From d840107832b1f59a9fc3b93ffb97ef976be1b83c Mon Sep 17 00:00:00 2001 From: "ctrlaltca@gmail.com" <> Date: Thu, 17 Nov 2011 16:52:56 +0000 Subject: 3-in-1 bugfix commit: 1) TErrorHandler: avoid an error when trying to hide the file path of a lambda function 2) TSecurityManager: avoid a race condition when first generating the encryptionkey or the validationkey 3) TActiveFileUpload: urlencode the base64'ed token since it can contain the "+" character (otherway it would be traslated to a space) --- framework/Web/UI/ActiveControls/TActiveFileUpload.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'framework/Web') diff --git a/framework/Web/UI/ActiveControls/TActiveFileUpload.php b/framework/Web/UI/ActiveControls/TActiveFileUpload.php index 98a7f422..1a49c20d 100755 --- a/framework/Web/UI/ActiveControls/TActiveFileUpload.php +++ b/framework/Web/UI/ActiveControls/TActiveFileUpload.php @@ -233,7 +233,7 @@ EOS; if ($mgr = Prado::getApplication()->getSecurityManager()) { // this is a less secure method, file info can be still forged from client side, but only if attacker knows the secret application key - $token = base64_encode($mgr->encrypt(serialize($params))); + $token = urlencode(base64_encode($mgr->encrypt(serialize($params)))); } else throw new Exception('TActiveFileUpload needs either an application level cache or a security manager to work securely'); @@ -253,7 +253,7 @@ EOS; else if ($mgr = Prado::getApplication()->getSecurityManager()) { - $v = $mgr->decrypt(base64_decode($token)); + $v = $mgr->decrypt(base64_decode(urldecode($token))); $params = unserialize($v); } else -- cgit v1.2.3