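/**
 * Sanitizes the file name.
 *
 * Runs the name through PMA_sanitizeFilename() and then appends "." . $ext
 * unless the name already ends with that extension. The comparison is
 * case-insensitive on both sides, so an upper-case $ext no longer causes
 * the extension to be appended a second time.
 *
 * NOTE(review): dots are not replaced here, whereas
 * PMA_getExportFilenameAndMimetype() passes replaceDots to the same
 * sanitizer for that reason — confirm the returned name is only used as a
 * download / archive entry name and never as a filesystem path.
 *
 * @param string $file_name file name
 * @param string $ext       extension of the file (without the leading dot)
 *
 * @return string the sanitized file name
 * @access private
 */
private function _sanitizeName($file_name, $ext)
{
    $file_name = PMA_sanitizeFilename($file_name);

    // Check if the user already added the extension: compare the tail of
    // the name against the required extension instead of trusting the
    // caller to have supplied it in a particular case.
    $required_extension = '.' . $ext;
    $name_length = strlen($file_name);
    $extension_start_pos = $name_length - strlen($required_extension);

    if ($extension_start_pos < 0) {
        // The name is shorter than the extension itself, so it cannot
        // already carry it.
        $has_extension = false;
    } else {
        $user_extension = substr($file_name, $extension_start_pos);
        $has_extension = strtolower($user_extension)
            == strtolower($required_extension);
    }

    if (!$has_extension) {
        $file_name .= $required_extension;
    }

    return $file_name;
}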
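/**
 * Return the filename and MIME type for export file
 *
 * When $remember_template is non-empty the template is persisted in the
 * user's configuration under the key matching the export scope. The
 * template is then expanded, sanitized (dots replaced, see below), the
 * plugin's extension is appended unless the name already ends with it
 * (compared case-insensitively on both sides), and finally the compression
 * suffix and MIME type are applied.
 *
 * @param string       $export_type       type of export ('server', 'database';
 *                                        anything else is treated as a table export)
 * @param string       $remember_template whether to remember template (non-empty to persist)
 * @param ExportPlugin $export_plugin     the export plugin
 * @param string       $compression       compression asked ('gzip', 'zip'; anything else
 *                                        leaves the dump uncompressed)
 * @param string       $filename_template the filename template
 *
 * @return array the filename template and mime type, as array($filename, $mime_type)
 */
function PMA_getExportFilenameAndMimetype(
    $export_type, $remember_template, $export_plugin, $compression,
    $filename_template
) {
    // Persist the template under the configuration key for this scope.
    // The switch keeps the loose comparison the scope check always used.
    if (!empty($remember_template)) {
        switch ($export_type) {
        case 'server':
            $config_key = 'pma_server_filename_template';
            $config_path = 'Export/file_template_server';
            break;
        case 'database':
            $config_key = 'pma_db_filename_template';
            $config_path = 'Export/file_template_database';
            break;
        default:
            $config_key = 'pma_table_filename_template';
            $config_path = 'Export/file_template_table';
            break;
        }
        $GLOBALS['PMA_Config']->setUserValue(
            $config_key, $config_path, $filename_template
        );
    }

    $filename = PMA_Util::expandUserString($filename_template);

    // remove dots in filename (coming from either the template or already
    // part of the filename) to avoid a remote code execution vulnerability
    // (second argument is the sanitizer's replaceDots flag)
    $filename = PMA_sanitizeFilename($filename, true);

    // Grab basic dump extension and mime type; read them once rather than
    // on every comparison.
    $properties = $export_plugin->getProperties();
    $required_extension = '.' . $properties->getExtension();
    $mime_type = $properties->getMimeType();

    // Check if the user already added the extension: compare the tail of
    // the name against the required extension, case-insensitively.
    $name_length = mb_strlen($filename);
    $extension_start_pos = $name_length - mb_strlen($required_extension);
    if ($extension_start_pos < 0) {
        // Name is shorter than the extension itself, so it cannot carry it.
        $has_extension = false;
    } else {
        $user_extension = mb_substr($filename, $extension_start_pos, $name_length);
        $has_extension = mb_strtolower($user_extension)
            == mb_strtolower($required_extension);
    }
    if (!$has_extension) {
        $filename .= $required_extension;
    }

    // If dump is going to be compressed, set correct mime_type and add
    // compression to extension
    if ($compression == 'gzip') {
        $filename .= '.gz';
        $mime_type = 'application/x-gzip';
    } elseif ($compression == 'zip') {
        $filename .= '.zip';
        $mime_type = 'application/zip';
    }

    return array($filename, $mime_type);
}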
include 'tbl_export.php'; } exit; } } /** * Send headers depending on whether the user chose to download a dump file * or not */ if (!$save_on_server) { if ($asfile) { // Download // (avoid rewriting data containing HTML with anchors and forms; // this was reported to happen under Plesk) @ini_set('url_rewriter.tags', ''); $filename = PMA_sanitizeFilename($filename); PMA_downloadHeader($filename, $mime_type); } else { // HTML if ($export_type == 'database') { $num_tables = count($tables); if ($num_tables == 0) { $message = PMA_Message::error(__('No tables found in database.')); $active_page = 'db_export.php'; include 'db_export.php'; exit; } } list($html, $back_button) = PMA_getHtmlForDisplayedExportHeader($export_type, $db, $table); echo $html; unset($html);
/**
 * Handles the whole import logic
 *
 * Reads an ESRI shape file (optionally packed in a zip archive together
 * with its .dbf attribute file), maps its shape type onto a MySQL spatial
 * type, builds one table from the records and hands the result to
 * PMA_buildSQL() / PMA_importRunQuery().
 *
 * Communicates with the import framework through globals: sets $error and
 * $message on failure (and returns early), sets $finished on success.
 *
 * @param array &$sql_data 2-element array with sql data
 *
 * @return void
 */
public function doImport(&$sql_data = array())
{
    global $db, $error, $finished, $compression, $import_file,
        $local_import_file, $message;

    $GLOBALS['finished'] = false;
    $shp = new ShapeFile(1);

    // If the zip archive has more than one file,
    // get the correct content to the buffer from .shp file.
    if ($compression == 'application/zip'
        && PMA_getNoOfFilesInZip($import_file) > 1
    ) {
        $zip_content = PMA_getZipContents($import_file, '/^.*\\.shp$/i');
        $GLOBALS['import_text'] = $zip_content['data'];
    }

    // Tracks whether a .dbf file was written to TempDir and must be
    // removed again below.
    $temp_dbf_file = false;

    // We need dbase extension to handle .dbf file
    if (extension_loaded('dbase')) {
        // If we can extract the zip archive to 'TempDir'
        // and use the files in it for import
        // (@ suppresses the warning is_writable emits for an invalid path)
        if ($compression == 'application/zip'
            && !empty($GLOBALS['cfg']['TempDir'])
            && @is_writable($GLOBALS['cfg']['TempDir'])
        ) {
            $dbf_file_name = PMA_findFileFromZipArchive('/^.*\\.dbf$/i', $import_file);
            // If the corresponding .dbf file is in the zip archive
            if ($dbf_file_name) {
                // Extract the .dbf file and point to it.
                $extracted = PMA_zipExtract($import_file, $dbf_file_name);
                if ($extracted !== false) {
                    // $dbf_file_name is an entry name taken from the uploaded
                    // archive; the sanitizer (with dots replaced) is what keeps
                    // the resulting path inside TempDir.
                    // NOTE(review): relies on PMA_sanitizeFilename stripping
                    // path separators — confirm against its implementation.
                    $dbf_file_path = realpath($GLOBALS['cfg']['TempDir'])
                        . (PMA_IS_WINDOWS ? '\\' : '/')
                        . PMA_sanitizeFilename($dbf_file_name, true);
                    $handle = fopen($dbf_file_path, 'wb');
                    if ($handle !== false) {
                        fwrite($handle, $extracted);
                        fclose($handle);
                        $temp_dbf_file = true;
                        // Replace the .dbf with .*, as required
                        // by the bsShapeFiles library.
                        // (strips the last four characters, i.e. the
                        // sanitized "_dbf" / ".dbf" suffix)
                        $file_name = substr($dbf_file_path, 0, strlen($dbf_file_path) - 4) . '.*';
                        $shp->FileName = $file_name;
                    }
                }
            }
        } elseif (!empty($local_import_file)
            && !empty($GLOBALS['cfg']['UploadDir'])
            && $compression == 'none'
        ) {
            // If file is in UploadDir, use .dbf file in the same UploadDir
            // to load extra data.
            // Replace the .shp with .*,
            // so the bsShapeFiles library correctly locates .dbf file.
            $file_name = mb_substr($import_file, 0, mb_strlen($import_file) - 4) . '.*';
            $shp->FileName = $file_name;
        }
    }

    // Delete the .dbf file extracted to 'TempDir'
    // NOTE(review): this runs before loadFromFile() below; presumably the
    // library only needs the file while resolving FileName — confirm.
    if ($temp_dbf_file && isset($dbf_file_path) && file_exists($dbf_file_path)) {
        unlink($dbf_file_path);
    }

    // Load data (empty argument: the library is expected to use the
    // FileName property / buffered import_text set above — TODO confirm)
    $shp->loadFromFile('');
    if ($shp->lastError != "") {
        $error = true;
        $message = PMA\libraries\Message::error(
            __('There was an error importing the ESRI shape file: "%s".')
        );
        $message->addParam($shp->lastError);
        return;
    }

    // Human-readable names for the ESRI shape type codes; only used for
    // the error message on unsupported-but-valid types.
    $esri_types = array(
        0 => 'Null Shape',
        1 => 'Point',
        3 => 'PolyLine',
        5 => 'Polygon',
        8 => 'MultiPoint',
        11 => 'PointZ',
        13 => 'PolyLineZ',
        15 => 'PolygonZ',
        18 => 'MultiPointZ',
        21 => 'PointM',
        23 => 'PolyLineM',
        25 => 'PolygonM',
        28 => 'MultiPointM',
        31 => 'MultiPatch',
    );

    // Map the shape type onto the GIS class name handled by GISFactory;
    // a Null Shape leaves $gis_type unset and yields NULL geometry below.
    switch ($shp->shapeType) {
    // ESRI Null Shape
    case 0:
        break;
    // ESRI Point
    case 1:
        $gis_type = 'point';
        break;
    // ESRI PolyLine
    case 3:
        $gis_type = 'multilinestring';
        break;
    // ESRI Polygon
    case 5:
        $gis_type = 'multipolygon';
        break;
    // ESRI MultiPoint
    case 8:
        $gis_type = 'multipoint';
        break;
    default:
        $error = true;
        if (!isset($esri_types[$shp->shapeType])) {
            $message = PMA\libraries\Message::error(
                __('You tried to import an invalid file or the imported file'
                . ' contains invalid data!')
            );
        } else {
            $message = PMA\libraries\Message::error(
                __('MySQL Spatial Extension does not support ESRI type "%s".')
            );
            $message->addParam($esri_types[$shp->shapeType]);
        }
        return;
    }

    if (isset($gis_type)) {
        /** @var GISMultilinestring|\PMA\libraries\gis\GISMultipoint|\PMA\libraries\gis\GISPoint|GISPolygon $gis_obj */
        $gis_obj = GISFactory::factory($gis_type);
    } else {
        $gis_obj = null;
    }

    $num_rows = count($shp->records);
    // If .dbf file is loaded, the number of extra data columns
    $num_data_cols = isset($shp->DBFHeader) ? count($shp->DBFHeader) : 0;

    $rows = array();
    $col_names = array();

    if ($num_rows != 0) {
        foreach ($shp->records as $record) {
            $tempRow = array();
            if ($gis_obj == null) {
                $tempRow[] = null;
            } else {
                // Emitted verbatim as SQL (the column is flagged FORMATTEDSQL
                // below), so the WKT from getShape() is not escaped here.
                // NOTE(review): assumes getShape() yields only numeric
                // coordinates and punctuation — confirm.
                $tempRow[] = "GeomFromText('"
                    . $gis_obj->getShape($record->SHPData) . "')";
            }
            if (isset($shp->DBFHeader)) {
                // $c[0] is the column name from the .dbf header; the
                // attribute value is looked up by that name.
                // NOTE(review): a record missing that key raises an
                // undefined-index notice — confirm the library guarantees it.
                foreach ($shp->DBFHeader as $c) {
                    $cell = trim($record->DBFData[$c[0]]);
                    // Empty attribute values are imported as SQL NULL.
                    if (!strcmp($cell, '')) {
                        $cell = 'NULL';
                    }
                    $tempRow[] = $cell;
                }
            }
            $rows[] = $tempRow;
        }
    }

    if (count($rows) == 0) {
        $error = true;
        $message = PMA\libraries\Message::error(
            __('The imported file does not contain any data!')
        );
        return;
    }

    // Column names for spatial column and the rest of the columns,
    // if they are available
    $col_names[] = 'SPATIAL';
    for ($n = 0; $n < $num_data_cols; $n++) {
        $col_names[] = $shp->DBFHeader[$n][0];
    }

    // Set table name based on the number of tables
    if (mb_strlen($db)) {
        $result = $GLOBALS['dbi']->fetchResult('SHOW TABLES');
        $table_name = 'TABLE ' . (count($result) + 1);
    } else {
        $table_name = 'TBL_NAME';
    }

    $tables = array(array($table_name, $col_names, $rows));

    // Use data from shape file to chose best-fit MySQL types for each column
    $analyses = array();
    $analyses[] = PMA_analyzeTable($tables[0]);

    // Override the analysis for the first column: it is always GEOMETRY and
    // its values are already SQL expressions (see GeomFromText above).
    $table_no = 0;
    $spatial_col = 0;
    $analyses[$table_no][TYPES][$spatial_col] = GEOMETRY;
    $analyses[$table_no][FORMATTEDSQL][$spatial_col] = true;

    // Set database name to the currently selected one, if applicable
    if (mb_strlen($db)) {
        $db_name = $db;
        $options = array('create_db' => false);
    } else {
        $db_name = 'SHP_DB';
        $options = null;
    }

    // Created and execute necessary SQL statements from data
    $null_param = null;
    PMA_buildSQL($db_name, $tables, $analyses, $null_param, $options, $sql_data);

    unset($tables);
    unset($analyses);

    $finished = true;
    $error = false;

    // Commit any possible data in buffers
    PMA_importRunQuery('', '', $sql_data);
}
/**
 * Test for PMA_sanitizeFilename
 *
 * Checks that a space in the proposed name is replaced by an underscore
 * and the remaining characters are kept as given.
 *
 * @return void
 */
public function testSanitizeFilename()
{
    $input_name = 'File_name 123';
    $expected_name = 'File_name_123';

    $actual_name = PMA_sanitizeFilename($input_name);

    $this->assertEquals($expected_name, $actual_name);
}
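/**
 * Sanitizes the file name.
 *
 * Runs the name through PMA_sanitizeFilename() and then appends "." . $ext
 * unless the name already ends with that extension. All length and
 * substring work goes through the PMA_String helper so multibyte names are
 * handled consistently; the comparison is case-insensitive on both sides,
 * so an upper-case $ext no longer causes the extension to be appended twice.
 *
 * NOTE(review): dots are not replaced here, whereas
 * PMA_getExportFilenameAndMimetype() passes replaceDots to the same
 * sanitizer for that reason — confirm the returned name is only used as a
 * download / archive entry name and never as a filesystem path.
 *
 * @param string $file_name file name
 * @param string $ext       extension of the file (without the leading dot)
 *
 * @return string the sanitized file name
 * @access private
 */
private function _sanitizeName($file_name, $ext)
{
    $file_name = PMA_sanitizeFilename($file_name);

    /** @var PMA_String $pmaString */
    $pmaString = $GLOBALS['PMA_String'];

    // Check if the user already added the extension: compare the tail of
    // the name against the required extension.
    $required_extension = '.' . $ext;
    $name_length = $pmaString->strlen($file_name);
    $extension_start_pos = $name_length - $pmaString->strlen($required_extension);

    if ($extension_start_pos < 0) {
        // The name is shorter than the extension itself, so it cannot
        // already carry it (and a negative offset must not reach substr).
        $has_extension = false;
    } else {
        $user_extension = $pmaString->substr(
            $file_name, $extension_start_pos, $name_length
        );
        $has_extension = $pmaString->strtolower($user_extension)
            == $pmaString->strtolower($required_extension);
    }

    if (!$has_extension) {
        $file_name .= $required_extension;
    }

    return $file_name;
}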