Ticket #1906 (closed Bug: fixed)

Opened 3 months ago

Last modified 3 months ago

PHP connector in filemanager should have better error checking

Reported by: Kyle Assigned to: wwalc
Priority: Normal Milestone: FCKeditor 2.6
Component: Server : PHP Version: FCKeditor 2.5
Keywords: Confirmed Review+ Cc:

Description (Last modified by w.olchawa)

The PHP connector DetectHTML function does no error checking to make sure that the file was opened or read correctly. This causes a cascade of errors on systems with the PHP open_basedir set to disallow opening of files in the temporary file-upload directory. See the forums post http://www.fckeditor.net/forums/viewtopic.php?f=6&t=8619.

In the file 'editor/filemanager/connectors/php/util.php' starting on line 87 is the DetectHTML function.

Original: 

function DetectHtml( $filePath )
{
	$fp = fopen( $filePath, 'rb' ) ;
	$chunk = fread( $fp, 1024 ) ;
	fclose( $fp ) ;

With improved error checking, it should be something like this... 

function DetectHtml( $filePath )
{
	$fp = fopen( $filePath, 'rb' ) ;
        if ( $fp !== false )
        {
         	$chunk = fread( $fp, 1024 ) ;
             if ( $chunk === false )
             {
                     $chunk = '';
             }
	       fclose( $fp ) ;
        }
        else
        {
             $chunk = '';
        }

I'm not sure whether it would be better to return TRUE or FALSE in the case of being unable to open and/or read the file. I leave it to the security experts to debate that.

Attachments

1906.patch (2.3 kB) - added by wwalc on 02/22/08 13:42:01.

Change History

02/22/08 10:26:23 changed by w.olchawa

  • keywords set to HasPatch.
  • version set to SVN.
  • description changed.

02/22/08 10:44:46 changed by wwalc

  • owner set to wwalc.
  • status changed from new to assigned.
  • version changed from SVN to FCKeditor 2.5.
  • milestone set to FCKeditor 2.6.

Thanks Kyle for posting this here. I'm targeting it to 2.6 because it should be fixed as soon as possible.

If DetectHtml() fail to open the uploaded file, it will be checked once again after moving it to the final directory. If the file is invalid, FCKeditor will make an attempt do delete it.

02/22/08 13:42:01 changed by wwalc

  • attachment 1906.patch added.

02/22/08 13:46:00 changed by wwalc

  • keywords changed from HasPatch to Confirmed Review?.

02/24/08 17:05:22 changed by fredck

  • keywords changed from Confirmed Review? to Confirmed Review+.

I haven't tested it throughly, but the implementation seems ok.

I would just change line 240: "if" => "else if".

Then, if you have tested it well Wiktor, go ahead committing it. Please include a changelog entry for it.

02/25/08 11:20:46 changed by wwalc

Fixed with [1615].

02/25/08 11:20:54 changed by wwalc

  • status changed from assigned to closed.
  • resolution set to fixed.