'<br />'
+                   .&mt('[_1](name).(number).(extension)[_2] not allowed.','<tt>','</tt>')
+                   .'<br />'
+                   .&mt('Replacing the [_1].number.[_2] with [_1]_letter.[_2] in requested filename.','<tt>','</tt>')
+                   .'</p>';
+        if ($num eq '0') {
+            $fname =~ s/\.(\d+)(\.\w+)$/_A$2/;
+        } else {
+            my $letts = '';
+            my %digletter = reverse &Apache::lonnet::letter_to_digits();
+            if ($num >= 100) {
+                $num = substr($num,-2);
+            }
+            foreach my $digit (split('',$num)) {
+                $letts .= $digletter{$digit};
+            }
+            $fname =~ s/\.(\d+)(\.\w+)$/_$letts$2/;
+        }
+    }
+    if ($fname =~/___/) {
+        $fname =~s/_+/_/g;
+        $warning .= '<p class="LC_warning">'
+                    .&mt('Changed ___ to a single _ in filename')
+                    .'</p>';
+    }
+    return ($fname,$warning);
+}
+
 sub phasethree {
     my ($r,$fn,$uname,$udom,$mode) = @_;
 
@@ -406,8 +482,10 @@ sub phasethree {
     }
     my $url_root = "/priv/$udom/$uname";
     my $dir_root = $r->dir_config('lonDocRoot').$url_root;
-    my $url_root = '/priv/'.$udom.'/'.$uname;
     my $path = &File::Basename::dirname($fn);
+    $path =~ s{^\Q$url_root\E}{};
+    my $dirpath = $url_root.$path.'/';
+    $dirpath=~s{/+}{/}g;
     my $filename = &HTML::Entities::encode($env{'form.filename'},'<>&"');
     my $state = &embedded_form_elems('modify_orightml',$filename,$mode).
                 '<input type="hidden" name="phase" value="four" />';
@@ -416,9 +494,9 @@ sub phasethree {
                                             $dir_root,$url_root,undef,
                                             undef,undef,$state,$action);
     if ($mode ne 'imsimport' && $mode ne 'testbank') {
-        $result .= '<br /><h3><a href="'.$url_root.$fn.'">'.
+        $result .= '<br /><h3><a href="'.$fn.'">'.
                   &mt('View main file').'</a></h3>'.
-                  '<h3><a href="'.$url_root.$path.'">'.
+                  '<h3><a href="'.$dirpath.'">'.
                   &mt('Back to Directory').'</a></h3><br />';
     }
     return ($result,$returnflag);
@@ -446,32 +524,57 @@ sub phasefour {
     my $url_root = "/priv/$udom/$uname";
     my $dir_root = $r->dir_config('lonDocRoot').$url_root;
     my $path = &File::Basename::dirname($fn);
-    $result .= &Apache::loncommon::modify_html_refs($mode,$path,
-                              $uname,$udom,$dir_root);
+    $path =~ s{^\Q$url_root\E}{};
+    my $dirpath = $url_root.$path.'/';
+    $dirpath=~s{/+}{/}g;
+    my $outcome = 
+        &Apache::loncommon::modify_html_refs($mode,$path,$uname,$udom,$dir_root);
+    $result .= $outcome;
     if ($mode ne 'imsimport' && $mode ne 'testbank') {
-        $result .= '<br /><h3><a href="'.$url_root.$fn.'">'.
+        $result .= '<br /><h3><a href="'.$fn.'">'.
                   &mt('View main file').'</a></h3>'.
-                  '<h3><a href="'.$url_root.$path.'">'.
+                  '<h3><a href="'.$dirpath.'">'.
                   &mt('Back to Directory').'</a></h3><br />';
     }
     return $result;
 }
 
+sub earlyout {
+    my ($fn,$uname,$udom) = @_;
+    if ($fn =~ m{^(/priv/$udom/$uname(?:.*)/)[^/]*}) {
+        return &Apache::lonhtmlcommon::actionbox(
+               ['<a href="'.$1.'">'.&mt('Return to Directory').'</a>']);
+    }
+    return;
+}
+
 # ---------------------------------------------------------------- Main Handler
 sub handler {
 
     my $r=shift;
-
-    my $uname;
-    my $udom;
     my $javascript = '';
-
-    my $fn=$env{'form.filename'};
+    my $fn;
+    my $warning;
 
     if ($env{'form.filename1'}) {
-       $fn=$env{'form.filename1'}.$env{'form.filename2'};
+        my $fn1 = $env{'form.filename1'};
+        my $fn2 = $env{'form.filename2'};
+        $fn2 =~ s/(\s+$|^\s+)//g;
+        $fn2 =~ s/\/+/\//g;
+        ($fn2,$warning) = &check_filename($fn2);
+        $fn = $fn1.$fn2;
+    } else {
+        $fn = $env{'form.filename'};
     }
     $fn=~s/\/+/\//g;
+    if ($fn =~ m{/\.\./}) {
+        $warning .= '<p class="LC_warning">'
+                   .&mt('Path modified as a result of one or more instances of /../')
+                   .'</p>';
+        while ($fn =~ m{/\.\./}) {
+            $fn =~ s{/[^/]+/\.\./}{/}g;
+        }
+    }
 
     unless ($fn) {
         $r->log_reason($env{'user.name'}.' at '.$env{'user.domain'}.
@@ -479,8 +582,25 @@ sub handler {
         return HTTP_NOT_FOUND;
     }
 
+    my ($uname,$udom)=&Apache::lonnet::constructaccess($fn);
+
+    unless (($uname) && ($udom)) {
+        $r->log_reason($env{'user.name'}.' at '.$env{'user.domain'}.
+                       ' trying to upload file '.$fn.
+                       ' - not authorized',
+                       $r->filename);
+        return HTTP_NOT_ACCEPTABLE;
+    }
+
+# ----------------------------------------------------------- Start page output
+
+    &Apache::loncommon::content_type($r,'text/html');
+    $r->send_http_header;
+
     unless ($env{'form.phase'} eq 'two') {
-        $javascript = qq|
+        $javascript = <<"ENDJS";
+<script type="text/javascript">
+// <![CDATA[
 function verifyForm() {
     var mode = document.fileupload.filetype.options[document.fileupload.filetype.selectedIndex].value
     if (mode == "testbank") {
@@ -494,37 +614,25 @@ function verifyForm() {
     }
     document.fileupload.submit();
 }
-	|;
-    }
-    ($uname,$udom)=&Apache::loncacc::constructaccess($fn);
-
-    unless (($uname) && ($udom)) {
-	$r->log_reason($uname.' at '.$udom.
-		       ' trying to publish file '.$env{'form.filename'}.
-		       ' - not authorized', 
-		       $r->filename); 
-	return HTTP_NOT_ACCEPTABLE;
+// ]]>
+</script>
+ENDJS
     }
-    
-# ----------------------------------------------------------- Start page output
 
-
-    &Apache::loncommon::content_type($r,'text/html');
-    $r->send_http_header;
-
-   $javascript = "<script type=\"text/javascript\">\n//<!--\n".
-	$javascript."\n// --></script>\n";
+    my $londocroot = $r->dir_config('lonDocRoot');
+    my $trailfile = $fn;
+    $trailfile =~ s{^/(priv/)}{$londocroot/$1};
 
     # Breadcrumbs
-    my $brcrum = [{'href' => &Apache::loncommon::authorspace(),
-                   'text' => 'Construction Space'},
+    my $brcrum = [{'href' => &Apache::loncommon::authorspace($fn),
+                   'text' => 'Authoring Space'},
                   {'href' => '/adm/upload',
-                   'text' => 'Upload file to Construction Space'}];
-    $r->print(&Apache::loncommon::start_page('Upload file to Construction Space',
+                   'text' => 'Upload file to Authoring Space'}];
+    $r->print(&Apache::loncommon::start_page('Upload file to Authoring Space',
                                              $javascript,
                                              {'bread_crumbs' => $brcrum,})
              .&Apache::loncommon::head_subbox(
-                &Apache::loncommon::CSTR_pageheader())
+                &Apache::loncommon::CSTR_pageheader($trailfile))
     );
   
     if (($uname ne $env{'user.name'}) || ($udom ne $env{'user.domain'})) {
@@ -533,6 +641,9 @@ function verifyForm() {
                  .'</p>'
         );
     }
+    if ($warning) {
+        $r->print($warning);
+    }
     if ($env{'form.phase'} eq 'four') {
         my $output = &phasefour($r,$fn,$uname,$udom,'author');
         $r->print($output);
@@ -540,14 +651,14 @@ function verifyForm() {
         my ($output,$rtnflag) = &phasethree($r,$fn,$uname,$udom,'author');
         $r->print($output);
     } elsif ($env{'form.phase'} eq 'two') {
-	my ($output,$returnflag) = &phasetwo($r,$fn,$uname,$udom);
+	my ($output,$returnflag) = &phasetwo($r,$fn);
         $r->print($output);
     } else {
-	&phaseone($r,$fn,$uname,$udom);
+	&phaseone($r,$fn,undef,$uname,$udom);
     }
 
     $r->print(&Apache::loncommon::end_page());
-    return OK;  
+    return OK;
 }
 
 1;