From d840107832b1f59a9fc3b93ffb97ef976be1b83c Mon Sep 17 00:00:00 2001
From: "ctrlaltca@gmail.com" <>
Date: Thu, 17 Nov 2011 16:52:56 +0000
Subject: 3-in-1 bugfix commit: 1) TErrorHandler: avoid an error when trying to hide the file path of a lambda function 2) TSecurityManager: avoid a race condition when first generating the encryptionkey or the validationkey 3) TActiveFileUpload: urlencode the base64'ed token since it can contain the "+" character (otherway it would be traslated to a space)
---
 framework/Web/UI/ActiveControls/TActiveFileUpload.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'framework/Web/UI')
diff --git a/framework/Web/UI/ActiveControls/TActiveFileUpload.php b/framework/Web/UI/ActiveControls/TActiveFileUpload.php
index 98a7f422..1a49c20d 100755
--- a/framework/Web/UI/ActiveControls/TActiveFileUpload.php
+++ b/framework/Web/UI/ActiveControls/TActiveFileUpload.php
@@ -233,7 +233,7 @@ EOS;
 if ($mgr = Prado::getApplication()->getSecurityManager())
 {
 // this is a less secure method, file info can be still forged from client side, but only if attacker knows the secret application key
- $token = base64_encode($mgr->encrypt(serialize($params)));
+ $token = urlencode(base64_encode($mgr->encrypt(serialize($params))));
 }
 else
 throw new Exception('TActiveFileUpload needs either an application level cache or a security manager to work securely');
@@ -253,7 +253,7 @@ EOS;
 else
 if ($mgr = Prado::getApplication()->getSecurityManager())
 {
- $v = $mgr->decrypt(base64_decode($token));
+ $v = $mgr->decrypt(base64_decode(urldecode($token)));
 $params = unserialize($v);
 }
 else
--
cgit v1.2.3
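Review bot: The `urlencode()` added on the `$token` line in the first hunk is only correct together with the unconditional `urldecode()` in the second hunk if the token reaches the server without having been URL-decoded already; how the token is transported is not visible in either hunk. If it is read from a request parameter that PHP has already decoded once, the extra `urldecode()` would turn `+` back into a space and corrupt the base64 again. A URL-safe alphabet sidesteps the question: `$token = strtr(base64_encode($mgr->encrypt(serialize($params))), '+/', '-_');` on this side and `base64_decode(strtr($token, '-_', '+/'))` on the reading side. The enclosing method starts and ends outside the hunk.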
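Review bot: In the second hunk, `unserialize($v)` still runs on whatever `decrypt()` returns for a client-supplied `$token`, and nothing visible checks that the token is authentic or that decoding succeeded. The comment in the first hunk already concedes the file info can be forged by anyone who knows the application key; if `decrypt()` does not also verify integrity (not visible here), a tampered ciphertext reaches `unserialize()`, which is a PHP object-injection sink. I would verify a keyed hash over the token before decrypting, carry `$params` as `json_encode`/`json_decode` data rather than serialized PHP, and fail closed on bad input, e.g. `if (($raw = base64_decode(urldecode($token), true)) === false) throw new Exception('Invalid upload token');`. The enclosing branch continues outside the hunk.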