#1906: PHP connector in filemanager should have better error checking
---------------------------+------------------------------------------------
Reporter: Kyle | Owner:
Type: Bug | Status: new
Priority: Normal | Milestone:
Component: Server : PHP | Version: SVN
Resolution: | Keywords: HasPatch
---------------------------+------------------------------------------------
Changes (by w.olchawa):
* keywords: => HasPatch
* version: => SVN
New description:
The PHP connector DetectHTML function does no error checking to make sure
that the file was opened or read correctly. This causes a cascade of
errors on systems with the PHP open_basedir set to disallow opening of
files in the temporary file-upload directory. See the forums post
[http://www.fckeditor.net/forums/viewtopic.php?f=6&t=8619].
In the file 'editor/filemanager/connectors/php/util.php' starting on line
87 is the DetectHTML function.
Original:
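{{{
function DetectHtml( $filePath )
{
    // No check that fopen() succeeded: under open_basedir $fp is false here
    $fp = fopen( $filePath, 'rb' ) ;
    $chunk = fread( $fp, 1024 ) ;
    fclose( $fp ) ;
    // ... (rest of the function is not shown in the ticket)
}}}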
With improved error checking, it should be something like this...
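{{{
function DetectHtml( $filePath )
{
    $fp = fopen( $filePath, 'rb' ) ;
    if ( $fp !== false )
    {
        // Opened: read the first 1024 bytes, falling back to '' on a failed read
        $chunk = fread( $fp, 1024 ) ;
        if ( $chunk === false )
        {
            $chunk = '';
        }
        fclose( $fp ) ;
    }
    else
    {
        // Could not open (e.g. open_basedir): continue with an empty chunk
        $chunk = '';
    }
    // ... (rest of the function is not shown in the ticket)
}}}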
I'm not sure whether it would be better to return TRUE or FALSE in the
case of being unable to open and/or read the file. I leave it to the
security experts to debate that.
--
Ticket URL: <http://dev.fckeditor.net/ticket/1906#comment:1>
FCKeditor <http://www.fckeditor.net>
The text editor for Internet
_______________________________________________
FCKeditor-Trac mailing list
https://lists.sourceforge.net/lists/listinfo/fckeditor-trac
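On the TRUE-or-FALSE question the description leaves open, one option is to fail closed, shown here as an added example that is not FCKeditor's code or part of the ticket. It assumes the function returns true when the upload should be treated as HTML and rejected; the name `detectHtmlFailClosed`, the marker list and the sample files are hypothetical.

```php
<?php
// Added example, not FCKeditor code. Assumed convention: true means
// "treat the upload as HTML (reject it)", false means "no HTML found".
function detectHtmlFailClosed(string $filePath): bool
{
    // Under an open_basedir restriction fopen() raises a warning and returns
    // false; @ keeps that warning out of the connector's response.
    $fp = @fopen($filePath, 'rb');
    if ($fp === false) {
        error_log("DetectHtml: cannot open {$filePath}; failing closed");
        return true;
    }

    $chunk = fread($fp, 1024);
    fclose($fp);
    if ($chunk === false) {
        error_log("DetectHtml: cannot read {$filePath}; failing closed");
        return true;
    }

    // Hypothetical marker list, matched case-insensitively. A genuinely
    // empty file matches nothing and is reported as "no HTML found".
    $markers = ['<!doctype html', '<html', '<head', '<body', '<script', '<title'];
    $chunk = strtolower($chunk);
    foreach ($markers as $marker) {
        if (strpos($chunk, $marker) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs, written to the system temp directory.
$plain = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($plain, "just some text\n");
$html = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($html, "GIF89a<HTML><BODY>hi</BODY></HTML>");
$missing = $plain . '.does-not-exist';

var_dump(detectHtmlFailClosed($plain));   // plain text file
var_dump(detectHtmlFailClosed($html));    // HTML after an image-style header
var_dump(detectHtmlFailClosed($missing)); // path that cannot be opened
unlink($plain);
unlink($html);
```

Substituting an empty `$chunk` on failure, as in the proposed fix, makes an unreadable file indistinguishable from an empty one; returning early keeps the two cases separate and leaves a log entry for the administrator.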