[geeklog-devel] Problem in downloader class

Vincent Furia vfuria at gmail.com
Sat Oct 9 23:50:47 EDT 2004


Tony,

Found a problem in the downloader class that is/was preventing the PDF
view function from working.

Note this code:

if(!is_file(($this->_sourceDirectory . $fileName)) OR
    (dirname($this->_sourceDirectory) <> dirname(realpath($this->_sourceDirectory . $fileName)))) {
    $this->_addError('Specified file ' . $this->_sourceDirectory . $fileName . ' does not exist or is not accessible');
    return false;
}

Specifically this:
(dirname($this->_sourceDirectory) <> dirname(realpath($this->_sourceDirectory . $fileName)))
doesn't work because of dirname($this->_sourceDirectory).  Note from
the php manual:
----------------PHP MANUAL-----------------
Doc : « Given a string containing a path to a file »
You _must_ specify a filename. Take care if you don't do that...
<?php
   echo dirname('/folder/anotherone/') ;
?>
... will output "/folder" and not "/folder/anotherone"
----------------PHP MANUAL-----------------

I have put a fix in, but I would like some of you to review it to make
sure I haven't messed something else up.

Also, I noticed that if a story doesn't have anonymous permissions you
can't generate a pdf of it even if you have permissions to view the
story.  On top of that "pdf_adhoc_enabled" has to be set to true for
non-Root users to be able to generate/view pdfs.  But that means they
can generate pdfs of __any__ site, which just seems ripe for abuse
(how many pdfs can I generate on your server? That is one way to do a
DOS.).  In any case, even with "pdf_adhoc_enabled" set to false, so
that users can't generate pdfs, they can still see the pdf icons on
stories...

I don't think this is how we should implement the pdf feature.  A
better way would be to generate the pdf when the story is saved, and
then give access to the pdf to anyone who has access to the story.
Since we want to get 1.3.10rc1 out soon, we may want to consider
pushing this off til the next release, rc2, or maybe a patch on 1.3.10
final...

-Vinny
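
Added example, not part of the original message and not Geeklog's code or the fix that was committed: the dirname() comparison quoted above, next to a containment check that canonicalises both the directory and the file with realpath(). The helper name resolveInside(), the trailing slash on the source directory and the temporary file layout are assumptions made for the illustration.

```php
<?php
// Added illustration; resolveInside() is a hypothetical helper, not Geeklog's API.

/**
 * Return the canonical path of $fileName if it is a regular file located
 * inside $sourceDirectory (or a subdirectory of it), otherwise false.
 */
function resolveInside(string $sourceDirectory, string $fileName)
{
    // Canonicalise the base directory itself instead of calling dirname() on it.
    $base = realpath($sourceDirectory);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // realpath() resolves "..", "." and symlinks; it returns false for a missing path.
    $target = realpath($base . DIRECTORY_SEPARATOR . $fileName);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Compare against the base plus a trailing separator, so a sibling such as
    // "pdfs-old" is not accepted as being inside "pdfs".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : false;
}

// Constructed sample layout in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
mkdir($root . '/pdfs', 0700, true);
file_put_contents($root . '/pdfs/story.pdf', '%PDF-constructed');
file_put_contents($root . '/secret.txt', 'outside the source directory');

$src = $root . '/pdfs/';   // assumed: source directory stored with a trailing slash

// The comparison from the message: dirname() drops the last component of $src,
// so the two sides differ even for a file that really is in the directory.
var_dump(dirname($src) === dirname(realpath($src . 'story.pdf')));

var_dump(resolveInside($src, 'story.pdf'));       // case: file inside the directory
var_dump(resolveInside($src, '../secret.txt'));   // case: path that resolves outside it
var_dump(resolveInside($src, 'missing.pdf'));     // case: file that does not exist

// Clean up the constructed files.
unlink($root . '/pdfs/story.pdf');
unlink($root . '/secret.txt');
rmdir($root . '/pdfs');
rmdir($root);
```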


