
View Full Version : File Upload Bug in all version of Open-Realty. FIX INCLUDED



greengiant
11-07-2003, 12:19 AM
In the include/main.php look for the handleUpload function.

then around line 1126 (in 1.1.4) look for

if (is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name']))
{
$realname = strtolower($HTTP_POST_FILES['userfile']['name']);
$filename = $HTTP_POST_FILES['userfile']['tmp_name'];

change it to


if (is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name']))
{
$badchararray = array(" ","'","$","&","%");
$realname = str_replace($badchararray, "", $HTTP_POST_FILES['userfile']['name']);
$realname = stripslashes(strtolower($realname));
$filename = $HTTP_POST_FILES['userfile']['tmp_name'];
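
An allowlist version of the filename clean-up in the fix above, as an added example (not part of the original post and not Open-Realty code): instead of removing a fixed list of bad characters, it keeps only known-good ones and checks the extension. The function name sanitize_upload_name, the extension list and the sample names are assumptions, and it is written for current PHP, where $_FILES replaces $HTTP_POST_FILES.

```php
<?php
// Added example, not Open-Realty code. sanitize_upload_name() is a
// hypothetical helper; the allowed extensions are an assumption.

/**
 * Build a safe storage name from the client-supplied upload name.
 * Returns null when the name cannot be made safe.
 */
function sanitize_upload_name(string $clientName, array $allowedExt = ['jpg', 'jpeg', 'gif', 'png']): ?string
{
    // Drop any directory part for both separator styles (basename() only
    // treats "\" as a separator on Windows).
    $name = strtolower(basename(str_replace('\\', '/', $clientName)));

    // Split on the last dot so that only the final extension is checked.
    $dot = strrpos($name, '.');
    if ($dot === false || $dot === 0) {
        return null;
    }
    $stem = substr($name, 0, $dot);
    $ext  = substr($name, $dot + 1);

    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    // Keep letters, digits, "_" and "-". Everything else (spaces, quotes,
    // "$", "&", "%", extra dots, control bytes) is removed.
    $stem = preg_replace('/[^a-z0-9_-]/', '', $stem);
    if ($stem === null || $stem === '') {
        return null;
    }

    // Cap the length so the stored name stays predictable.
    return substr($stem, 0, 64) . '.' . $ext;
}

// Constructed sample names, not taken from a real upload.
$samples = [
    'My pic_2Mn.gif',
    "d'image 100%.JPG",
    'C:\\Users\\me\\Pictures\\house 1.JPG',
    'listing.photo.jpg',
    'notes.txt',
];
foreach ($samples as $s) {
    echo str_pad($s, 36), ' => ', var_export(sanitize_upload_name($s), true), "\n";
}
```

In an upload handler the result would replace $realname, with a null return treated as a rejected upload.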

Anonymous
11-13-2003, 05:44 PM
Removed the old code and pasted new code in....

Started to get a parse error!!

Is there something else I need to do?

Thanks.....

CoeWeLe
11-13-2003, 06:50 PM
I pasted the fix too, no errors here. What exactly are the 2 extra lines used for?

Me wanna learn :lol:

Anonymous
11-13-2003, 09:27 PM
Works without fix, but parsing error with new code:

what was this designed to fix?

gwmbox
11-14-2003, 08:05 AM
Have to agree with 'spin' and others it was working fine before I used the new code, new code gets error, but I just changed it back and all is working fine again - I guess it's the old rule of 'if it ain't broke don't fix it' :P

awddesign
11-14-2003, 09:41 AM
Hi

the new two lines of code:

$badchararray = array("-","'");
$realname = str_replace($badchararray, "", $HTTP_POST_FILES['userfile']['name']);

If you read the 1st line it must be if there is any bad characters in
the upload code to file, like

My pic_2Mn.gif or My pic_2Mn.jpg

Also spaces in the code when you upload it the system does not say
bad file etc etc

I think

greengiant
11-18-2003, 07:47 PM
I modified the fix in my original post to correct some more bad characters.

Anonymous
11-19-2003, 02:23 PM
I keep getting this error. It is only a problem with the listings, not the agents. It seems to be centered on the 1190s of the main.php file. I chmod'd the image directories, and I included the GD fix mentioned earlier (where the thumbnails get screwy). I am pulling my hair out. Can anyone help? thanks


Warning: move_uploaded_file(/home/optimize/public_html/open-realty114/open-realty//images/listing_photos/6_2849626.jpg): failed to open stream: Permission denied in /home/optimize/public_html/open-realty114/open-realty/include/main.php on line 1198

Warning: move_uploaded_file(): Unable to move '/tmp/phpQWct06' to '/home/optimize/public_html/open-realty114/open-realty//images/listing_photos/6_2849626.jpg' in /home/optimize/public_html/open-realty114/open-realty/include/main.php on line 1198

Warning: filesize(): Stat failed for /home/optimize/public_html/open-realty114/open-realty//images/listing_photos/6_2849626.jpg (errno=2 - No such file or directory) in /home/optimize/public_html/open-realty114/open-realty/include/main.php on line 1199

Warning: unlink(/home/optimize/public_html/open-realty114/open-realty//images/listing_photos/6_2849626.jpg): No such file or directory in /home/optimize/public_html/open-realty114/open-realty/include/main.php on line 1203
Can't delete the file!

the_sandking
11-19-2003, 02:31 PM
Move and delete (unlink) are very picky about permissions and ownership.
the errors above tell the story though....


alty114/open-realty//images/lis

The 2 "//" that appear in the paths for the errors you provided lead me to believe the path is not correct somewhere in your 'common.php' probably something like

$config['somevar'] ='/usr/path/more/path/' <--- drop trailing slash

Anonymous
11-19-2003, 03:39 PM
I've been having other problems too that I should submit. My search function runs but returns nothing, and no errors.

I changed the GD spec, but my thumbnails for Agents still look like shit.

It seemed like it all was working until I turned on frontpage extensions. I wonder if FP autoupdated a critical file or something. I might just try a full re-install as it is just a test site anyhow. But thanks. I also don't want to choke this thread as my comments prolly belong in "support" thanks!

gwmbox
11-21-2003, 01:51 AM
:lol: :lol: :lol: :lol: :lol: :lol: Sorry I have to laugh here - Frontpage always screws with your code - just makes me wonder why people try and use it when using anything else than html files (such as php files), but even html files get screwed up, ever had a look at the source code of even a html before using FP and then after making one or two changes and a save, then see what the source code looks like then - it really screws it up.

I have never used FP extensions myself - never been game to, just using the editor once (just to see - curiosity - ever heard of curiosity killed the cat - well for FP it should be curiosity will kill your website) was enough to turn me away for life - and I suspect FP extensions will do the same as well - that is - auto kill a website.

Hey if you like FP that's fine, personal choice, but no complaining to anyone if it screws up your pages. If you have to use WYSIWYG editors try Dreamweaver - yeah I know there are others - but that's another debate not for these forums :).

Hey just my opinion and advice - take it or leave it :)

Greg

galaxy
11-30-2003, 03:11 AM
New patch works fine, but it seems I have another bug related to the upload function:

upload a pic, and thumb creation is ok, but if I edit my listing and go to image section, modify something like a txt description (no pic new upload), and then click on "update", there is an error and I receive as admin an email saying :

81.248.194.229 -- November 30, 2003, 12:18:27 am -- INSERT INTO default_activityLog (log_date, user, action, ip_address) VALUES ('2003-11-30 00:18:27', '2', 'Mise à jour d'image dutilisateur 2_m35.jpg', '81.248.194.229')

The default_listingsImages table is truly updated, and it seems that OR can't update the activity logs table.

Somebody noticed this ?

Thanks

awddesign
11-30-2003, 03:46 AM
hi

I am not a very good code reader but


if (is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name']))
{
$badchararray = array(" ","'","$","&","%");
$realname = str_replace($badchararray, "", $HTTP_POST_FILES['userfile']['name']);
$realname = stripslashes(strtolower($realname));
$filename = $HTTP_POST_FILES['userfile']['tmp_name'];

should have the "_" also on the

$badchararray = array(" ","'","$","&","%");

so it should read

$badchararray = array(" ","'","_","$","&","%");

as an image like this

'Mise à jour d'image dutilisateur 2_m35.jpg'

plus its empty spaces can get read also from the $badchararray

just a thought.

galaxy
11-30-2003, 05:02 AM
Thanks for your answer.
I just fixed it. It was the French translated message which included the ' character in the word " d'image ". I deleted it and all works fine.

Is there a way to include the character ' inside the translation variables content? We use it very often in French language :)

dev2761
11-30-2003, 05:28 AM
Most of the time just escaping it does the trick (that is, put the backslash \' , AltGr + 8, before the character creating the problem).
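
The activity-log failure discussed above, reproduced as an added example (not part of the thread and not Open-Realty code): the same INSERT built by string concatenation and then with bound parameters, which is a different technique from the manual backslash escaping suggested in the last post. The table and column names come from the logged query in the thread; the in-memory SQLite database (needs pdo_sqlite), the function names and the sample values are assumptions.

```php
<?php
// Added example, not Open-Realty code. Needs the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE default_activityLog
           (log_date TEXT, user TEXT, action TEXT, ip_address TEXT)');

// Constructed sample values: a translated message containing an apostrophe.
$action = "Mise à jour d'image 2_m35.jpg";
$user   = '2';
$ip     = '192.0.2.10';   // documentation address, constructed
$now    = date('Y-m-d H:i:s');

// 1) Query built by string concatenation: the apostrophe in "d'image"
//    ends the SQL string early and the statement no longer parses.
function log_concat(PDO $db, string $now, string $user, string $action, string $ip): bool
{
    $sql = "INSERT INTO default_activityLog (log_date, user, action, ip_address) "
         . "VALUES ('$now', '$user', '$action', '$ip')";
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $e) {
        echo "concatenated query failed: ", $e->getMessage(), "\n";
        return false;
    }
}

// 2) Same insert with bound parameters: the values travel separately from
//    the SQL text, so quotes in a translation need no escaping at all.
function log_bound(PDO $db, string $now, string $user, string $action, string $ip): bool
{
    $stmt = $db->prepare(
        'INSERT INTO default_activityLog (log_date, user, action, ip_address)
         VALUES (:log_date, :user, :action, :ip)'
    );
    return $stmt->execute([
        ':log_date' => $now, ':user' => $user, ':action' => $action, ':ip' => $ip,
    ]);
}

var_dump(log_concat($db, $now, $user, $action, $ip));
var_dump(log_bound($db, $now, $user, $action, $ip));
echo $db->query('SELECT action FROM default_activityLog')->fetchColumn(), "\n";
```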