Fix HTTP 500 in comedor and proyectos: remove duplicate safe_filename declarations and fix api/comedor.php require paths

Co-authored-by: naielv <109038805+naielv@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-03-07 21:06:54 +00:00
parent 7e7818f002
commit 704acf4cc3
4 changed files with 55 additions and 91 deletions


@@ -140,9 +140,62 @@ function safe_aulario_id($value)
function safe_filename($name) function safe_filename($name)
{ {
// Normalize to base name to avoid directory traversal
$name = basename((string)$name); $name = basename((string)$name);
// Best-effort normalize encoding to avoid odd Unicode tricks
if (function_exists('mb_convert_encoding')) {
$name = mb_convert_encoding($name, 'UTF-8', 'UTF-8');
}
// Replace disallowed characters with underscore
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name); $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
// Collapse multiple underscores introduced by replacement
$name = preg_replace('/_+/', '_', $name);
// Remove leading dots to avoid hidden/special files like ".htaccess"
$name = ltrim($name, '.'); $name = ltrim($name, '.');
// Ensure there is at most one dot in the filename to prevent extension confusion
if (substr_count($name, '.') > 1) {
$parts = explode('.', $name);
$ext = array_pop($parts);
$base = implode('_', $parts);
// Ensure extension is not empty
if ($ext === '') {
$name = $base === '' ? 'file' : $base;
} else {
$name = ($base === '' ? 'file' : $base) . '.' . $ext;
}
}
// Trim stray dots/underscores from the start and end
$name = trim($name, "._");
// Enforce a maximum length (common filesystem limit is 255 bytes)
$maxLen = 255;
if (strlen($name) > $maxLen) {
$dotPos = strrpos($name, '.');
if ($dotPos !== false) {
$ext = substr($name, $dotPos);
$base = substr($name, 0, $dotPos);
$baseMaxLen = $maxLen - strlen($ext);
if ($baseMaxLen < 1) {
// Fallback if extension is unusually long
$name = substr($name, 0, $maxLen);
} else {
$name = substr($base, 0, $baseMaxLen) . $ext;
}
} else {
$name = substr($name, 0, $maxLen);
}
}
// Ensure we never return an empty or invalid filename
if ($name === '' || $name === '.' || $name === '..') {
$name = 'file';
}
return $name; return $name;
} }
function safe_id_segment($value) function safe_id_segment($value)
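Review bot: The new safe_filename in this hunk has no docblock stating its contract, and the most important part of that contract is what it does not do: it never checks the extension, so `evil.php` passes through unchanged and `shell.php.png` becomes `shell_php.png` — callers that accept uploads must still allow-list the extension (and ideally derive it server-side) before storing the file. I would add, above the signature, `/** Sanitize a user-supplied name into a single path component: ASCII [A-Za-z0-9._-], at most one dot, no leading dot, <= 255 bytes, never empty. Does NOT validate the extension; callers must allow-list it. */`. Two smaller points in the same body: the `preg_replace` calls can return null on a PCRE error, which then flows into `ltrim`/`substr_count` and only becomes `'file'` by accident of the final check, so a `?? ''` on each result (or a `preg_last_error()` check) would make that path explicit; and the underscore collapse runs before the multi-dot merge, so an input like `a_.b.c` still yields `a__b.c` — moving the `preg_replace('/_+/', '_', $name)` after the dot handling would make the output consistent. The `mb_convert_encoding` block is also effectively redundant here, since every non-ASCII byte is replaced by `_` on the following line anyway.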


@@ -1,7 +1,7 @@
<?php <?php
header("Content-Type: application/json; charset=utf-8"); header("Content-Type: application/json; charset=utf-8");
require_once "_incl/auth_redir.php"; require_once "../_incl/auth_redir.php";
require_once "../_incl/tools.security.php"; require_once "../../_incl/tools.security.php";
require_once "../../_incl/db.php"; require_once "../../_incl/db.php";
// Check permissions // Check permissions
@@ -72,11 +72,6 @@ function blank_menu() {
]; ];
} }
function safe_filename($name) {
$name = basename($name);
return preg_replace("/[^a-zA-Z0-9._-]/", "_", $name);
}
// Routes // Routes
switch ($action) { switch ($action) {
case "get_menu_types": case "get_menu_types":
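Review bot: The corrected `require_once` paths in the first hunk are still resolved relative to the working directory and include_path rather than to this file, so they work only while api/comedor.php is the request's main script and will break again under CLI or a different front controller; anchoring them with `__DIR__` removes that dependency: `require_once __DIR__ . "/../_incl/auth_redir.php";`, `require_once __DIR__ . "/../../_incl/tools.security.php";`, `require_once __DIR__ . "/../../_incl/db.php";`. The hunk also mixes `../_incl` and `../../_incl`, which implies two distinct `_incl` directories; if that is intentional, a one-line comment naming what each one holds would stop the next person from "fixing" it back. Dropping the local safe_filename in the second hunk means this endpoint now gets the stricter shared version (underscore collapsing, trimming, length cap); if any code path recomputes safe_filename on a stored name to locate an existing file, names saved under the old rule may no longer match — worth confirming against the callers, which are outside this hunk.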


@@ -98,67 +98,6 @@ $canEdit = in_array("sysadmin:access", $_SESSION["auth_data"]["permissions"] ??
$saveNotice = ""; $saveNotice = "";
$uploadErrors = []; $uploadErrors = [];
function safe_filename($name)
{
// Normalize to base name to avoid directory traversal
$name = basename($name);
// Best-effort normalize encoding to avoid odd Unicode tricks
if (function_exists('mb_convert_encoding')) {
$name = mb_convert_encoding($name, 'UTF-8', 'UTF-8');
}
// Replace disallowed characters with underscore
$name = preg_replace("/[^a-zA-Z0-9._-]/", "_", $name);
// Collapse multiple underscores introduced by replacement
$name = preg_replace('/_+/', '_', $name);
// Remove leading dots to avoid hidden/special files like ".htaccess"
$name = ltrim($name, '.');
// Ensure there is at most one dot in the filename to prevent extension confusion
if (substr_count($name, '.') > 1) {
$parts = explode('.', $name);
$ext = array_pop($parts);
$base = implode('_', $parts);
// Ensure extension is not empty
if ($ext === '') {
$name = $base === '' ? 'file' : $base;
} else {
$name = ($base === '' ? 'file' : $base) . '.' . $ext;
}
}
// Trim stray dots/underscores from the start and end
$name = trim($name, "._");
// Enforce a maximum length (common filesystem limit is 255 bytes)
$maxLen = 255;
if (strlen($name) > $maxLen) {
$dotPos = strrpos($name, '.');
if ($dotPos !== false) {
$ext = substr($name, $dotPos);
$base = substr($name, 0, $dotPos);
$baseMaxLen = $maxLen - strlen($ext);
if ($baseMaxLen < 1) {
// Fallback if extension is unusually long
$name = substr($name, 0, $maxLen);
} else {
$name = substr($base, 0, $baseMaxLen) . $ext;
}
} else {
$name = substr($name, 0, $maxLen);
}
}
// Ensure we never return an empty or invalid filename
if ($name === '' || $name === '.' || $name === '..') {
$name = 'file';
}
return $name;
}
function handle_image_upload($fieldName, $targetBaseName, $baseDir, &$uploadErrors) function handle_image_upload($fieldName, $targetBaseName, $baseDir, &$uploadErrors)
{ {
if (!isset($_FILES[$fieldName]) || $_FILES[$fieldName]["error"] !== UPLOAD_ERR_OK) { if (!isset($_FILES[$fieldName]) || $_FILES[$fieldName]["error"] !== UPLOAD_ERR_OK) {


@@ -34,29 +34,6 @@ if (!is_dir($proyectos_dir)) {
} }
// Helper functions // Helper functions
function safe_filename($name)
{
// Normalize to base name to avoid directory traversal
$name = basename($name);
// Replace disallowed characters with underscore
$name = preg_replace("/[^a-zA-Z0-9._-]/", "_", $name);
// Remove leading dots to avoid hidden/special files like ".htaccess"
$name = ltrim($name, '.');
// Ensure there is at most one dot in the filename to prevent extension confusion
if (substr_count($name, '.') > 1) {
$parts = explode('.', $name);
$ext = array_pop($parts);
$base = implode('_', $parts);
// Ensure extension is not empty
if ($ext === '') {
$name = $base === '' ? 'file' : $base;
} else {
$name = ($base === '' ? 'file' : $base) . '.' . $ext;
}
}
return $name;
}
function safe_path_segment($value) function safe_path_segment($value)
{ {
$value = basename((string)$value); $value = basename((string)$value);