<?php

/**
 * import_template.php
 *
 * @package OpenEMR
 * @link https://www.open-emr.org
 * @author Jerry Padgett <sjpadgett@gmail.com>
 * @copyright Copyright (c) 2016-2017 Jerry Padgett <sjpadgett@gmail.com>
 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
 */
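// OpenEMR bootstrap; expected to provide $GLOBALS['OE_SITE_DIR'], xlt() and
// convert_safe_file_dir_name(), all of which are used below but not defined here.
require_once("../interface/globals.php");

// Request dispatch for the portal template editor:
//   mode=get    -> echo the template contents
//   mode=save   -> overwrite an existing template with POSTed content
//   mode=delete -> remove an existing template
//   (no mode)   -> import a new template from the multipart upload "tplFile"
// Every path that names an existing template goes through validateFile(),
// which only returns for an existing .tpl under the templates directory and
// otherwise answers 404 and exits. Missing POST keys default to '' so a plain
// upload request does not raise undefined-index warnings.
$mode = isset($_POST['mode']) ? $_POST['mode'] : '';
$docid = isset($_POST['docid']) ? $_POST['docid'] : '';

if ($mode === 'get') {
    $rebuilt = validateFile($docid);
    if ($rebuilt) {
        echo file_get_contents($rebuilt);
        exit();
    } else {
        die(xlt('Invalid File'));
    }
} elseif ($mode === 'save') {
    $rebuilt = validateFile($docid);
    if ($rebuilt) {
        $content = isset($_POST['content']) ? $_POST['content'] : '';
        // Best-effort content check: the editor must not be able to drop an
        // opening PHP tag into a template. A non-string payload is rejected
        // the same way instead of reaching stripos().
        if (is_string($content) && stripos($content, "<?php") === false) {
            file_put_contents($rebuilt, $content);
            // Kept for the existing caller: a non-int exit argument is printed
            // before the script stops, so the response body is the literal "1".
            exit(true);
        } else {
            die(xlt('Invalid Content'));
        }
    } else {
        die(xlt('Invalid File'));
    }
} elseif ($mode === 'delete') {
    $rebuilt = validateFile($docid);
    if ($rebuilt) {
        unlink($rebuilt);
        exit(true);
    } else {
        die(xlt('Invalid File'));
    }
}

// so it is an import
// Target directory: the global templates directory, or a per-patient
// sub-directory when up_dir is a positive id. Both the directory id and the
// optional category are passed through convert_safe_file_dir_name() before
// being joined into the path.
$templatesDir = $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/';
if (!isset($_POST['up_dir']) || !($_POST['up_dir'] > 0)) {
    $UPLOAD_DIR = $templatesDir;
} else {
    $UPLOAD_DIR = $templatesDir . convert_safe_file_dir_name($_POST['up_dir']) . "/";
}
$UPLOAD_DIR .= !empty($_POST['doc_category']) ? (convert_safe_file_dir_name($_POST['doc_category']) . "/") : "";

// Create the directory on first use; the second is_dir() covers a concurrent
// mkdir() by another request.
if (!is_dir($UPLOAD_DIR) && !mkdir($UPLOAD_DIR, 0755, true) && !is_dir($UPLOAD_DIR)) {
    die("<p>" . xlt("Unable to import file: Use back button!") . "</p>");
}

if (!empty($_FILES["tplFile"])) {
    $tplFile = $_FILES["tplFile"];
    if ($tplFile["error"] !== UPLOAD_ERR_OK) {
        header("refresh:2;url= import_template_ui.php");
        echo "<p>" . xlt("An error occurred: Missing file to upload: Use back button!") . "</p>";
        exit;
    }

    // ensure a safe filename: anything outside [A-Za-z0-9._-] becomes "_"
    $name = preg_replace("/[^A-Z0-9._-]/i", "_", $tplFile["name"]);
    // Refuse PHP-looking uploads outright (preg_match() === false also lands
    // here, which is the safe side).
    if (preg_match("/(.*)\.(php|php3|php4|php5|php7|php8)$/i", $name) !== 0) {
        die(xlt('Executables not allowed'));
    }

    // Stored name is always <basename>.tpl whatever the upload was called.
    $parts = pathinfo($name);
    $uploadedExt = isset($parts["extension"]) ? $parts["extension"] : '';
    $name = $parts["filename"] . '.tpl';

    // don't overwrite an existing file: move the old one aside as
    // <basename>-<n>.<ext>.replaced until the target name is free
    while (file_exists($UPLOAD_DIR . $name)) {
        $i = rand(0, 128);
        $newname = $parts["filename"] . "-" . $i . "." . $uploadedExt . ".replaced";
        rename($UPLOAD_DIR . $name, $UPLOAD_DIR . $newname);
    }

    // preserve file from temporary directory
    $success = move_uploaded_file($tplFile["tmp_name"], $UPLOAD_DIR . $name);
    if (!$success) {
        echo "<p>" . xlt("Unable to save file: Use back button!") . "</p>";
        exit;
    }

    // set proper permissions on the new file
    chmod($UPLOAD_DIR . $name, 0644);

    // Return to the referring page. The Referer header is client-supplied and
    // may be absent, so fall back to the upload UI rather than sending an
    // empty Location header.
    $back = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'import_template_ui.php';
    header("location: " . $back);
    die();
}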
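/**
 * Map a client-supplied template path back onto the site's templates directory.
 *
 * The expected location is rebuilt from the templates directory, the last
 * directory component of the requested path ('' when that component is
 * "templates" itself, otherwise "<component>/" for a sub-directory), and the
 * requested base name with a ".tpl" extension. The request is accepted only
 * when the requested file exists and has the .tpl extension, the rebuilt path
 * exists and resolves to the same real path as the request, and that real
 * path starts with the real templates directory. Any failure ends the request
 * with a 404 via redirect(), which does not return.
 *
 * @param string $filename path as supplied by the client (e.g. $_POST['docid'])
 * @return string the rebuilt, validated template path
 */
function validateFile($filename = '')
{
    $knownPath = $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/'; // default path
    $requested = realpath($filename);
    if ($requested === false) {
        redirect(); // nothing on disk at that path: nothing to validate
    }
    $unknown = str_replace("\\", "/", $requested); // normalize requested path
    $parts = pathinfo($unknown);
    $extension = isset($parts['extension']) ? $parts['extension'] : '';
    $unkParts = explode('/', $parts['dirname']);
    $ptpid = $unkParts[count($unkParts) - 1]; // is this a patient or global template
    $ptpid = ($ptpid === 'templates') ? '' : ($ptpid . '/'); // last part should be pid or "templates"
    $rebuiltPath = $knownPath . $ptpid . $parts['filename'] . '.tpl';
    if ($extension !== 'tpl' || file_exists($rebuiltPath) === false) {
        redirect();
    } elseif (realpath($rebuiltPath) !== $requested) { // these need to match to be a valid request
        redirect();
    } elseif (stripos($requested, realpath($knownPath)) !== 0) { // must be a prefix, not merely a substring
        redirect();
    }
    return $rebuiltPath;
}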
/**
 * Reject the current request with a 404 status and stop the script.
 *
 * Used by validateFile() for every template path that fails validation.
 * Never returns.
 */
function redirect()
{
    $notFound = 'HTTP/1.0 404 Not Found';
    header($notFound);
    die();
}