[PATCH] Invoice filename should not contain special chars

Started by reinhold, November 16, 2012, 15:14:46 PM


reinhold

With the plgVmOnUserInvoice trigger in orders.php, the shop owner is now given a possibility to modify the invoice number of an invoice. By default the invoice number consists entirely of numbers, but a customized invoice number might look like "[year]/#", e.g. 2012/124.

Unfortunately, the filename for the PDF invoice takes the invoice number verbatim and includes it in the filename (components/com_virtuemart/controllers/invoice.php):

$path .= 'vminvoice_'.$invoiceNumber.'.pdf';

This will break if the user changes the invoice number to contain e.g. a slash. This is not just a hypothetical situation, but a very real possibility with my ordernumber plugin (http://open-tools.net/virtuemart-2-extensions.html).

Attached is a patch (relative to current svn trunk), which allows only uppercase and lowercase letters, numbers, underscore, hyphens and dots in the filename. All other characters (really problematic are /, \, ", : on Windows machines; but to be on the safe side, I think it's better to disallow practically all special chars) are replaced by an underscore:

$path .= preg_replace('/[^A-Za-z0-9_\-\.]/', '_', 'vminvoice_'.$invoiceNumber.'.pdf');


Cheers,
Reinhold

PS: Is this forum the correct place to send patches for Virtuemart 2?
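
An added example, not part of the original post or of VirtueMart's code: it runs the replacement from the post over constructed invoice numbers and shows one consequence of mapping every special character to an underscore, namely that distinct invoice numbers such as 2012/124 and 2012_124 end up with the same filename. The function names and the hash-suffix variant are hypothetical.

```php
<?php
// Added example; function names are hypothetical, not VirtueMart's.

// The replacement from the post: every character outside
// [A-Za-z0-9_.-] in the filename becomes an underscore.
function invoiceFilenameSimple(string $invoiceNumber): string
{
    return preg_replace('/[^A-Za-z0-9_\-\.]/', '_',
        'vminvoice_' . $invoiceNumber . '.pdf');
}

// Variant (an assumption, not from the post): if sanitizing changed the
// invoice number, append a short hash of the original number so that
// "2012/124" and "2012_124" no longer share one file. Plain numeric
// invoice numbers keep the filename they had before.
// Uniqueness relies on the 8-hex-digit SHA-256 prefix not colliding.
function invoiceFilenameUnique(string $invoiceNumber): string
{
    $safe = preg_replace('/[^A-Za-z0-9_\-\.]/', '_', $invoiceNumber);
    if ($safe !== $invoiceNumber) {
        $safe .= '-' . substr(hash('sha256', $invoiceNumber), 0, 8);
    }
    return 'vminvoice_' . $safe . '.pdf';
}

// Constructed sample invoice numbers, including path separators and
// characters that are invalid in Windows filenames.
$samples = ['124', '2012/124', '2012_124', '2012\\124',
            '../../configuration', 'RE:2012"124'];

foreach ($samples as $number) {
    printf("%-22s %-34s %s\n", $number,
        invoiceFilenameSimple($number), invoiceFilenameUnique($number));
}

// Both separators are gone, so the name cannot leave the invoice folder,
// but the simple form maps two different invoices to one file.
var_dump(invoiceFilenameSimple('2012/124') === invoiceFilenameSimple('2012_124'));
var_dump(invoiceFilenameUnique('2012/124') === invoiceFilenameUnique('2012_124'));
```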


Milbo

Yes, but as you can see there is a lot of activity and sometimes nice posts are not seen.

Thanks for the patch, added.