Now that we know the above was a bug, I would suggest applying the same fixes to the following files for the OC v2.2.0.0 release:
- admin/controller/catalog/download.php file
- admin/controller/feed/google_base.php file
This should definitely rectify the issue.
As for the rest of the upload files that weren't covered in the topic, here are the following fixes as well.
In admin/controller/extension/installer.php file,
find:
if (strrchr($this->request->files['file']['name'], '.') == '.xml') {
replace with:
if (is_uploaded_file($this->request->files['file']['tmp_name']) && strrchr($this->request->files['file']['name'], '.') == '.xml') {
In admin/controller/tool/upload.php file,
find:
if (!empty($this->request->files['file']['name']) && is_file($this->request->files['file']['tmp_name'])) {
replace with:
if (!empty($this->request->files['file']['name']) && is_file($this->request->files['file']['tmp_name']) && is_uploaded_file($this->request->files['file']['tmp_name'])) {
In your catalog/controller/tool/upload.php file,
find:
if (!empty($this->request->files['file']['name']) && is_file($this->request->files['file']['tmp_name'])) {
replace with:
if (!empty($this->request->files['file']['name']) && is_file($this->request->files['file']['tmp_name']) && is_uploaded_file($this->request->files['file']['tmp_name'])) {
Then, find:
$filename = basename(html_entity_decode($this->request->files['file']['name'], ENT_QUOTES, 'UTF-8'));
replace with:
$filename = html_entity_decode($this->request->files['file']['name'], ENT_QUOTES, 'UTF-8');
As for this line, I have no idea why it would be the only line matching for REGEXP compared to the rest of the other uploads in the platform:
$filename = basename(preg_replace('/[^a-zA-Z0-9\.\-\s+]/', '', html_entity_decode($this->request->files['file']['name'], ENT_QUOTES, 'UTF-8')));
replace with:
$filename = html_entity_decode($this->request->files['file']['name'], ENT_QUOTES, 'UTF-8');
If there is really something special about that line and it should be the only line where special chars should be considered throughout the rest of the same process of Opencart, at least, if there's one thing useful about GitHub, it would be to document the difference on that upload!
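The checks discussed in this post, gathered into one stand-alone function as an added example (not part of the original post and not OpenCart's code; `check_upload()`, its parameters and the sample entries are hypothetical). It shows `is_uploaded_file()` being given `tmp_name`, and what `basename()` plus a character whitelist do to the client-supplied `name`.

```php
<?php
// Added illustration: names here are hypothetical, not OpenCart's.
// $isUploaded is injectable only so the function can be exercised from the
// CLI, where is_uploaded_file() is false for every path.
function check_upload(array $file, array $allowedExt, ?callable $isUploaded = null): ?string
{
    $isUploaded = $isUploaded ?? 'is_uploaded_file';

    // 1. PHP itself must report a clean upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // 2. is_uploaded_file() takes the server-side temp path. Given the
    //    client-supplied 'name', it tests a path that was never an upload.
    if (empty($file['tmp_name']) || !$isUploaded($file['tmp_name'])) {
        return null;
    }
    // 3. 'name' is chosen by the client: decode entities, drop any directory
    //    part (both separator styles), then keep only whitelisted characters.
    $name = html_entity_decode((string)($file['name'] ?? ''), ENT_QUOTES, 'UTF-8');
    $name = basename(str_replace('\\', '/', $name));
    $name = (string)preg_replace('/[^a-zA-Z0-9.\-_ ]/', '', $name);

    // 4. Extension allow-list, compared case-insensitively; no dotfiles.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || $name[0] === '.' || !in_array($ext, $allowedExt, true)) {
        return null;
    }
    return $name;
}

// Constructed $_FILES-style entries; the temp path is a made-up value.
$tmp = '/tmp/phpA1b2C3';
$samples = [
    ['name' => 'mod.xml',         'tmp_name' => $tmp,          'error' => UPLOAD_ERR_OK],
    ['name' => '../../mod.xml',   'tmp_name' => $tmp,          'error' => UPLOAD_ERR_OK],
    ['name' => 'mod.xml',         'tmp_name' => '/etc/passwd', 'error' => UPLOAD_ERR_OK],
    ['name' => 'shell.php',       'tmp_name' => $tmp,          'error' => UPLOAD_ERR_OK],
    ['name' => 'mod.xml',         'tmp_name' => '',            'error' => UPLOAD_ERR_INI_SIZE],
];
// Stand-in for is_uploaded_file(): only the constructed temp path counts.
$stub = fn(string $path): bool => $path === $tmp;

foreach ($samples as $file) {
    printf("%-16s %-12s => %s\n", $file['name'], $file['tmp_name'],
        var_export(check_upload($file, ['xml'], $stub), true));
}
```

In a real request, call `check_upload()` without the third argument so that PHP's own `is_uploaded_file()` performs the check.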