diff --git a/library/ajax/change_tor_status.php b/library/ajax/change_tor_status.php
index 23460ac8b..b90cf476b 100644
--- a/library/ajax/change_tor_status.php
+++ b/library/ajax/change_tor_status.php
@@ -13,13 +13,15 @@ if (!defined('IN_AJAX')) {
 global $userdata, $bb_cfg, $lang;
-if (!isset($this->request['attach_id'])) {
+if (!$attach_id = (int)$this->request['attach_id']) {
     $this->ajax_die($lang['EMPTY_ATTACH_ID']);
 }
-$attach_id = (int)$this->request['attach_id'];
-$mode = (string)$this->request['mode'];
+if (!$mode = (string)$this->request['mode']) {
+    $this->ajax_die('invalid mode (empty)');
+}
+$comment = false;
 if ($bb_cfg['tor_comment']) {
     $comment = (string)$this->request['comment'];
 }
@@ -117,6 +119,9 @@ switch ($mode) {
         send_pm($tor['checked_user_id'], $subject, $message, $userdata['user_id']);
         \TorrentPier\Sessions::cache_rm_user_sessions($tor['checked_user_id']);
         break;
+
+    default:
+        $this->ajax_die('Invalid mode: ' . $mode);
 }
 $this->response['attach_id'] = $attach_id;
diff --git a/library/attach_mod/posting_attachments.php b/library/attach_mod/posting_attachments.php
index e65306ff3..e175ac7fa 100644
--- a/library/attach_mod/posting_attachments.php
+++ b/library/attach_mod/posting_attachments.php
@@ -11,11 +11,9 @@ if (!defined('BB_ROOT')) {
     die(basename(__FILE__));
 }
-define('FILENAME_PREFIX', false);
+define('FILENAME_PREFIX', true);
 define('FILENAME_PREFIX_LENGTH', 6);
-define('FILENAME_MAX_LENGTH', 180);
-define('FILENAME_CRYPTIC', false);
-define('FILENAME_CRYPTIC_LENGTH', 64);
+define('FILENAME_MAX_LENGTH', 128);
 /**
  * Entry Point
diff --git a/src/Legacy/Attach.php b/src/Legacy/Attach.php
index d0dec2298..264916ee5 100644
--- a/src/Legacy/Attach.php
+++ b/src/Legacy/Attach.php
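Review bot: The new guard `if (!$attach_id = (int)$this->request['attach_id'])` drops the `isset()` the old code had, so a request without `attach_id` now reads an undefined array key (a warning on PHP 8) before `ajax_die` runs, and the `mode` read two lines below has the same problem. Read both with null-coalescing and keep the assignment out of the condition: `$attach_id = (int)($this->request['attach_id'] ?? 0);` and `$mode = (string)($this->request['mode'] ?? '');`, followed by the existing empty checks. The `'invalid mode (empty)'` message is also a hard-coded English string where the sibling check uses `$lang[...]`; a language key would presumably be the consistent choice.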
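Review bot: The new `default:` branch reflects the raw request value in `'Invalid mode: ' . $mode`; whether that is safe depends on how `ajax_die` encodes its message and how the client inserts it into the page, neither of which is visible here, and a request-controlled string rendered as HTML would be a reflected-XSS sink. The accepted values are exactly the `case` labels, so the message does not need the input at all: `$this->ajax_die('Invalid mode');` leaves nothing attacker-controlled in the response. If the value is wanted for diagnostics, pass it through `htmlspecialchars($mode, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` first.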
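Review bot: Dropping the `FILENAME_CRYPTIC` and `FILENAME_CRYPTIC_LENGTH` defines turns any remaining reference into a fatal undefined-constant `Error` on PHP 8, and `src/Legacy/Attach.php` is the only consumer this commit updates, so the rest of the tree should be checked for other uses. Note also that with `FILENAME_PREFIX` now `true`, the 128-byte `FILENAME_MAX_LENGTH` is applied in `Attach.php` after the `FILENAME_PREFIX_LENGTH + 1` byte prefix is prepended, so the user-derived part of the name is effectively capped at 121 bytes; a comment on the define such as `// applies to the final physical name, random prefix included` would save the next reader from inferring that.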
@@ -845,41 +845,34 @@ class Attach
         //bt end
         // Upload File
-        $this->thumbnail = 0;
         if (!$error) {
-            //
             // Prepare Values
             $this->filetime = TIMENOW;
-            $this->filename = $r_file; // physical filename
             $this->attach_filename = $this->filename;
             //bt
-            if (FILENAME_CRYPTIC) {
-                $this->attach_filename = make_rand_str(FILENAME_CRYPTIC_LENGTH);
-            } else {
-                $this->attach_filename = html_entity_decode(trim(stripslashes($this->attach_filename)));
-                $this->attach_filename = pathinfo($this->attach_filename, PATHINFO_FILENAME);
-                $this->attach_filename = str_replace([' ', '-'], '_', $this->attach_filename);
-                $this->attach_filename = str_replace('__', '_', $this->attach_filename);
-                $this->attach_filename = str_replace([',', '.', '!', '?', 'ь', 'Ь', 'ц', 'Ц', 'д', 'Д', ';', ':', '@', "'", '"', '&'], ['', '', '', '', 'ue', 'ue', 'oe', 'oe', 'ae', 'ae', '', '', '', '', '', 'and'], $this->attach_filename);
-                $this->attach_filename = str_replace(['$', 'Я', '>', '<', '§', '%', '=', '/', '(', ')', '#', '*', '+', "\\", '{', '}', '[', ']'], ['dollar', 'ss', 'greater', 'lower', 'paragraph', 'percent', 'equal', '', '', '', '', '', '', '', '', '', '', ''], $this->attach_filename);
-                // Remove non-latin characters
-                $this->attach_filename = preg_replace('#([\xC2\xC3])([\x80-\xBF])#', 'chr(ord(\'$1\')<<6&0xC0|ord(\'$2\')&0x3F)', $this->attach_filename);
-                $this->attach_filename = rawurlencode($this->attach_filename);
-                $this->attach_filename = preg_replace("/(%[0-9A-F]{1,2})/i", '', $this->attach_filename);
-                $this->attach_filename = trim($this->attach_filename . '_' . make_rand_str(13));
-            }
+            $this->attach_filename = html_entity_decode(trim(stripslashes($this->attach_filename)));
+            $this->attach_filename = pathinfo($this->attach_filename, PATHINFO_FILENAME);
+            $this->attach_filename = str_replace([' ', '-'], '_', $this->attach_filename);
+            $this->attach_filename = str_replace('__', '_', $this->attach_filename);
+            $this->attach_filename = str_replace([',', '.', '!', '?', 'ь', 'Ь', 'ц', 'Ц', 'д', 'Д', ';', ':', '@', "'", '"', '&'], ['', '', '', '', 'ue', 'ue', 'oe', 'oe', 'ae', 'ae', '', '', '', '', '', 'and'], $this->attach_filename);
+            $this->attach_filename = str_replace(['$', 'Я', '>', '<', '§', '%', '=', '/', '(', ')', '#', '*', '+', "\\", '{', '}', '[', ']'], ['dollar', 'ss', 'greater', 'lower', 'paragraph', 'percent', 'equal', '', '', '', '', '', '', '', '', '', '', ''], $this->attach_filename);
+            // Remove non-latin characters
+            $this->attach_filename = preg_replace('#([\xC2\xC3])([\x80-\xBF])#', 'chr(ord(\'$1\')<<6&0xC0|ord(\'$2\')&0x3F)', $this->attach_filename);
+            $this->attach_filename = rawurlencode($this->attach_filename);
+            $this->attach_filename = preg_replace("/(%[0-9A-F]{1,2})/i", '', $this->attach_filename);
+            $this->attach_filename = trim($this->attach_filename . '_' . make_rand_str(13));
             $this->attach_filename = str_replace(['&', '&', ' '], '_', $this->attach_filename);
             $this->attach_filename = str_replace('php', '_php_', $this->attach_filename);
-            $this->attach_filename = substr(trim($this->attach_filename), 0, FILENAME_MAX_LENGTH);
+            $new_physical_filename = null;
             for ($i = 0, $max_try = 5; $i <= $max_try; $i++) {
-                $fn_prefix = make_rand_str(FILENAME_PREFIX_LENGTH) . '_';
+                $fn_prefix = FILENAME_PREFIX ? (make_rand_str(FILENAME_PREFIX_LENGTH) . '_') : '';
                 $new_physical_filename = clean_filename($fn_prefix . $this->attach_filename);
                 if (!physical_filename_already_stored($new_physical_filename)) {
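Review bot: The `preg_replace('#([\xC2\xC3])([\x80-\xBF])#', 'chr(ord(\'$1\')<<6&0xC0|ord(\'$2\')&0x3F)', ...)` line that this commit promotes to the only code path does not transliterate anything: the replacement is a plain string in which only `$1`/`$2` are substituted, so every two-byte UTF-8 character becomes the literal text `chr(ord('…')<<6&0xC0|ord('…')&0x3F)`, and after the following `rawurlencode` and `%XX` strip the filename is left with `chrord60xC0ord0x3F`-style residue per character. It needs `preg_replace_callback('#([\xC2\xC3])([\x80-\xBF])#', static fn (array $m): string => chr((ord($m[1]) << 6 & 0xC0) | (ord($m[2]) & 0x3F)), $this->attach_filename)`. Separately, with `$this->thumbnail = 0;` and `$this->filename = $r_file;` removed, the kept line `$this->attach_filename = $this->filename;` and the later thumbnail handling now depend on those values being set elsewhere, which is fine only if they are property defaults or assigned earlier in the method; the enclosing method starts before and ends after this hunk.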
@@ -888,8 +881,11 @@ class Attach
                 if ($i === $max_try) {
                     bb_die('Could not create filename for attachment');
                 }
+            }
-                $this->attach_filename = $new_physical_filename;
+            $this->attach_filename = $new_physical_filename;
+            if (!empty($this->attach_filename)) {
+                $this->attach_filename = substr(trim($this->attach_filename), 0, FILENAME_MAX_LENGTH);
             }
             // Do we have to create a thumbnail ?
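Review bot: The truncation to `FILENAME_MAX_LENGTH` now runs after the collision loop, so the name that `physical_filename_already_stored()` was asked about is the untruncated candidate while the value kept in `$this->attach_filename` is the cut-down one whenever the candidate exceeds 128 bytes; the uniqueness check no longer covers the name that is actually stored. Truncate before the loop instead, leaving room for the prefix, with `$this->attach_filename = substr(trim($this->attach_filename), 0, FILENAME_MAX_LENGTH - (FILENAME_PREFIX ? FILENAME_PREFIX_LENGTH + 1 : 0));` where the old `substr` line stood in the previous hunk, and drop the post-loop `if (!empty(...))` block, which is dead once the loop either breaks with a candidate or calls `bb_die`. The enclosing method begins and ends outside this hunk.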