diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index b9dc7a5..cab9f5e 100755
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -12,14 +12,7 @@ If you have a good idea for improvement feel free to create a new issue with all ### Issues
-Feel free to grab any open issue implement it and create a new pull request. Most issues can be found in the code and have the following structure:
-
-```php
-/**
- * @todo Orange-Management/Orange-Management#ISSUE_NUMBER [d:difficulty]
- * Description for the issue
- */
-```
+Feel free to grab any open issue implement it and create a new pull request. Most issues can be found in the `Project.md` file in the `Docs` repository. The issue information can be used to provide additional information such as priority, difficulty and type. For your first issue try to find a issue marked `[d:first]` or `[d:beginner]`.
diff --git a/Controller/ApiController.php b/Controller/ApiController.php
index 6bc3430..1004b20 100755
--- a/Controller/ApiController.php
+++ b/Controller/ApiController.php
@@ -84,8 +84,6 @@ final class ApiController extends Controller
 $ids = [];
 foreach ($uploads as $file) {
 $ids[] = $file->getId();
-
- // @todo: maybe improve, this could potentially be done immediately in the createDBEntry, especially if tags replace the type? But probably we need type and tags (both are slightly different e.g. tags are public, types are for modules e.g. itemmanagement item image)
 // add tags
 if (!empty($tags = $request->getDataJson('tags'))) {
 foreach ($tags as $tag) {
@@ -366,7 +364,8 @@ final class ApiController extends Controller
 // @todo: implement a security check to ensure the user is allowed to write to the file. Right now you could overwrite ANY file with a malicious $path
 if ($id === 0 && $media instanceof NullMedia
- && \is_file(__DIR__ . '/../Files' . ($path = \urldecode($request->getData('path'))))
+ && \is_file($fullPath = __DIR__ . '/../Files' . ($path = \urldecode($request->getData('path'))))
+ && \stripos(FileUtils::absolute(__DIR__ . '/../Files/'), FileUtils::absolute($fullPath)) === 0
 ) {
 $name = \explode('.', \basename($path));
@@ -635,6 +634,8 @@ final class ApiController extends Controller
 $view = new View($this->app->l11nManager, $request, $response);
 $view->setData('media', $media);
+ $response->endAllOutputBuffering(); // for large files
+
 if (($type = $request->getData('type')) === null) {
 $view->setTemplate('/Modules/Media/Theme/Api/render');
 } elseif ($type === 'html') {
diff --git a/Models/UploadFile.php b/Models/UploadFile.php
index 3fec22b..d054389 100755
--- a/Models/UploadFile.php
+++ b/Models/UploadFile.php
@@ -159,7 +159,6 @@ class UploadFile
 if (!$this->preserveFileName || \is_file($path . '/' . $result[$key]['filename'])) {
 try {
- // @todo: split filename to tmp_name and extension for this function call!
 $result[$key]['filename'] = $this->createFileName($path, $f['tmp_name'], $extension);
 } catch (\Exception $e) {
 $result[$key]['filename'] = $f['name'];
diff --git a/Theme/Api/render.tpl.php b/Theme/Api/render.tpl.php
index 5227072..9950e67 100755
--- a/Theme/Api/render.tpl.php
+++ b/Theme/Api/render.tpl.php
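Review bot: The arguments of the new containment check on the `+ && \stripos(...)` line are reversed: `stripos($haystack, $needle)` looks for the second argument inside the first, so it asks whether the resolved upload path occurs at offset 0 of the `Files/` directory string, which is false for every real file below that directory — unless `FileUtils::absolute` does something unexpected, the guard fails closed and appears to break legitimate writes rather than confine them. The intended test is the other way round, `\strpos(FileUtils::absolute($fullPath), FileUtils::absolute(__DIR__ . '/../Files/')) === 0` (or `str_starts_with(...)` on PHP 8), and it should use the case-sensitive `strpos` since a case-insensitive prefix match is not what the filesystem does; whether `FileUtils::absolute` keeps the trailing separator (needed so a sibling `Files2/` is not accepted as a prefix) and resolves symlinks like `realpath()` is not visible here and should be confirmed. The `// @todo: implement a security check ...` comment on the line above is now stale for the traversal part but still valid for per-user authorisation, which this hunk does not add — reword it to `// @todo: the prefix check only confines the path to Files/; still need to verify the user may write this file`. The enclosing method starts and ends outside the hunk.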
@@ -12,13 +12,8 @@ */
 declare(strict_types=1);
-// @todo: is this chunked/streamed output or bulk output
-// if it is streamed it is not working because of ob_* in the actual response rendering
-
 $media = $this->getData('media');
-$t = ($media->isAbsolute ? '' : __DIR__ . '/../../../../') . $media->getPath();
-
 $fp = \fopen(($media->isAbsolute ? '' : __DIR__ . '/../../../../') . $media->getPath(), 'r');
 \fpassthru($fp);
 \fclose($fp);
diff --git a/tests/Controller/test/path/created.md b/tests/Controller/test/path/created.md
new file mode 100644
index 0000000..8773f39
--- /dev/null
+++ b/tests/Controller/test/path/created.md
@@ -0,0 +1 @@
+file content
\ No newline at end of file