With the plgVmOnUserInvoice trigger in orders.php, the shop owner is now given a possibility to modify the invoice number of an invoice. By default the invoice number consists entirely of numbers, but a customized invoice number might look like "[year]/#", e.g. 2012/124.
Unfortunately, the filename for the PDF invoice takes the invoice number verbatim and includes it in the filename (components/com_virtuemart/controllers/invoice.php):
$path .= 'vminvoice_'.$invoiceNumber.'.pdf';
This will break if the user changes the invoice number to contain e.g. a slash. This is not just a hypothetical situation, but a very real possibility with my ordernumber plugin (http://open-tools.net/virtuemart-2-extensions.html).
Attached is a patch (relative to current svn trunk), which allows only uppercase and lowercase letters, numbers, underscore, hyphens and dots in the filename. All other characters (really problematic are /, \, ", : on Windows machines; but to be on the safe side, I think it's better to disallow practically all special chars) are replaced by an underscore:
$path .= preg_replace('/[^A-Za-z0-9_\-\.]/', '_', 'vminvoice_'.$invoiceNumber.'.pdf');
Cheers,
Reinhold
PS: Is this forum the correct place to send patches for Virtuemart 2?
Yes, but as you can see there is a lot of activity and sometimes nice posts are not seen.
Thanks for the patch, added.
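
The filename handling discussed in this thread, as an added PHP example that is not part of the original posts or of VirtueMart: it compares the verbatim name with the patch's allowlist and shows that the allowlist maps distinct invoice numbers such as 2012/124 and 2012_124 to the same file. The function names, the sample invoice numbers and the hash suffix in invoiceFileUnique are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper names, not VirtueMart code.

// Behaviour described in the post: the invoice number is used verbatim,
// so "/" or "\" in it ends up inside the file path.
function invoiceFileVerbatim(string $invoiceNumber): string
{
    return 'vminvoice_' . $invoiceNumber . '.pdf';
}

// The patch's allowlist: anything outside A-Z a-z 0-9 _ - . becomes "_".
function invoiceFilePatched(string $invoiceNumber): string
{
    return preg_replace('/[^A-Za-z0-9_\-\.]/', '_', 'vminvoice_' . $invoiceNumber . '.pdf');
}

// Assumption beyond the patch: if sanitising changed the number, append a
// short hash of the original so distinct invoice numbers keep distinct files.
function invoiceFileUnique(string $invoiceNumber): string
{
    $clean = preg_replace('/[^A-Za-z0-9_\-\.]/', '_', $invoiceNumber);
    if ($clean !== $invoiceNumber) {
        $clean .= '-' . substr(hash('sha256', $invoiceNumber), 0, 8);
    }
    return 'vminvoice_' . $clean . '.pdf';
}

// Constructed sample invoice numbers, including the "[year]/#" format.
$samples = ['124', '2012/124', '2012_124', '2012\\124', '../../124', 'A:"7"'];

foreach ($samples as $n) {
    printf("%-10s\n  verbatim: %s\n  patched:  %s\n  unique:   %s\n",
        $n, invoiceFileVerbatim($n), invoiceFilePatched($n), invoiceFileUnique($n));
}

// Compare the two schemes for a pair of numbers that differ only in a
// replaced character: the patched names are equal, the hashed ones are not.
$a = '2012/124';
$b = '2012_124';
echo 'patched names equal: ';
var_dump(invoiceFilePatched($a) === invoiceFilePatched($b));
echo 'unique names equal:  ';
var_dump(invoiceFileUnique($a) === invoiceFileUnique($b));
```

Dots stay allowed by the patch's character class, but with both path separators replaced a leading ".." can no longer move the file out of the invoice directory.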