r2800 - addFileWithoutLink(): pass unescaped comment to commitAddFile() (ticket...

 - addFileToEntity(): idem

diff --git a/ChangeLog b/ChangeLog
index 1f8c67c..1571132 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 0.17.1
        bugfix: tags were not displayed on "File" page
+       bugfix: multiline comment for an added file was stored incorrectly
 0.17.0 2009-05-20
        new feature: file attachments (by Aaron)
        new feature: ability to delete objects (by Aaron)

diff --git a/inc/ophandlers.php b/inc/ophandlers.php
index 9879e6c..2ab4bca 100644 (file)
--- a/inc/ophandlers.php
+++ b/inc/ophandlers.php
@@ -1735,7 +1735,9 @@ function addFileWithoutLink ()
                return buildRedirectURL (__FUNCTION__, 'ERR', array ("file uploads not allowed, change 'file_uploads' parameter in php.ini"));
 
        $fp = fopen($_FILES['file']['tmp_name'], 'rb');
-       $error = commitAddFile ($_FILES['file']['name'], $_FILES['file']['type'], $_FILES['file']['size'], $fp, $_REQUEST['comment']);
+       global $sic;
+       // commitAddFile() uses prepared statements
+       $error = commitAddFile ($_FILES['file']['name'], $_FILES['file']['type'], $_FILES['file']['size'], $fp, $sic['comment']);
 
        if ($error != '')
                return buildRedirectURL (__FUNCTION__, 'ERR', array ($error));
@@ -1763,7 +1765,9 @@ function addFileToEntity ()
                return buildRedirectURL (__FUNCTION__, 'ERR2');
 
        $fp = fopen($_FILES['file']['tmp_name'], 'rb');
-       $error = commitAddFile ($_FILES['file']['name'], $_FILES['file']['type'], $_FILES['file']['size'], $fp, $_REQUEST['comment']);
+       global $sic;
+       // commitAddFile() uses prepared statements
+       $error = commitAddFile ($_FILES['file']['name'], $_FILES['file']['type'], $_FILES['file']['size'], $fp, $sic['comment']);
        if ($error != '')
                return buildRedirectURL (__FUNCTION__, 'ERR3', array ($error));