Commit ec9f5e57 authored by Greeshma's avatar Greeshma

reverting changes

parent 2e327879
1 merge request!413Sqlinjections
<?php
/* +***********************************************************************************
/*+***********************************************************************************
* The contents of this file are subject to the vtiger CRM Public License Version 1.0
* ("License"); You may not use this file except in compliance with the License
* The Original Code is: vtiger CRM Open Source
* The Initial Developer of the Original Code is vtiger.
* Portions created by vtiger are Copyright (C) vtiger.
* All Rights Reserved.
* *********************************************************************************** */
*************************************************************************************/
class Vtiger_ShowFile_Helper {
......@@ -16,20 +16,20 @@ class Vtiger_ShowFile_Helper {
* @param type $encFileName - md5(filename)
*/
static function handle($fid, $encFileName) {
global $upload_badext;
global $upload_badext;
$db = PearDatabase::getInstance();
$query = "SELECT vtiger_attachments.* FROM vtiger_attachments
INNER JOIN vtiger_crmentity ON vtiger_crmentity.crmid = vtiger_attachments.attachmentsid
WHERE vtiger_attachments.attachmentsid=? AND vtiger_attachments.name=? LIMIT 1";
INNER JOIN vtiger_crmentity ON vtiger_crmentity.crmid = vtiger_attachments.attachmentsid
WHERE vtiger_attachments.attachmentsid=? AND vtiger_attachments.name=? LIMIT 1";
$result = $db->pquery($query, array($fid, $encFileName));
if ($result && $db->num_rows($result)) {
$resultData = $db->fetch_array($result);
$fileId = $resultData['attachmentsid'];
$filePath = $resultData['path'];
$fileName = $resultData['name'];
$storedFileName = $resultData['storedname'];
$fileType = $resultData['type'];
$resultData = $db->fetch_array($result);
$fileId = $resultData['attachmentsid'];
$filePath = $resultData['path'];
$fileName = $resultData['name'];
$storedFileName = $resultData['storedname'];
$fileType = $resultData['type'];
$sanitizedFileName = sanitizeUploadFileName($fileName, $upload_badext);
/**
......@@ -37,24 +37,24 @@ WHERE vtiger_attachments.attachmentsid=? AND vtiger_attachments.name=? LIMIT 1";
* This save happens from mailroom, inbox, record save, document save etc..
*/
if (!empty($encFileName)) {
if (!empty($storedFileName)) {
$finalFilePath = $filePath . $fileId . '_' . $storedFileName;
} else if (is_null($storedFileName)) {
$finalFilePath = $filePath . $fileId . '_' . $encFileName;
}
$isFileExist = false;
if (file_exists($finalFilePath)) {
$isFileExist = true;
} else {
$finalFilePath = $filePath . $fileId . '_' . $sanitizedFileName;
if (file_exists($finalFilePath)) {
$isFileExist = true;
}
}
if ($isFileExist) {
Vtiger_ShowFile_Helper::show($finalFilePath, $fileType);
}
}
if(!empty($storedFileName)){
$finalFilePath = $filePath.$fileId.'_'.$storedFileName;
}else if(is_null($storedFileName)){
$finalFilePath = $filePath.$fileId.'_'.$encFileName;
}
$isFileExist = false;
if (file_exists($finalFilePath)) {
$isFileExist = true;
} else {
$finalFilePath = $filePath.$fileId.'_'.$sanitizedFileName;
if (file_exists($finalFilePath)) {
$isFileExist = true;
}
}
if ($isFileExist) {
Vtiger_ShowFile_Helper::show($finalFilePath,$fileType);
}
}
}
}
......@@ -71,4 +71,4 @@ WHERE vtiger_attachments.attachmentsid=? AND vtiger_attachments.name=? LIMIT 1";
header("Content-Type: $fileType;charset=UTF-8");
echo $contents;
}
}
}
\ No newline at end of file