From 09d5afaa6be07688ca1a7ac3b755b5438109e986 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Jacquet?=
Date: Tue, 11 Apr 2023 18:45:04 +0200
Subject: [PATCH] Add microseconds to filename format to make it harder to predict
---
 CHANGES.md | 1 +
 ProgramFunctions/FileUpload.fnc.php | 3 ++-
 modules/Accounting/functions.inc.php | 3 ++-
 modules/School_Setup/PortalNotes.php | 14 +++++++++++++-
 modules/Student_Billing/functions.inc.php | 3 ++-
 5 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index e912eaa70..c1de5f240 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -10,6 +10,7 @@ Changes in 11.0
 - Translate "Zip" & "Zipcode" to "Zip Code" in GetStuList.fnc.php, MyReport.php, Registration.fnc.php, Schools.php & Address.inc.php
 - HTML Text input min size is 2 in Inputs.php
 - Skip School Period column if has no students scheduled for selected date in Administration.php
+- Add microseconds to filename format to make it harder to predict in FileUpload.fnc.php, Accounting/functions.php, PortalNotes.php & Student_Billing/functions.php
 Changes in 10.9.3
 -----------------
diff --git a/ProgramFunctions/FileUpload.fnc.php b/ProgramFunctions/FileUpload.fnc.php
index 0c7eb2316..ed79c7f13 100644
--- a/ProgramFunctions/FileUpload.fnc.php
+++ b/ProgramFunctions/FileUpload.fnc.php
@@ -408,7 +408,8 @@ function FilesUploadUpdate( $table, $request, $path, $id = 0 )
 mb_strrpos( $_FILES[ $input ]['name'], '.' )
 ) );
- $file_name_no_ext .= '_' . date( 'Y-m-d_His' );
+ // @since 11.0 Add microseconds to filename format to make it harder to predict.
+ $file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . substr( (string) microtime(), 2, 6 );
 $new_file = FileUpload(
 $input,
diff --git a/modules/Accounting/functions.inc.php b/modules/Accounting/functions.inc.php
index b55202c9e..555152c78 100644
--- a/modules/Accounting/functions.inc.php
+++ b/modules/Accounting/functions.inc.php
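Review bot: The added suffix `substr( (string) microtime(), 2, 6 )` gives at most a million candidate names per second of upload time, and the upload second is likely recoverable from the record's own timestamps, so the resulting name is enumerable rather than unpredictable; a cryptographic source is the usual fix, e.g. `$file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . bin2hex( random_bytes( 8 ) );`, assuming the project's PHP floor is 7.0 or later where `random_bytes()` exists. The same two lines are copied into `_saveSalariesFile` in modules/Accounting/functions.inc.php, the PortalNotes.php block and `_saveFeesFile` in modules/Student_Billing/functions.inc.php; a small helper beside FileUpload (say `FileNameSuffix()` returning the date plus random part) would keep the four call sites on one policy the next time the source of randomness changes. How much unpredictability matters depends on whether the upload directory is served directly or only through an authorised download handler, which is not visible in this patch. FilesUploadUpdate's body starts and ends outside the hunk.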
@@ -351,7 +351,8 @@ function _saveSalariesFile( $id )
 mb_strrpos( $_FILES[ $input ]['name'], '.' )
 ) );
- $file_name_no_ext .= '_' . date( 'Y-m-d_His' );
+ // @since 11.0 Add microseconds to filename format to make it harder to predict.
+ $file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . substr( (string) microtime(), 2, 6 );
 $file_attached = FileUpload(
 $input,
diff --git a/modules/School_Setup/PortalNotes.php b/modules/School_Setup/PortalNotes.php
index eecf48734..79069a951 100644
--- a/modules/School_Setup/PortalNotes.php
+++ b/modules/School_Setup/PortalNotes.php
@@ -127,12 +127,24 @@
 if ( isset( $_FILES['FILE_ATTACHED_FILE'] ) )
 {
+ $file_name_no_ext = no_accents( mb_substr(
+ $_FILES['FILE_ATTACHED_FILE']['name'],
+ 0,
+ mb_strrpos( $_FILES['FILE_ATTACHED_FILE']['name'], '.' )
+ ) );
+
+ // @since 11.0 Add microseconds to filename format to make it harder to predict.
+ $file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . substr( (string) microtime(), 2, 6 );
+
+ // File attached to portal notes
 $columns['FILE_ATTACHED'] = FileUpload(
 'FILE_ATTACHED_FILE',
 $PortalNotesFilesPath,
 FileExtensionWhiteList(),
 0,
- $error
+ $error,
+ '',
+ $file_name_no_ext
 );
 // @since 6.8 Fix SQL error when quote in uploaded file name.
diff --git a/modules/Student_Billing/functions.inc.php b/modules/Student_Billing/functions.inc.php
index ea52e84f6..e36e075f3 100644
--- a/modules/Student_Billing/functions.inc.php
+++ b/modules/Student_Billing/functions.inc.php
@@ -429,7 +429,8 @@ function _saveFeesFile( $id )
 mb_strrpos( $_FILES[ $input ]['name'], '.' )
 ) );
- $file_name_no_ext .= '_' . date( 'Y-m-d_His' );
+ // @since 11.0 Add microseconds to filename format to make it harder to predict.
+ $file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . substr( (string) microtime(), 2, 6 );
 $file_attached = FileUpload(
 $input,
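Review bot: In the new PortalNotes.php block, `mb_strrpos( $_FILES['FILE_ATTACHED_FILE']['name'], '.' )` returns `false` when the uploaded name has no dot, and that `false` is handed to `mb_substr` as the length, which appears to yield an empty base name so the stored file is just the `_date.microseconds` suffix; the older copies of this expression in FileUpload.fnc.php have the same shape, so this may rely on `FileExtensionWhiteList()` rejecting dotless uploads first — worth confirming, or guarding with `$dot = mb_strrpos( $_FILES['FILE_ATTACHED_FILE']['name'], '.' );` and `$file_name_no_ext = no_accents( $dot === false ? $_FILES['FILE_ATTACHED_FILE']['name'] : mb_substr( $_FILES['FILE_ATTACHED_FILE']['name'], 0, $dot ) );`. The bare `''` now passed as FileUpload's sixth argument gives a reader no hint which parameter is being skipped to reach the filename one; a trailing comment naming it would help, since the signature is not in this patch. The enclosing `if` block ends outside the hunk.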