| author | ctrlaltca@gmail.com <> | 2011-11-17 16:52:56 +0000 | 
|---|---|---|
| committer | ctrlaltca@gmail.com <> | 2011-11-17 16:52:56 +0000 | 
| commit | d840107832b1f59a9fc3b93ffb97ef976be1b83c (patch) | |
| tree | 58d0dc8ef1426fa10952d5e4bd59d758ed2da827 /framework/Web/UI/ActiveControls | |
| parent | 730c58f877a335203f2b5e73e084a3079cf33f75 (diff) | |
3-in-1 bugfix commit:
1) TErrorHandler: avoid an error when trying to hide the file path of a lambda function
2) TSecurityManager: avoid a race condition when first generating the encryptionkey or the validationkey
3) TActiveFileUpload: urlencode the base64'ed token since it can contain the "+" character (otherwise it would be translated to a space)
Diffstat (limited to 'framework/Web/UI/ActiveControls')
| -rwxr-xr-x | framework/Web/UI/ActiveControls/TActiveFileUpload.php | 4 | 
1 files changed, 2 insertions, 2 deletions
| diff --git a/framework/Web/UI/ActiveControls/TActiveFileUpload.php b/framework/Web/UI/ActiveControls/TActiveFileUpload.php index 98a7f422..1a49c20d 100755 --- a/framework/Web/UI/ActiveControls/TActiveFileUpload.php +++ b/framework/Web/UI/ActiveControls/TActiveFileUpload.php @@ -233,7 +233,7 @@ EOS;  		if ($mgr = Prado::getApplication()->getSecurityManager())  			{  				// this is a less secure method, file info can be still forged from client side, but only if attacker knows the secret application key -				$token = base64_encode($mgr->encrypt(serialize($params))); +				$token = urlencode(base64_encode($mgr->encrypt(serialize($params))));  			}  		else  			throw new Exception('TActiveFileUpload needs either an application level cache or a security manager to work securely'); @@ -253,7 +253,7 @@ EOS;  		else  		if ($mgr = Prado::getApplication()->getSecurityManager())  			{ -				$v = $mgr->decrypt(base64_decode($token)); +				$v = $mgr->decrypt(base64_decode(urldecode($token)));  				$params = unserialize($v);  			}  		else | 
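Review bot: in the first hunk (@@ -233), `urlencode()` is applied where `$token` is created rather than where it is written into a URL, so every later consumer of `$token` has to know it is already percent-encoded. A token that is also emitted into a non-URL context would carry literal `%2B`/`%2F`/`%3D` sequences, and one that passes through another URL encoder would be double-encoded. Consider keeping `$token` as plain base64 and encoding at the point where the URL is built, or switching to a URL-safe base64 alphabet (for example `strtr($b64, '+/', '-_')` with the inverse on the read side), which covers "/" and "=" as well as "+" and needs no separate decode step.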
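Review bot: in the second hunk (@@ -253), `base64_decode(urldecode($token))` is only correct if `$token` reaches this line still percent-encoded. If it is read from `$_GET` or `$_REQUEST`, PHP has already decoded it once, and the extra `urldecode()` turns every "+" back into a space, which reintroduces the corruption this commit is meant to fix. Please confirm the source of `$token` and drop the `urldecode()` if the value is already decoded. Separately, the result of `$mgr->decrypt()` goes straight into `unserialize($v)` with no check that decoding and decryption succeeded; calling `base64_decode()` in strict mode and rejecting a false or empty `$v` before `unserialize()` would make a malformed token fail cleanly instead of feeding garbage to the unserializer.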
