uploading files with Non-ASCII characters names

Sourour Al-Khatib 28 Nov, 2010
Greetings,

I wish to share this so-called "hack" here with all the ChronoForms lovers.

The problem I ran into is not ChronoForms oriented; it is a limitation in Joomla's "JFile::makeSafe()" file input sanitizer function.

I created a form with a file upload field; everything works great and files upload with no issues. The only thing I noticed is that when attempting to upload files with names containing non-English characters (Arabic, Chinese, Greek, etc.), the resulting uploaded file name produced by ChronoForms is truncated, containing only the timestamp part, in the form
"20101128140952_.doc" for example.

I investigated the issue and went through the file upload handler file code "components/com_chronocontact/libraries/chronoformuploads.php"

The issue turned out to be caused by the "JFile::makeSafe" function call

$chronofile['name']	= JFile::makeSafe($chronofile['name']);


Calling this Joomla function is necessary to secure Joomla from suspicious file-naming uploads that might be considered hacking attempts, filtering out harmful character combinations.

The "JFile::makeSafe()" function only accepts ASCII names, which means that non-ASCII or Unicode file names will be filtered out and you end up with a file that has no name!!

To work around this limitation, I used the proposed solution at http://forum.joomla.org/viewtopic.php?p=2075458

Here is how it goes:
Open the file

components/com_chronocontact/libraries/chronoformuploads.php



Replace the following code chunk (from line 92 to line 95)
					$chronofile['name']	= JFile::makeSafe($chronofile['name']);
					$original_name   = $chronofile['tmp_name'];
					ob_start();
					eval( $MyForm->formparams('filename_format', "\$filename = date('YmdHis').'_'.\$chronofile['name'];") );


with this hacked version

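					//$chronofile['name']	= JFile::makeSafe($chronofile['name']);
					//adding unicode safe file check
					// This is a deny-list: any character not listed below (control characters included) is kept.
					// Declare the helper only once, in case this code runs more than once per request.
					if (!function_exists('stringURLSafe')) {
					function stringURLSafe($string)
   {
      //replace double byte whitespaces to single byte
      $str = preg_replace('/\xE3\x80\x80/', ' ', $string);

      // remove any '-' from the string as they will be used as concatenator.
      $str = str_replace('-', ' ', $str);

      //replace forbidden characters by whitespaces
      $str = preg_replace( '#[:\#\*"@+=;!&%\.\]\/\'\\\\|\[]#',"\x20", $str );

      //delete all '?'
      $str = str_replace('?', '', $str);

      //trim white spaces at beginning and end of alias
      $str = trim( $str );

      // remove any duplicate whitespace and replace whitespaces by hyphens
      $str = preg_replace('#\x20+#','-', $str);
      return $str;
   }
					}
					// Sanitize the base name and the extension separately: '.' is a forbidden
					// character above, so one pass over the whole name would lose the extension dot.
					$dot = strrpos($chronofile['name'], '.');
					$str = stringURLSafe($dot === false ? $chronofile['name'] : substr($chronofile['name'], 0, $dot));
					$ext = ($dot === false) ? '' : stringURLSafe(substr($chronofile['name'], $dot + 1));
					if ($ext !== '') {
						$str .= '.'.$ext;
					}
					// Store the result so a custom 'filename_format' that uses $chronofile['name'] gets the sanitized name too.
					$chronofile['name'] = $str;
					////
					$original_name   = $chronofile['tmp_name'];
					ob_start();
					eval( $MyForm->formparams('filename_format', "\$filename = date('YmdHis').'_'.\$str;") );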


Save the file and try to upload your non-ASCII named file.

Try at your own risk 😀 !!!
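
An allow-list alternative to the deny-list helper in the post, as an added example that is not part of the original post and is not ChronoForms or Joomla code: it keeps letters and digits of any script plus the last extension, and rejects input that is not valid UTF-8. The function name unicodeSafeFileName and the sample names are constructed for illustration.

```php
<?php
// Added example: allow-list sanitizer for UTF-8 upload names.
// unicodeSafeFileName() is a hypothetical helper, not a Joomla/ChronoForms API.
function unicodeSafeFileName($name)
{
    // Invalid UTF-8 makes PCRE /u matching fail, so reject it up front.
    if (preg_match('//u', $name) !== 1) {
        return '';
    }
    // Drop any client-supplied directory part (both separator styles).
    $name = preg_replace('#^.*[/\\\\]#su', '', $name);

    // Split at the last dot so the extension dot survives sanitizing.
    // '.' is a single ASCII byte, so a byte-wise split cannot cut a UTF-8 character.
    $dot  = strrpos($name, '.');
    $base = ($dot === false) ? $name : substr($name, 0, $dot);
    $ext  = ($dot === false) ? '' : substr($name, $dot + 1);

    // Keep letters, combining marks and digits of any script; every other run
    // (NUL, control characters, dots, quotes, spaces) collapses to one hyphen.
    $base = trim(preg_replace('/[^\p{L}\p{M}\p{N}_]+/u', '-', $base), '-');

    // Keep the extension plain ASCII so a later extension check sees a simple value.
    $ext = strtolower(preg_replace('/[^A-Za-z0-9]+/', '', $ext));

    if ($base === '') {
        return ''; // nothing usable left: the caller should generate a name instead
    }
    return ($ext === '') ? $base : $base . '.' . $ext;
}

// Constructed sample names, not taken from the post.
$samples = array(
    'arabic'            => 'تقرير نهائي.doc',
    'ideographic space' => "報告書\xE3\x80\x802010.PDF",
    'directory part'    => '../../etc/passwd',
    'embedded NUL'      => "shell.php\0.jpg",
    'not UTF-8'         => "\xE9t\xE9.doc",
);
foreach ($samples as $label => $raw) {
    printf("%-18s => %s\n", $label, var_export(unicodeSafeFileName($raw), true));
}
```

An empty return value means the name was rejected; prefixing the timestamp, as the form's default filename_format does, still yields a unique file name in that case.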