Sanitize out backslashes in upload filenames

[citadel.git] / citadel / file_ops.c

diff --git a/citadel/file_ops.c b/citadel/file_ops.c
index cc0e1afebf8c9271b94a99833edee49edc24a180..af4a872a1d5a43bbd840e0193a3c2d018f3f0f82 100644 (file)
--- a/citadel/file_ops.c
+++ b/citadel/file_ops.c
@@ -97,7 +97,7 @@ int network_talking_to(char *nodename, int operation) {
                        break;
        }
 
-       if (nttlist != NULL) lprintf(CTDL_DEBUG, "nttlist=<%s>\n", nttlist);
+       if (nttlist != NULL) CtdlLogPrintf(CTDL_DEBUG, "nttlist=<%s>\n", nttlist);
        end_critical_section(S_NTTLIST);
        return(retval);
 }
@@ -128,7 +128,7 @@ void cmd_delf(char *filename)
                return;
        }
        for (a = 0; !IsEmptyStr(&filename[a]); ++a) {
-               if (filename[a] == '/') {
+               if ( (filename[a] == '/') || (filename[a] == '\\') ) {
                        filename[a] = '_';
                }
        }
@@ -180,7 +180,7 @@ void cmd_movf(char *cmdbuf)
        }
 
        for (a = 0; !IsEmptyStr(&filename[a]); ++a) {
-               if (filename[a] == '/') {
+               if ( (filename[a] == '/') || (filename[a] == '\\') ) {
                        filename[a] = '_';
                }
        }
@@ -249,7 +249,7 @@ void cmd_netf(char *cmdbuf)
        }
 
        for (a = 0; !IsEmptyStr(&filename[a]); ++a) {
-               if (filename[a] == '/') {
+               if ( (filename[a] == '/') || (filename[a] == '\\') ) {
                        filename[a] = '_';
                }
        }
@@ -369,7 +369,7 @@ void cmd_open(char *cmdbuf)
        }
 
        for (a = 0; !IsEmptyStr(&filename[a]); ++a) {
-               if (filename[a] == '/') {
+               if ( (filename[a] == '/') || (filename[a] == '\\') ) {
                        filename[a] = '_';
                }
        }
@@ -437,7 +437,7 @@ void cmd_oimg(char *cmdbuf)
        } else {
                for (a = 0; !IsEmptyStr(&filename[a]); ++a) {
                        filename[a] = tolower(filename[a]);
-                       if (filename[a] == '/') {
+                       if ( (filename[a] == '/') || (filename[a] == '\\') ) {
                                filename[a] = '_';
                        }
                }
@@ -470,7 +470,8 @@ void cmd_uopn(char *cmdbuf)
        int a;
 
        extract_token(CC->upl_file, cmdbuf, 0, '|', sizeof CC->upl_file);
-       extract_token(CC->upl_comment, cmdbuf, 1, '|', sizeof CC->upl_comment);
+       extract_token(CC->upl_mimetype, cmdbuf, 1, '|', sizeof CC->upl_mimetype);
+       extract_token(CC->upl_comment, cmdbuf, 2, '|', sizeof CC->upl_comment);
 
        if (CtdlAccessCheck(ac_logged_in)) return;
 
@@ -493,7 +494,7 @@ void cmd_uopn(char *cmdbuf)
        }
 
        for (a = 0; !IsEmptyStr(&CC->upl_file[a]); ++a) {
-               if (CC->upl_file[a] == '/') {
+               if ( (CC->upl_file[a] == '/') || (CC->upl_file[a] == '\\') ) {
                        CC->upl_file[a] = '_';
                }
        }
@@ -542,7 +543,8 @@ void cmd_uimg(char *cmdbuf)
        }
 
        is_this_for_real = extract_int(cmdbuf, 0);
-       extract_token(basenm, cmdbuf, 1, '|', sizeof basenm);
+       extract_token(CC->upl_mimetype, cmdbuf, 1, '|', sizeof CC->upl_mimetype);
+       extract_token(basenm, cmdbuf, 2, '|', sizeof basenm);
        if (CC->upload_fp != NULL) {
                cprintf("%d You already have an upload file open.\n",
                        ERROR + RESOURCE_BUSY);
@@ -553,7 +555,7 @@ void cmd_uimg(char *cmdbuf)
 
        for (a = 0; !IsEmptyStr(&basenm[a]); ++a) {
                basenm[a] = tolower(basenm[a]);
-               if (basenm[a] == '/') {
+               if ( (basenm[a] == '/') || (basenm[a] == '\\') ) {
                        basenm[a] = '_';
                }
        }
@@ -682,15 +684,18 @@ void cmd_ucls(char *cmd)
                        fp = fopen(CC->upl_filedir, "w");
                }
                if (fp != NULL) {
-                       fprintf(fp, "%s %s\n", CC->upl_file,
+                       fprintf(fp, "%s %s %s\n", CC->upl_file,
+                               CC->upl_mimetype,
                                CC->upl_comment);
                        fclose(fp);
                }
 
                /* put together an upload notice */
                snprintf(upload_notice, sizeof upload_notice,
-                       "NEW UPLOAD: '%s'\n %s\n",
-                       CC->upl_file, CC->upl_comment);
+                       "NEW UPLOAD: '%s'\n %s\n%s\n",
+                        CC->upl_file, 
+                        CC->upl_comment, 
+                        CC->upl_mimetype);
                quickie_message(CC->curr_user, NULL, NULL, CC->room.QRname,
                                upload_notice, 0, NULL);
        } else {