TPsoft.org/BugReport
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed sanitizeFilename for backend\API,

Browse Source 
added new API call attachmentDownload,
fixed attachment URL to call attachmentDownload,
refactoring Report.vue for <script setup>
This commit is contained in:
Igor Miňo
2025-10-16 01:40:44 +02:00
parent ed3d202488
commit 3e9056f4a6
4 changed files with 225 additions and 169 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
backend/composer.lock generated
View File

@ -8,11 +8,11 @@
"packages": [
{
"name": "tpsoft/apilite",
"version": "v1.0.2",
"version": "v1.0.3",
"source": {
"type": "git",
"url": "https://gitea.tpsoft.org/TPsoft.org/APIlite.git",
"reference": "2d3f8bfdd46d0d304bac44057ff8444bfb2a4a17"
"reference": "c0fd7b3fe5270ee44a84a92e9255ada2438812b7"
},
"require": {
"php": ">=8.2"
@ -49,15 +49,15 @@
"type": "other"
}
],
"time": "2025-06-12T05:54:37+00:00"
"time": "2025-10-13T21:36:34+00:00"
},
{
"name": "tpsoft/dbmodel",
"version": "v1.0.4",
"version": "v1.0.5",
"source": {
"type": "git",
"url": "https://gitea.tpsoft.org/TPsoft.org/DBmodel.git",
"reference": "ae59ffaa97094854bcd1d863c6648a5b4dada671"
"reference": "80e889946bc4e38e987f46a13f95ee177ea934dc"
},
"require": {
"ext-pdo": "*",
@ -85,7 +85,9 @@
"keywords": [
"db",
"model",
"pdo"
"mysql",
"pdo",
"sqlite"
],
"funding": [
{
@ -93,7 +95,7 @@
"type": "other"
}
],
"time": "2025-06-15T17:07:42+00:00"
"time": "2025-10-13T21:26:19+00:00"
}
],
"packages-dev": [],

48
backend/src/API.php
View File

@ -187,7 +187,7 @@ class API extends APIlite
if (!is_array($data)) return false;
$base64 = preg_replace('/^data:.*?;base64,/', '', $data['base64']);
$base64_data = base64_decode($base64);
$filename = 'report_' . $report_id . '_' . time() . '_' . sanitizeFilename($data['filename']);
$filename = 'report_' . $report_id . '_' . time() . '_' . $this->sanitizeFilename($data['filename']);
file_put_contents(UPLOAD_DIR_ATTACHMENTS . $filename, $base64_data);
$attachment_content = $filename;
}
@ -201,6 +201,26 @@ class API extends APIlite
return $suc !== false;
}
private function sanitizeFilename($filename, $allowedExtensions = [])
{
// Rozdelenie názvu a prípony
$pathInfo = pathinfo($filename);
$name = $pathInfo['filename'] ?? 'file';
$extension = strtolower($pathInfo['extension'] ?? '');
// Odstránenie nebezpečných znakov z názvu
$name = preg_replace('/[^a-zA-Z0-9_-]/', '_', $name);
$name = substr($name, 0, 100); // voliteľné obmedzenie dĺžky
// Validácia prípony, ak je zoznam povolený
if (
$allowedExtensions
&& count($allowedExtensions) > 0
&& !in_array($extension, $allowedExtensions)
) {
$extension = 'bin'; // fallback ak prípona nie je povolená
}
return $name . '.' . $extension;
}
/**
* Update report attachment
*
@ -236,7 +256,7 @@ class API extends APIlite
->toArray();
if (is_array($all)) foreach ($all as $key => $row) {
if ($all[$key]['attachment_type'] == 'file') {
$all[$key]['attachment_content'] = UPLOAD_URL_ATTACHMENTS . $all[$key]['attachment_content'];
$all[$key]['attachment_content'] = '?action=attachmentDownload&filename=' . $all[$key]['attachment_content'];
}
}
return $all;
@ -254,4 +274,28 @@ class API extends APIlite
$suc = $attachments->attachment($attachment_id, null);
return $suc !== false;
}
/**
* Download report attachment
*
* @param string $filename
*
* @return void
*/
public function attachmentDownload(string $filename): void {
$filename = $this->sanitizeFilename($filename);
$filename = UPLOAD_DIR_ATTACHMENTS . $filename;
if (file_exists($filename)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filename));
readfile($filename);
exit;
}
}
}