Author Topic: [PATCH] Invoice filename should not contain special chars  (Read 1096 times)

reinhold

  • 3rd party VirtueMart Developer
  • Jr. Member
  • Posts: 204
[PATCH] Invoice filename should not contain special chars
« on: November 16, 2012, 15:14:46 pm »
With the plgVmOnUserInvoice trigger in orders.php, the shop owner is now given a possibility to modify the invoice number of an invoice. By default the invoice number consists entirely of numbers, but a customized invoice number might look like "[year]/#", e.g. 2012/124.

Unfortunately, the filename for the PDF invoice takes the invoice number verbatim and includes it in the filename (components/com_virtuemart/controllers/invoice.php):

Code:
$path .= 'vminvoice_'.$invoiceNumber.'.pdf';
This will break if the user changes the invoice number to contain e.g. a slash. This is not just a hypothetical situation, but a very real possibility with my ordernumber plugin (http://open-tools.net/virtuemart-2-extensions.html)

Attached is a patch (relative to current svn trunk), which allows only uppercase and lowercase letters, numbers, underscore, hyphens and dots in the filename. All other characters (really problematic are /, \, ", : on Windows machines; but to be on the safe side, I think it's better to disallow practically all special chars) are replaced by an underscore:
Code:
$path .= preg_replace('/[^A-Za-z0-9_\-\.]/', '_', 'vminvoice_'.$invoiceNumber.'.pdf');

Cheers,
Reinhold

PS: Is this forum the correct place to send patches for Virtuemart 2?

[attachment cleanup by admin]
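
The effect of the replacement in the post above on customised invoice numbers, as an added example that is not part of the original post or of VirtueMart's code; the function names and the sample invoice numbers are constructed for illustration. It also reports a side effect of the replacement: distinct invoice numbers can map to the same filename.

```php
<?php
// Added example: names and sample invoice numbers are constructed, not VirtueMart code.

// Unpatched: the invoice number is placed in the filename verbatim.
function naive_invoice_filename(string $invoiceNumber): string {
    return 'vminvoice_' . $invoiceNumber . '.pdf';
}

// Patched: the replacement from the post; anything outside A-Z a-z 0-9 _ - . becomes "_".
function safe_invoice_filename(string $invoiceNumber): string {
    return preg_replace('/[^A-Za-z0-9_\-\.]/', '_', naive_invoice_filename($invoiceNumber));
}

// True if the name contains one of the characters the post calls really problematic: / \ " :
function has_problem_chars(string $filename): bool {
    return strpbrk($filename, '/\\":') !== false;
}

// Constructed invoice numbers, as a custom numbering scheme might produce them.
$samples = ['124', '2012/124', '2012_124', '2012\\124', 'RE:2012-7', '../../124'];

$byFile = [];
foreach ($samples as $number) {
    $naive = naive_invoice_filename($number);
    $safe  = safe_invoice_filename($number);
    printf("%-12s naive=%-26s %-8s safe=%s\n",
        $number, $naive, has_problem_chars($naive) ? 'BREAKS' : 'ok', $safe);
    $byFile[$safe][] = $number;
}

// Side effect of mapping every special character to "_": distinct invoice
// numbers can end up with the same filename, so two invoices would share
// one PDF path. Report such collisions.
foreach ($byFile as $file => $numbers) {
    if (count($numbers) > 1) {
        printf("collision: %s <- %s\n", $file, implode(', ', $numbers));
    }
}
```

A numbering scheme whose invoices must stay distinct on disk should not depend on characters that the filter replaces.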

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • Posts: 9856
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: [PATCH] Invoice filename should not contain special chars
« Reply #1 on: December 17, 2012, 17:23:21 pm »
Yes, but as you can see there is a lot of activity and sometimes nice posts are not seen.

Thanks for the patch, added.
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/