1 <?php
2 /**
4 * Copyright (C) 2016-2017 Jerry Padgett <sjpadgett@gmail.com>
6 * LICENSE: This program is free software: you can redistribute it and/or modify
7 * it under the terms of the GNU Affero General Public License as
8 * published by the Free Software Foundation, either version 3 of the
9 * License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU Affero General Public License for more details.
16 * You should have received a copy of the GNU Affero General Public License
17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
19 * @package OpenEMR
20 * @author Jerry Padgett <sjpadgett@gmail.com>
21 * @link http://www.open-emr.org
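require_once("../interface/globals.php");

// NOTE(review): nothing in this file checks the portal session or a CSRF
// token before serving, overwriting or deleting templates; it relies on
// globals.php (not visible here) for that — confirm.
// Read request parameters once, defaulting to '' so an absent key does not
// raise an undefined-index notice before validateFile() gets to reject it.
$mode = isset($_POST['mode']) ? $_POST['mode'] : '';
$docid = isset($_POST['docid']) ? $_POST['docid'] : '';

if ($mode === 'get') {
    // Serve the raw template text. validateFile() ends the request with a
    // 404 unless $docid resolves to a .tpl inside the templates directory,
    // so the else branch is only reachable if that contract changes.
    $rebuilt = validateFile($docid);
    if ($rebuilt) {
        echo file_get_contents($rebuilt);
        exit();
    } else {
        die(xlt('Invalid File'));
    }
} elseif ($mode === 'save') {
    $rebuilt = validateFile($docid);
    if ($rebuilt) {
        $content = isset($_POST['content']) ? $_POST['content'] : '';
        // Refuse content carrying a PHP open tag. Only the long form "<?php"
        // is detected; "<?=" and short open tags are not, so treat this as
        // defence in depth rather than a guarantee the saved .tpl is inert.
        if (stripos($content, "<?php") === false) {
            file_put_contents($rebuilt, $content);
            // NOTE(review): exit(true) — on PHP < 8.4 a non-int status is
            // printed ("1"); confirm the caller depends on that body.
            exit(true);
        } else {
            die(xlt('Invalid Content'));
        }
    } else {
        die(xlt('Invalid File'));
    }
} elseif ($mode === 'delete') {
    $rebuilt = validateFile($docid);
    if ($rebuilt) {
        // The unlink() result is not checked; a failed delete still reports success.
        unlink($rebuilt);
        exit(true);
    } else {
        die(xlt('Invalid File'));
    }
}

// so it is an import
// UPLOAD_DIR is the global templates directory, or one sub-directory of it
// when up_dir is supplied. up_dir is passed through convert_safe_file_dir_name()
// (defined elsewhere in the project) — presumably it strips path separators;
// verify, since it is the only thing keeping up_dir inside the templates tree.
if (!isset($_POST['up_dir'])) {
    define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/');
} else {
    if ($_POST['up_dir'] > 0) {
        define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/' . convert_safe_file_dir_name($_POST['up_dir']) . '/');
    } else {
        define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/');
    }
}

if (!empty($_FILES["tplFile"])) {
    $tplFile = $_FILES["tplFile"];

    if ($tplFile["error"] !== UPLOAD_ERR_OK) {
        header("refresh:2;url= import_template_ui.php");
        echo "<p>" . xlt("An error occurred: Missing file to upload: Use back button!") . "</p>";
        exit;
    }

    // ensure a safe filename: anything outside [A-Za-z0-9._-] becomes '_',
    // which also removes path separators from the client-supplied name
    $name = preg_replace("/[^A-Z0-9._-]/i", "_", $tplFile["name"]);
    // preg_match() returns false on error, which !== 0 treats as a match,
    // so a PCRE failure fails closed
    if (preg_match("/(.*)\.(php|php3|php4|php5|php7)$/i", $name) !== 0) {
        die(xlt('Executables not allowed'));
    }
    $parts = pathinfo($name);
    // the stored file always gets the .tpl extension regardless of what was uploaded
    $name = $parts["filename"] . '.tpl';
    // don't overwrite an existing file: move it aside under a ".replaced" name
    // (the random suffix is only a collision avoider, not a security control)
    while (file_exists(UPLOAD_DIR . $name)) {
        $i = rand(0, 128);
        // pathinfo() omits 'extension' when the uploaded name has none
        $origExt = isset($parts["extension"]) ? $parts["extension"] : '';
        $newname = $parts["filename"] . "-" . $i . "." . $origExt . ".replaced";
        rename(UPLOAD_DIR . $name, UPLOAD_DIR . $newname);
    }

    // preserve file from temporary directory
    $success = move_uploaded_file($tplFile["tmp_name"], UPLOAD_DIR . $name);
    if (!$success) {
        echo "<p>" . xlt("Unable to save file: Use back button!") . "</p>";
        exit;
    }

    // set proper permissions on the new file
    chmod(UPLOAD_DIR . $name, 0644);
    // NOTE(review): redirects to the client-supplied Referer header; a fixed
    // path (import_template_ui.php, as used above) would avoid trusting it.
    header("location: " . $_SERVER['HTTP_REFERER']);
    die();
}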
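/**
 * Resolve a client-supplied template path to a trusted location.
 *
 * The request is accepted only when the submitted path, after realpath()
 * canonicalisation, names an existing .tpl file that sits directly in the
 * portal templates directory (global template) or in exactly one
 * sub-directory of it (per-patient template, the last directory component
 * being the pid). The returned path is rebuilt from the trusted base
 * directory and the file name, never from the submitted string, and must
 * resolve to the very same file as the submitted path.
 *
 * Every failed check ends the request with a 404 via redirect(); the
 * function only returns on success.
 *
 * @param string $filename path submitted by the client (docid)
 * @return string the rebuilt, trusted path of the template
 */
function validateFile($filename = '')
{
    $knownPath = $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/'; // default path
    $realFile = realpath($filename);
    if ($realFile === false) {
        // realpath() yields false for a non-existent path; without this guard
        // the string functions below would operate on false and $parts would
        // have no 'extension' key.
        redirect();
    }
    $unknown = str_replace("\\", "/", $realFile); // normalize requested path
    $parts = pathinfo($unknown);
    $unkParts = explode('/', $parts['dirname']);
    $ptpid = $unkParts[count($unkParts) - 1]; // is this a patient or global template
    $ptpid = ($ptpid === 'templates') ? '' : ($ptpid . '/'); // last part should be pid or template
    $rebuiltPath = $knownPath . $ptpid . $parts['filename'] . '.tpl';
    $extension = isset($parts['extension']) ? $parts['extension'] : '';
    $realBase = realpath($knownPath);
    if (file_exists($rebuiltPath) === false || $extension !== 'tpl') {
        redirect();
    } elseif (realpath($rebuiltPath) !== $realFile) { // these need to match to be valid request
        redirect();
    } elseif ($realBase === false || stripos($realFile, $realBase) !== 0) {
        // the canonical file path must start with the templates directory;
        // a substring match anywhere in the path is not enough
        redirect();
    }

    return $rebuiltPath;
}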
/**
 * Abort the current request with a 404.
 *
 * Despite its name this sends no Location header: it emits a
 * "404 Not Found" status line and terminates the script, so callers
 * can rely on it never returning.
 */
function redirect()
{
    header('HTTP/1.0 404 Not Found');
    exit();
}