Index: openacs-4/packages/file-storage/file-storage.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/file-storage/file-storage.info,v
diff -u -r1.60.2.21 -r1.60.2.22
--- openacs-4/packages/file-storage/file-storage.info 3 Oct 2021 18:20:38 -0000 1.60.2.21
+++ openacs-4/packages/file-storage/file-storage.info 18 Feb 2022 12:56:48 -0000 1.60.2.22
@@ -7,7 +7,7 @@
f
f
-
+
OpenACS
Collaborative document storage
2021-09-15
@@ -17,9 +17,9 @@
2
#file-storage.file-storage#
-
+
-
+
Index: openacs-4/packages/file-storage/www/file-add.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/file-storage/www/file-add.tcl,v
diff -u -r1.28.2.4 -r1.28.2.5
--- openacs-4/packages/file-storage/www/file-add.tcl 29 Dec 2021 17:38:20 -0000 1.28.2.4
+++ openacs-4/packages/file-storage/www/file-add.tcl 18 Feb 2022 12:56:48 -0000 1.28.2.5
@@ -173,15 +173,29 @@
ad_form -extend -form {} -select_query_name get_file -new_data {
if { [string is true -strict $unpack_p]
+ && $unpack_binary ne ""
&& [file extension [template::util::file::get_property filename $upload_file]] eq ".zip"
} {
+ set ok [util::file_content_check -type zip -file ${upload_file.tmpfile}]
+ if {!$ok} {
+ ad_complain "The uploaded file does not look like a zip file."
+ ad_script_abort
+ }
+
set path [ad_tmpnam]
file mkdir $path
+ if {[catch { exec $unpack_binary -jd $path ${upload_file.tmpfile} } errMsg]} {
+ #
+ # Completely silently catching unzip errors (like it was
+ # before Feb 18, 2022) is NOT a good idea. Maybe, some zip
+ # variants produce output on stderr, so we have to check,
+ # before we are considering to abort here.
+ #
+ ns_log warning "unpacking the uploaded zip file lead to error: $errorMsg"
+ }
- catch { exec $unpack_binary -jd $path ${upload_file.tmpfile} } errmsg
-
# More flexible parameter design could be:
# zip {unzip -jd {out_path} {in_file}} tar {tar xf {in_file} {out_path}} tgz {tar xzf {in_file} {out_path}}
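Review bot: The new `catch` stores its result in `errMsg`, but the `ns_log` line inside the handler reads `$errorMsg`, which is not set anywhere in the visible lines. When unzip fails, Tcl will therefore raise a "no such variable" error in the handler itself, so the request ends with an unhandled script error instead of the intended warning. The log line should read `ns_log warning "unpacking the uploaded zip file lead to error: $errMsg"`. Separately, a failed unpack is only logged and the code after the hunk presumably still processes whatever landed in `$path`. The comment should say whether importing a partially extracted archive is acceptable or whether a non-zero exit should end in `ad_script_abort`. The `-new_data` block continues outside the hunk.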
Index: openacs-4/packages/file-storage/www/folder-zip-add.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/file-storage/www/folder-zip-add.tcl,v
diff -u -r1.11.2.9 -r1.11.2.10
--- openacs-4/packages/file-storage/www/folder-zip-add.tcl 17 Feb 2022 20:19:53 -0000 1.11.2.9
+++ openacs-4/packages/file-storage/www/folder-zip-add.tcl 18 Feb 2022 12:56:48 -0000 1.11.2.10
@@ -52,11 +52,9 @@
set ok 0
} else {
#
- # Check the signature of the zip file, which is more
- # portable and robust than using external programs.
+ # Check the signature of the zip file.
#
- set F [open ${upload_file.tmpfile} rb]; set signature [read $F 4]; close $F
- set ok [expr {[binary encode hex $signature] eq "504b0304"}]
+ set ok [util::file_content_check -type zip -file ${upload_file.tmpfile}]
}
if { !$ok} {
ad_complain "The uploaded file does not look like a zip file."