--- loncom/publisher/lonupload.pm	2013/06/04 22:20:16	1.62
+++ loncom/publisher/lonupload.pm	2019/03/06 03:39:54	1.70
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Handler to upload files into construction space
 #
-# $Id: lonupload.pm,v 1.62 2013/06/04 22:20:16 raeburn Exp $
+# $Id: lonupload.pm,v 1.70 2019/03/06 03:39:54 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -130,7 +130,7 @@ use Apache::lonnet;
 use HTML::Entities();
 use Apache::lonlocal;
 use Apache::lonnet;
-use LONCAPA();
+use LONCAPA qw(:DEFAULT :match);
 
 my $DEBUG=0;
 
@@ -150,8 +150,12 @@ sub upfile_store {
     
     chomp($env{'form.upfile'});
   
-    my $datatoken=$env{'user.name'}.'_'.$env{'user.domain'}.
-		  '_upload_'.$fname.'_'.time.'_'.$$;
+    my $datatoken;
+    if (($env{'user.name'} =~ /^$match_username$/) && ($env{'user.domain'} =~ /^$match_domain$/)) {
+        $datatoken=$env{'user.name'}.'_'.$env{'user.domain'}.
+                   '_upload_'.$fname.'_'.time.'_'.$$;
+    }
+    return if ($datatoken eq '');
     {
        my $fh=Apache::File->new('>'.$r->dir_config('lonDaemons').
                                    '/tmp/'.$datatoken.'.tmp');
@@ -161,7 +165,7 @@ sub upfile_store {
 }
 
 sub phaseone {
-    my ($r,$fn,$mode)=@_;
+    my ($r,$fn,$mode,$uname,$udom)=@_;
     my $action = '/adm/upload';
     if ($mode eq 'testbank') {
         $action = '/adm/testbank';
@@ -172,8 +176,10 @@ sub phaseone {
     # Check for file to be uploaded
     $env{'form.upfile.filename'}=~s/\\/\//g;
     $env{'form.upfile.filename'}=~s/^.*\/([^\/]+)$/$1/;
+    $env{'form.upfile.filename'}=~s/(\s+$|^\s+)//g;
     if (!$env{'form.upfile.filename'}) {
-        $r->print('<p class="LC_warning">'.&mt('No upload file specified.').'</p>');
+        $r->print('<p class="LC_warning">'.&mt('No upload file specified.').'</p>'.
+                  &earlyout($fn,$uname,$udom));
         return;
     }
 
@@ -187,8 +193,36 @@ sub phaseone {
         $r->print('<p class="LC_warning">'.&mt('Illegal filename.').'</p>');
         return;
     }
+    # Check if quota exceeded
+    my $filesize = length($env{'form.upfile'});
+    if (!$filesize) {
+        $r->print('<p class="LC_warning">'.
+                  &mt('Unable to upload [_1]. (size = [_2] bytes)',
+                      '<span class="LC_filename">'.$env{'form.upfile.filename'}.'</span>',
+                      $filesize).'<br />'.
+                  &mt('Either the file you attempted to upload was empty, or your web browser was unable to read its contents.').'<br />'.
+                  '</p>'.
+                  &earlyout($fn,$uname,$udom));
+        return;
+    }
+    $filesize = int($filesize/1000); #expressed in kb
+    my $output = &Apache::loncommon::excess_filesize_warning($uname,$udom,'author',
+                                                             $env{'form.upfile.filename'},$filesize,'upload');
+    if ($output) {
+        $r->print($output.&earlyout($fn,$uname,$udom));
+        return;
+    }
+
 # Split part that I can change from the part that I cannot change
     my ($fn1,$fn2)=($fn=~/^(\/priv\/[^\/]+\/[^\/]+\/)(.*)$/);
+# Check for pattern: .number.extension which is reserved for LON-CAPA versioning. 
+# Check for disallowed characters: #?&%:<>`|, and remove
+    if ($fn2 ne '') {
+        ($fn2,my $warning) = &check_filename($fn2);
+        if ($warning ne '') {
+            $r->print($warning);
+        }
+    }
     # Display additional options for upload
     # and upload button
     $r->print(
@@ -256,9 +290,12 @@ sub phasetwo {
 	my $base = &File::Basename::basename($fn);
 	my $path = &File::Basename::dirname($fn);
 	$base    = &HTML::Entities::encode($base,'<>&"');
-	my $url  = $path."/".$base; 
+	my $url  = $path."/".$base;
 	&Debug($r, "URL is now ".$url);
-	my $datatoken=$env{'form.datatoken'};
+	my $datatoken;
+        if ($env{'form.datatoken'} =~ /^$match_username\_$match_domain\_upload_\w*_\d+_\d+$/) {
+            $datatoken = $env{'form.datatoken'};
+        }
 	if (($fn) && ($datatoken)) {
             if ($env{'form.cancel'}) {
                 my $source=$r->dir_config('lonDaemons').'/tmp/'.$datatoken.'.tmp';
@@ -372,7 +409,7 @@ sub check_extension {
                         if ($pathchg) {
                             if ($mode eq 'testbank') {
                                 $returnflag = 'embedded';
-                                $result .=  '<p>'.&mt('Or [_1]continue[_2] the testbank import without modifying the references(s).','<a href="javascript:document.testbankForm.submit();">','</a>').'</p>';
+                                $result .=  '<p>'.&mt('Or [_1]continue[_2] the testbank import without modifying the reference(s).','<a href="javascript:document.testbankForm.submit();">','</a>').'</p>';
                             }
                         }
                     }
@@ -393,6 +430,47 @@ sub check_extension {
     return ($result,$returnflag);
 }
 
+sub check_filename {
+    my ($fname) = @_;
+    my $warning;
+    if ($fname =~/[#\?&%":<>`|]/) {
+        $fname =~s/[#\?&%":<>`|]//g;
+        $warning .= '<p class="LC_warning">'
+                   .&mt('Removed one or more disallowed characters from filename')
+                   .'</p>';
+    }
+    if ($fname=~ /\.(\d+)\.(\w+)$/) {
+        my $num = $1;
+        $warning .= '<p class="LC_warning">'
+                   .&mt('Bad filename [_1]','<span class="LC_filename">'.$fname.'</span>')
+                   .'<br />'
+                   .&mt('[_1](name).(number).(extension)[_2] not allowed.','<tt>','</tt>')
+                   .'<br />'
+                   .&mt('Replacing the [_1].number.[_2] with [_1]_letter.[_2] in requested filename.','<tt>','</tt>')
+                   .'</p>';
+        if ($num eq '0') {
+            $fname =~ s/\.(\d+)(\.\w+)$/_A$2/;
+        } else {
+            my $letts = '';
+            my %digletter = reverse &Apache::lonnet::letter_to_digits();
+            if ($num >= 100) {
+                $num = substr($num,-2);
+            }
+            foreach my $digit (split('',$num)) {
+                $letts .= $digletter{$digit};
+            }
+            $fname =~ s/\.(\d+)(\.\w+)$/_$letts$2/;
+        }
+    }
+    if ($fname =~/___/) {
+        $fname =~s/_+/_/g;
+        $warning .= '<p class="LC_warning">'
+                    .&mt('Changed ___ to a single _ in filename')
+                    .'</p>';
+    }
+    return ($fname,$warning);
+}
+
 sub phasethree {
     my ($r,$fn,$uname,$udom,$mode) = @_;
 
@@ -406,6 +484,8 @@ sub phasethree {
     my $dir_root = $r->dir_config('lonDocRoot').$url_root;
     my $path = &File::Basename::dirname($fn);
     $path =~ s{^\Q$url_root\E}{};
+    my $dirpath = $url_root.$path.'/';
+    $dirpath=~s{/+}{/}g;
     my $filename = &HTML::Entities::encode($env{'form.filename'},'<>&"');
     my $state = &embedded_form_elems('modify_orightml',$filename,$mode).
                 '<input type="hidden" name="phase" value="four" />';
@@ -416,7 +496,7 @@ sub phasethree {
     if ($mode ne 'imsimport' && $mode ne 'testbank') {
         $result .= '<br /><h3><a href="'.$fn.'">'.
                   &mt('View main file').'</a></h3>'.
-                  '<h3><a href="'.$url_root.$path.'">'.
+                  '<h3><a href="'.$dirpath.'">'.
                   &mt('Back to Directory').'</a></h3><br />';
     }
     return ($result,$returnflag);
@@ -445,29 +525,56 @@ sub phasefour {
     my $dir_root = $r->dir_config('lonDocRoot').$url_root;
     my $path = &File::Basename::dirname($fn);
     $path =~ s{^\Q$url_root\E}{};
+    my $dirpath = $url_root.$path.'/';
+    $dirpath=~s{/+}{/}g;
     my $outcome = 
         &Apache::loncommon::modify_html_refs($mode,$path,$uname,$udom,$dir_root);
     $result .= $outcome;
     if ($mode ne 'imsimport' && $mode ne 'testbank') {
         $result .= '<br /><h3><a href="'.$fn.'">'.
                   &mt('View main file').'</a></h3>'.
-                  '<h3><a href="'.$url_root.$path.'">'.
+                  '<h3><a href="'.$dirpath.'">'.
                   &mt('Back to Directory').'</a></h3><br />';
     }
     return $result;
 }
 
+sub earlyout {
+    my ($fn,$uname,$udom) = @_;
+    if ($fn =~ m{^(/priv/$udom/$uname(?:.*)/)[^/]*}) {
+        return &Apache::lonhtmlcommon::actionbox(
+               ['<a href="'.$1.'">'.&mt('Return to Directory').'</a>']);
+    }
+    return;
+}
+
 # ---------------------------------------------------------------- Main Handler
 sub handler {
 
     my $r=shift;
     my $javascript = '';
-    my $fn=$env{'form.filename'};
+    my $fn;
+    my $warning;
 
     if ($env{'form.filename1'}) {
-       $fn=$env{'form.filename1'}.$env{'form.filename2'};
+        my $fn1 = $env{'form.filename1'};
+        my $fn2 = $env{'form.filename2'};
+        $fn2 =~ s/(\s+$|^\s+)//g;
+        $fn2 =~ s/\/+/\//g;
+        ($fn2,$warning) = &check_filename($fn2);
+        $fn = $fn1.$fn2;
+    } else {
+        $fn = $env{'form.filename'};
     }
     $fn=~s/\/+/\//g;
+    if ($fn =~ m{/\.\./}) {
+        $warning .= '<p class="LC_warning">'
+                   .&mt('Path modified as a result of one or more instances of /../')
+                   .'</p>';
+        while ($fn =~ m{/\.\./}) {
+            $fn =~ s{/[^/]+/\.\./}{/}g;
+        }
+    }
 
     unless ($fn) {
         $r->log_reason($env{'user.name'}.' at '.$env{'user.domain'}.
@@ -478,8 +585,8 @@ sub handler {
     my ($uname,$udom)=&Apache::lonnet::constructaccess($fn);
 
     unless (($uname) && ($udom)) {
-        $r->log_reason($uname.' at '.$udom.
-                       ' trying to publish file '.$env{'form.filename'}.
+        $r->log_reason($env{'user.name'}.' at '.$env{'user.domain'}.
+                       ' trying to upload file '.$fn.
                        ' - not authorized',
                        $r->filename);
         return HTTP_NOT_ACCEPTABLE;
@@ -534,6 +641,9 @@ ENDJS
                  .'</p>'
         );
     }
+    if ($warning) {
+        $r->print($warning);
+    }
     if ($env{'form.phase'} eq 'four') {
         my $output = &phasefour($r,$fn,$uname,$udom,'author');
         $r->print($output);
@@ -544,11 +654,11 @@ ENDJS
 	my ($output,$returnflag) = &phasetwo($r,$fn);
         $r->print($output);
     } else {
-	&phaseone($r,$fn);
+	&phaseone($r,$fn,undef,$uname,$udom);
     }
 
     $r->print(&Apache::loncommon::end_page());
-    return OK;  
+    return OK;
 }
 
 1;