--- loncom/publisher/lonupload.pm 2010/12/26 03:09:11 1.53 +++ loncom/publisher/lonupload.pm 2019/03/06 03:39:54 1.70 @@ -1,8 +1,7 @@ - # The LearningOnline Network with CAPA # Handler to upload files into construction space # -# $Id: lonupload.pm,v 1.53 2010/12/26 03:09:11 raeburn Exp $ +# $Id: lonupload.pm,v 1.70 2019/03/06 03:39:54 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -126,13 +125,12 @@ use Apache::File; use File::Copy; use File::Basename; use Apache::Constants qw(:common :http :methods); -use Apache::loncacc; use Apache::loncommon(); use Apache::lonnet; use HTML::Entities(); use Apache::lonlocal; use Apache::lonnet; -use LONCAPA(); +use LONCAPA qw(:DEFAULT :match); my $DEBUG=0; @@ -152,8 +150,12 @@ sub upfile_store { chomp($env{'form.upfile'}); - my $datatoken=$env{'user.name'}.'_'.$env{'user.domain'}. - '_upload_'.$fname.'_'.time.'_'.$$; + my $datatoken; + if (($env{'user.name'} =~ /^$match_username$/) && ($env{'user.domain'} =~ /^$match_domain$/)) { + $datatoken=$env{'user.name'}.'_'.$env{'user.domain'}. + '_upload_'.$fname.'_'.time.'_'.$$; + } + return if ($datatoken eq ''); { my $fh=Apache::File->new('>'.$r->dir_config('lonDaemons'). '/tmp/'.$datatoken.'.tmp'); @@ -163,7 +165,7 @@ sub upfile_store { } sub phaseone { - my ($r,$fn,$uname,$udom,$mode)=@_; + my ($r,$fn,$mode,$uname,$udom)=@_; my $action = '/adm/upload'; if ($mode eq 'testbank') { $action = '/adm/testbank'; @@ -174,17 +176,16 @@ sub phaseone { # Check for file to be uploaded $env{'form.upfile.filename'}=~s/\\/\//g; $env{'form.upfile.filename'}=~s/^.*\/([^\/]+)$/$1/; + $env{'form.upfile.filename'}=~s/(\s+$|^\s+)//g; if (!$env{'form.upfile.filename'}) { - $r->print('

'.&mt('No upload file specified.').'

'); + $r->print('

'.&mt('No upload file specified.').'

'. + &earlyout($fn,$uname,$udom)); return; } - $fn=~s/\/[^\/]+$//; - $fn=~s/([^\/])$/$1\//; + # Append the name of the uploaded file $fn.=$env{'form.upfile.filename'}; - $fn=~s/^\///; $fn=~s/(\/)+/\//g; - # Fn is the full path to the destination filename. # Check for illegal filename &Debug($r, "Filename for upload: $fn"); @@ -192,20 +193,49 @@ sub phaseone { $r->print('

'.&mt('Illegal filename.').'

'); return; } + # Check if quota exceeded + my $filesize = length($env{'form.upfile'}); + if (!$filesize) { + $r->print('

'. + &mt('Unable to upload [_1]. (size = [_2] bytes)', + ''.$env{'form.upfile.filename'}.'', + $filesize).'
'. + &mt('Either the file you attempted to upload was empty, or your web browser was unable to read its contents.').'
'. + '

'. + &earlyout($fn,$uname,$udom)); + return; + } + $filesize = int($filesize/1000); #expressed in kb + my $output = &Apache::loncommon::excess_filesize_warning($uname,$udom,'author', + $env{'form.upfile.filename'},$filesize,'upload'); + if ($output) { + $r->print($output.&earlyout($fn,$uname,$udom)); + return; + } +# Split part that I can change from the part that I cannot change + my ($fn1,$fn2)=($fn=~/^(\/priv\/[^\/]+\/[^\/]+\/)(.*)$/); +# Check for pattern: .number.extension which is reserved for LON-CAPA versioning. +# Check for disallowed characters: #?&%:<>`|, and remove + if ($fn2 ne '') { + ($fn2,my $warning) = &check_filename($fn2); + if ($warning ne '') { + $r->print($warning); + } + } # Display additional options for upload # and upload button $r->print( '
' .'' .'' - .'' ); $r->print( &Apache::lonhtmlcommon::start_pick_box() .&Apache::lonhtmlcommon::row_title(&mt('Save uploaded file as')) - .'/priv/'.$uname.'/' - .'' + .''.$fn1.'' + .'' + .'' .&Apache::lonhtmlcommon::row_closure() .&Apache::lonhtmlcommon::row_title(&mt('File Type')) .''; @@ -418,9 +494,9 @@ sub phasethree { $dir_root,$url_root,undef, undef,undef,$state,$action); if ($mode ne 'imsimport' && $mode ne 'testbank') { - $result .= '

'. + $result .= '

'. &mt('View main file').'

'. - '

'. + '

'. &mt('Back to Directory').'


'; } return ($result,$returnflag); @@ -437,6 +513,7 @@ STATE sub phasefour { my ($r,$fn,$uname,$udom,$mode) = @_; + my $action = '/adm/upload'; if ($mode eq 'testbank') { $action = '/adm/testbank'; @@ -444,38 +521,86 @@ sub phasefour { $action = '/adm/imsimport'; } my $result; - my $dir_root = '/home/'.$uname.'/public_html'; - my $url_root = '/priv/'.$uname; + my $url_root = "/priv/$udom/$uname"; + my $dir_root = $r->dir_config('lonDocRoot').$url_root; my $path = &File::Basename::dirname($fn); - $result .= &Apache::loncommon::modify_html_refs($mode,$path, - $uname,$udom,$dir_root); + $path =~ s{^\Q$url_root\E}{}; + my $dirpath = $url_root.$path.'/'; + $dirpath=~s{/+}{/}g; + my $outcome = + &Apache::loncommon::modify_html_refs($mode,$path,$uname,$udom,$dir_root); + $result .= $outcome; if ($mode ne 'imsimport' && $mode ne 'testbank') { - $result .= '

'. + $result .= '

'. &mt('View main file').'

'. - '

'. + '

'. &mt('Back to Directory').'


'; } return $result; } +sub earlyout { + my ($fn,$uname,$udom) = @_; + if ($fn =~ m{^(/priv/$udom/$uname(?:.*)/)[^/]*}) { + return &Apache::lonhtmlcommon::actionbox( + [''.&mt('Return to Directory').'']); + } + return; +} + # ---------------------------------------------------------------- Main Handler sub handler { my $r=shift; - - my $uname; - my $udom; my $javascript = ''; -# -# phase two: re-attach user -# - if ($env{'form.uploaduname'}) { - $env{'form.filename'}='/priv/'.$env{'form.uploaduname'}.'/'. - $env{'form.filename'}; + my $fn; + my $warning; + + if ($env{'form.filename1'}) { + my $fn1 = $env{'form.filename1'}; + my $fn2 = $env{'form.filename2'}; + $fn2 =~ s/(\s+$|^\s+)//g; + $fn2 =~ s/\/+/\//g; + ($fn2,$warning) = &check_filename($fn2); + $fn = $fn1.$fn2; + } else { + $fn = $env{'form.filename'}; } + $fn=~s/\/+/\//g; + if ($fn =~ m{/\.\./}) { + $warning .= '

' + .&mt('Path modified as a result of one or more instances of /../') + .'

'; + while ($fn =~ m{/\.\./}) { + $fn =~ s{/[^/]+/\.\./}{/}g; + } + } + + unless ($fn) { + $r->log_reason($env{'user.name'}.' at '.$env{'user.domain'}. + ' unspecified filename for upload', $r->filename); + return HTTP_NOT_FOUND; + } + + my ($uname,$udom)=&Apache::lonnet::constructaccess($fn); + + unless (($uname) && ($udom)) { + $r->log_reason($env{'user.name'}.' at '.$env{'user.domain'}. + ' trying to upload file '.$fn. + ' - not authorized', + $r->filename); + return HTTP_NOT_ACCEPTABLE; + } + +# ----------------------------------------------------------- Start page output + + &Apache::loncommon::content_type($r,'text/html'); + $r->send_http_header; unless ($env{'form.phase'} eq 'two') { - $javascript = qq| + $javascript = <<"ENDJS"; + +ENDJS } - ($uname,$udom)= - &Apache::loncacc::constructaccess($env{'form.filename'}, - $r->dir_config('lonDefDomain')); - - unless (($uname) && ($udom)) { - $r->log_reason($uname.' at '.$udom. - ' trying to publish file '.$env{'form.filename'}. - ' - not authorized', - $r->filename); - return HTTP_NOT_ACCEPTABLE; - } - - my $fn; - if ($env{'form.filename'}) { - $fn=$env{'form.filename'}; - $fn=~s/^https?\:\/\/[^\/]+\///; - $fn=~s/^\///; - $fn=~s{(~|priv/)($LONCAPA::username_re)}{}; - $fn=~s/\/+/\//g; - } else { - $r->log_reason($env{'user.name'}.' at '.$env{'user.domain'}. - ' unspecified filename for upload', $r->filename); - return HTTP_NOT_FOUND; - } - -# ----------------------------------------------------------- Start page output - - &Apache::loncommon::content_type($r,'text/html'); - $r->send_http_header; - - $javascript = "\n"; + my $londocroot = $r->dir_config('lonDocRoot'); + my $trailfile = $fn; + $trailfile =~ s{^/(priv/)}{$londocroot/$1}; # Breadcrumbs - my $brcrum = [{'href' => &Apache::loncommon::authorspace(), - 'text' => 'Construction Space'}, + my $brcrum = [{'href' => &Apache::loncommon::authorspace($fn), + 'text' => 'Authoring Space'}, {'href' => '/adm/upload', - 'text' => 'Upload file to Construction Space'}]; - $r->print(&Apache::loncommon::start_page('Upload file to Construction Space', + 'text' => 'Upload file to Authoring Space'}]; + $r->print(&Apache::loncommon::start_page('Upload file to Authoring Space', $javascript, {'bread_crumbs' => $brcrum,}) .&Apache::loncommon::head_subbox( - &Apache::loncommon::CSTR_pageheader()) + &Apache::loncommon::CSTR_pageheader($trailfile)) ); if (($uname ne $env{'user.name'}) || ($udom ne $env{'user.domain'})) { @@ -543,6 +641,9 @@ function verifyForm() { .'

' ); } + if ($warning) { + $r->print($warning); + } if ($env{'form.phase'} eq 'four') { my $output = &phasefour($r,$fn,$uname,$udom,'author'); $r->print($output); @@ -550,14 +651,14 @@ function verifyForm() { my ($output,$rtnflag) = &phasethree($r,$fn,$uname,$udom,'author'); $r->print($output); } elsif ($env{'form.phase'} eq 'two') { - my ($output,$returnflag) = &phasetwo($r,$fn,$uname,$udom); + my ($output,$returnflag) = &phasetwo($r,$fn); $r->print($output); } else { - &phaseone($r,$fn,$uname,$udom); + &phaseone($r,$fn,undef,$uname,$udom); } $r->print(&Apache::loncommon::end_page()); - return OK; + return OK; } 1;