Apply locale-independent basename() to attachment filenames. New function added: utf8_basename(). (Bug #43335 - Patch by ocean=Yohsuke)

git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9905 89ea8834-ac86-4346-8a33-228a782c2dd0

phpBB/docs/CHANGELOG.html

@@ -184,6 +184,7 @@
 		<li>[Fix] Min/max characters per posts also affects polls option (Bug #47295 - Patch by nickvergessen)</li>
 		<li>[Fix] Correctly log action when users request to join a group (Bug #37585 - Patch by nickvergessen)</li>
 		<li>[Fix] Do not try to create thumbnails for images we cannot open properly. (Bug #48695)</li>
+		<li>[Fix] Apply locale-independent basename() to attachment filenames. New function added: utf8_basename(). (Bug #43335 - Patch by ocean=Yohsuke)</li>
 		<li>[Change] Change the data format of the default file ACM to be more secure from tampering and have better performance.</li>
 		<li>[Change] Add index on log_time to the log table to prevent slowdown on boards with many log entries. (Bug #44665 - Patch by bantu)</li>
 		<li>[Change] Template engine now permits to a limited extent variable includes.</li>

phpBB/download/file.php

@@ -249,7 +249,7 @@ if (!$attachment)
 	trigger_error('ERROR_NO_ATTACHMENT');
 }
 
-$attachment['physical_filename'] = basename($attachment['physical_filename']);
+$attachment['physical_filename'] = utf8_basename($attachment['physical_filename']);
 $display_cat = $extensions[$attachment['extension']]['display_cat'];
 
 if (($display_cat == ATTACHMENT_CATEGORY_IMAGE || $display_cat == ATTACHMENT_CATEGORY_THUMB) && !$user->optionget('viewimg'))

phpBB/includes/acp/acp_attachments.php

@@ -1027,8 +1027,8 @@ class acp_attachments
 					$template->assign_block_vars('orphan', array(
 						'FILESIZE'			=> get_formatted_filesize($row['filesize']),
 						'FILETIME'			=> $user->format_date($row['filetime']),
-						'REAL_FILENAME'		=> basename($row['real_filename']),
-						'PHYSICAL_FILENAME'	=> basename($row['physical_filename']),
+						'REAL_FILENAME'		=> utf8_basename($row['real_filename']),
+						'PHYSICAL_FILENAME'	=> utf8_basename($row['physical_filename']),
 						'ATTACH_ID'			=> $row['attach_id'],
 						'POST_IDS'			=> (!empty($post_ids[$row['attach_id']])) ? $post_ids[$row['attach_id']] : '',
 						'U_FILE'			=> append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'mode=view&id=' . $row['attach_id']))

phpBB/includes/functions_admin.php

@@ -1235,7 +1235,7 @@ function phpbb_unlink($filename, $mode = 'file', $entry_removed = false)
 	// Because of copying topics or modifications a physical filename could be assigned more than once. If so, do not remove the file itself.
 	$sql = 'SELECT COUNT(attach_id) AS num_entries
 		FROM ' . ATTACHMENTS_TABLE . "
-		WHERE physical_filename = '" . $db->sql_escape(basename($filename)) . "'";
+		WHERE physical_filename = '" . $db->sql_escape(utf8_basename($filename)) . "'";
 	$result = $db->sql_query($sql);
 	$num_entries = (int) $db->sql_fetchfield('num_entries');
 	$db->sql_freeresult($result);
@@ -1246,7 +1246,7 @@ function phpbb_unlink($filename, $mode = 'file', $entry_removed = false)
 		return false;
 	}
 
-	$filename = ($mode == 'thumbnail') ? 'thumb_' . basename($filename) : basename($filename);
+	$filename = ($mode == 'thumbnail') ? 'thumb_' . utf8_basename($filename) : utf8_basename($filename);
 	return @unlink($phpbb_root_path . $config['upload_path'] . '/' . $filename);
 }
 

phpBB/includes/functions_content.php

@@ -841,8 +841,8 @@ function parse_attachments($forum_id, &$message, &$attachments, &$update_count,
 
 		// Some basics...
 		$attachment['extension'] = strtolower(trim($attachment['extension']));
-		$filename = $phpbb_root_path . $config['upload_path'] . '/' . basename($attachment['physical_filename']);
-		$thumbnail_filename = $phpbb_root_path . $config['upload_path'] . '/thumb_' . basename($attachment['physical_filename']);
+		$filename = $phpbb_root_path . $config['upload_path'] . '/' . utf8_basename($attachment['physical_filename']);
+		$thumbnail_filename = $phpbb_root_path . $config['upload_path'] . '/thumb_' . utf8_basename($attachment['physical_filename']);
 
 		$upload_icon = '';
 
@@ -866,7 +866,7 @@ function parse_attachments($forum_id, &$message, &$attachments, &$update_count,
 			'UPLOAD_ICON'		=> $upload_icon,
 			'FILESIZE'			=> $filesize['value'],
 			'SIZE_LANG'			=> $filesize['unit'],
-			'DOWNLOAD_NAME'		=> basename($attachment['real_filename']),
+			'DOWNLOAD_NAME'		=> utf8_basename($attachment['real_filename']),
 			'COMMENT'			=> $comment,
 		);
 

phpBB/includes/functions_convert.php

@@ -551,7 +551,7 @@ function _import_check($config_var, $source, $use_target)
 	);
 
 	// copy file will prepend $phpBB_root_path
-	$target = $config[$config_var] . '/' . basename(($use_target === false) ? $source : $use_target);
+	$target = $config[$config_var] . '/' . utf8_basename(($use_target === false) ? $source : $use_target);
 
 	if (!empty($convert->convertor[$config_var]) && strpos($source, $convert->convertor[$config_var]) !== 0)
 	{
@@ -567,11 +567,11 @@ function _import_check($config_var, $source, $use_target)
 
 	if ($result['copied'])
 	{
-		$result['target'] = basename($target);
+		$result['target'] = utf8_basename($target);
 	}
 	else
 	{
-		$result['target'] = ($use_target !== false) ? $result['orig_source'] : basename($target);
+		$result['target'] = ($use_target !== false) ? $result['orig_source'] : utf8_basename($target);
 	}
 
 	return $result;
@@ -600,7 +600,7 @@ function import_attachment($source, $use_target = false)
 		{
 			$thumb_dir = $convert->convertor['thumbnails'][0];
 			$thumb_prefix = $convert->convertor['thumbnails'][1];
-			$thumb_source = $thumb_dir . $thumb_prefix . basename($result['source']);
+			$thumb_source = $thumb_dir . $thumb_prefix . utf8_basename($result['source']);
 
 			if (strpos($thumb_source, $convert->convertor['upload_path']) !== 0)
 			{
@@ -2257,7 +2257,7 @@ function copy_file($src, $trg, $overwrite = false, $die_on_failure = true, $sour
 
 	if (substr($trg, -1) == '/')
 	{
-		$trg .= basename($src);
+		$trg .= utf8_basename($src);
 	}
 	$src_path = relative_base($src, $source_relative_path, __LINE__, __FILE__);
 	$trg_path = $trg;

phpBB/includes/functions_posting.php

@@ -785,7 +785,7 @@ function posting_gen_inline_attachments(&$attachment_data)
 
 		foreach ($attachment_data as $i => $attachment)
 		{
-			$s_inline_attachment_options .= '<option value="' . $i . '">' . basename($attachment['real_filename']) . '</option>';
+			$s_inline_attachment_options .= '<option value="' . $i . '">' . utf8_basename($attachment['real_filename']) . '</option>';
 		}
 
 		$template->assign_var('S_INLINE_ATTACHMENT_OPTIONS', $s_inline_attachment_options);
@@ -819,7 +819,7 @@ function posting_gen_attachment_entry($attachment_data, &$filename_data, $show_a
 		foreach ($attachment_data as $count => $attach_row)
 		{
 			$hidden = '';
-			$attach_row['real_filename'] = basename($attach_row['real_filename']);
+			$attach_row['real_filename'] = utf8_basename($attach_row['real_filename']);
 
 			foreach ($attach_row as $key => $value)
 			{
@@ -829,8 +829,8 @@ function posting_gen_attachment_entry($attachment_data, &$filename_data, $show_a
 			$download_link = append_sid("{$phpbb_root_path}download/file.$phpEx", 'mode=view&amp;id=' . (int) $attach_row['attach_id'], true, ($attach_row['is_orphan']) ? $user->session_id : false);
 
 			$template->assign_block_vars('attach_row', array(
-				'FILENAME'			=> basename($attach_row['real_filename']),
-				'A_FILENAME'		=> addslashes(basename($attach_row['real_filename'])),
+				'FILENAME'			=> utf8_basename($attach_row['real_filename']),
+				'A_FILENAME'		=> addslashes(utf8_basename($attach_row['real_filename'])),
 				'FILE_COMMENT'		=> $attach_row['attach_comment'],
 				'ATTACH_ID'			=> $attach_row['attach_id'],
 				'S_IS_ORPHAN'		=> $attach_row['is_orphan'],
@@ -2175,7 +2175,7 @@ function submit_post($mode, $subject, $username, $topic_type, &$poll, &$data, $u
 			else
 			{
 				// insert attachment into db
-				if (!@file_exists($phpbb_root_path . $config['upload_path'] . '/' . basename($orphan_rows[$attach_row['attach_id']]['physical_filename'])))
+				if (!@file_exists($phpbb_root_path . $config['upload_path'] . '/' . utf8_basename($orphan_rows[$attach_row['attach_id']]['physical_filename'])))
 				{
 					continue;
 				}

phpBB/includes/functions_privmsgs.php

@@ -1552,7 +1552,7 @@ function submit_pm($mode, $subject, &$data, $put_in_outbox = true)
 			else
 			{
 				// insert attachment into db
-				if (!@file_exists($phpbb_root_path . $config['upload_path'] . '/' . basename($orphan_rows[$attach_row['attach_id']]['physical_filename'])))
+				if (!@file_exists($phpbb_root_path . $config['upload_path'] . '/' . utf8_basename($orphan_rows[$attach_row['attach_id']]['physical_filename'])))
 				{
 					continue;
 				}

phpBB/includes/functions_upload.php

@@ -58,7 +58,7 @@ class filespec
 
 		$this->filename = $upload_ary['tmp_name'];
 		$this->filesize = $upload_ary['size'];
-		$name = trim(htmlspecialchars(basename($upload_ary['name'])));
+		$name = trim(utf8_htmlspecialchars(utf8_basename($upload_ary['name'])));
 		$this->realname = $this->uploadname = (STRIP) ? stripslashes($name) : $name;
 		$this->mimetype = $upload_ary['type'];
 
@@ -290,7 +290,7 @@ class filespec
 
 		$upload_mode = (@ini_get('open_basedir') || @ini_get('safe_mode') || strtolower(@ini_get('safe_mode')) == 'on') ? 'move' : 'copy';
 		$upload_mode = ($this->local) ? 'local' : $upload_mode;
-		$this->destination_file = $this->destination_path . '/' . basename($this->realname);
+		$this->destination_file = $this->destination_path . '/' . utf8_basename($this->realname);
 
 		// Check if the file already exist, else there is something wrong...
 		if (file_exists($this->destination_file) && !$overwrite)
@@ -634,7 +634,7 @@ class fileupload
 
 		if ($filedata === false)
 		{
-			$_FILES[$form_name]['name'] = basename($source_file);
+			$_FILES[$form_name]['name'] = utf8_basename($source_file);
 			$_FILES[$form_name]['size'] = 0;
 			$mimetype = '';
 
@@ -746,7 +746,7 @@ class fileupload
 		$ext = array_pop($url['path']);
 
 		$url['path'] = implode('', $url['path']);
-		$upload_ary['name'] = basename($url['path']) . (($ext) ? '.' . $ext : '');
+		$upload_ary['name'] = utf8_basename($url['path']) . (($ext) ? '.' . $ext : '');
 		$filename = $url['path'];
 		$filesize = 0;
 

phpBB/includes/mcp/mcp_main.php

@@ -1168,8 +1168,8 @@ function mcp_fork_topic($topic_ids)
 							'in_message'		=> 0,
 							'is_orphan'			=> (int) $attach_row['is_orphan'],
 							'poster_id'			=> (int) $attach_row['poster_id'],
-							'physical_filename'	=> (string) basename($attach_row['physical_filename']),
-							'real_filename'		=> (string) basename($attach_row['real_filename']),
+							'physical_filename'	=> (string) utf8_basename($attach_row['physical_filename']),
+							'real_filename'		=> (string) utf8_basename($attach_row['real_filename']),
 							'download_count'	=> (int) $attach_row['download_count'],
 							'attach_comment'	=> (string) $attach_row['attach_comment'],
 							'extension'			=> (string) $attach_row['extension'],

phpBB/includes/utf/utf_tools.php

@@ -70,7 +70,7 @@ if (!extension_loaded('xml'))
 		$pos = 0;
 		$len = strlen($str);
 		$ret = '';
-	
+
 		while ($pos < $len)
 		{
 			$ord = ord($str[$pos]) & 0xF0;
@@ -252,7 +252,7 @@ else
 		if (is_null($offset))
 		{
 			$ar	= explode($needle, $str);
-			
+
 			if (sizeof($ar) > 1)
 			{
 				// Pop off the end of the string where the last	match was made
@@ -527,7 +527,7 @@ else
 			$op = '^(?:' . $op . '.{' . $oy . '})';
 		}
 		else
-		{	
+		{
 			// offset == 0; just anchor the pattern
 			$op = '^';
 		}
@@ -560,7 +560,7 @@ else
 
 				$lx = (int) ($length / 65535);
 				$ly = $length % 65535;
-				
+
 				// negative length requires a captured group
 				// of length characters
 				if ($lx)
@@ -632,7 +632,7 @@ function utf8_str_split($str, $split_len = 1)
 	{
 		return array($str);
 	}
-	
+
 	preg_match_all('/.{' . $split_len . '}|[^\x00]{1,' . $split_len . '}$/us', $str, $ar);
 	return $ar[0];
 }
@@ -1917,4 +1917,32 @@ function utf8_wordwrap($string, $width = 75, $break = "\n", $cut = false)
 	return implode($break, $new_lines);
 }
 
+/**
+* UTF8-safe basename() function
+*
+* basename() has some limitations and is dependent on the locale setting
+* according to the PHP manual. Therefore we provide our own locale independant
+* basename function.
+*
+* @param string $filename The filename basename() should be applied to
+* @return string The basenamed filename
+*/
+function utf8_basename($filename)
+{
+	// We always check for forward slash AND backward slash
+	// because they could be mixed or "sneaked" in. ;)
+	// You know, never trust user input...
+	if (strpos($filename, '/') !== false)
+	{
+		$filename = utf8_substr($filename, utf8_strrpos($filename, '/') + 1);
+	}
+
+	if (strpos($filename, '\\') !== false)
+	{
+		$filename = utf8_substr($filename, utf8_strrpos($filename, '\\') + 1);
+	}
+
+	return $filename;
+}
+
 ?>

phpBB/viewtopic.php

@@ -1613,7 +1613,6 @@ else if (!$all_marked_read)
 }
 
 // let's set up quick_reply
-// TODO: introduce a per-forum and a per-user setting
 $s_quick_reply = $user->data['is_registered'] && $config['allow_quick_reply'] && ($topic_data['forum_flags'] & FORUM_FLAG_QUICK_REPLY) && $auth->acl_get('f_reply', $forum_id);
 
 if ($s_can_vote || $s_quick_reply)