From c9774f83d2559caac6373f75f8c2e966c194db81 Mon Sep 17 00:00:00 2001
From: Dusan Vuckovic <dusan.vuckovic@otrs.com>
Date: Tue, 9 Oct 2018 13:52:44 +0100
Subject: [PATCH] Improved upload cache module.

---
 CHANGES.md                          |  1 +
 Kernel/System/Web/UploadCache/FS.pm | 32 ++++++++++++++-
 scripts/test/WebUploadCache.t       | 63 +++++++++++++++++++++++++++++
 3 files changed, 94 insertions(+), 2 deletions(-)

--- a/Kernel/System/Web/UploadCache/FS.pm
+++ b/Kernel/System/Web/UploadCache/FS.pm
@@ -54,6 +54,8 @@ sub FormIDRemove {
         return;
     }
 
+    return if !$Self->_FormIDValidate( $Param{FormID} );
+
     # get main object
     my $MainObject = $Kernel::OM->Get('Kernel::System::Main');
 
@@ -85,6 +87,8 @@ sub FormIDAddFile {
         }
     }
 
+    return if !$Self->_FormIDValidate( $Param{FormID} );
+
     # create content id
     my $ContentID = $Param{ContentID};
     my $Disposition = $Param{Disposition} || '';
@@ -144,6 +148,8 @@ sub FormIDRemoveFile {
         }
     }
 
+    return if !$Self->_FormIDValidate( $Param{FormID} );
+
     my @Index = @{ $Self->FormIDGetAllFilesMeta(%Param) };
 
     # finish if files have been already removed by other process
@@ -186,6 +192,10 @@ sub FormIDGetAllFilesData {
         return;
     }
 
+    my @Data;
+
+    return \@Data if !$Self->_FormIDValidate( $Param{FormID} );
+
     # get main object
     my $MainObject = $Kernel::OM->Get('Kernel::System::Main');
 
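Review bot: The two failure paths of `FormIDGetAllFilesData` now return different things: the missing-parameter check just above ends in a bare `return;`, while an invalid FormID returns `\@Data`, an empty array reference. If that is deliberate, say so at the guard, e.g. `# invalid FormID: hand back an empty list reference so callers that dereference the result get no files`. The same applies to the identical guard added to `FormIDGetAllFilesMeta` in the later hunk. Both function bodies start and end outside these hunks, so the normal return type is only inferred from `\@Data`.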
@@ -195,7 +205,6 @@ sub FormIDGetAllFilesData {
     );
 
     my $Counter = 0;
-    my @Data;
 
     FILE:
     for my $File (@List) {
@@ -283,6 +292,10 @@ sub FormIDGetAllFilesMeta {
         return;
     }
 
+    my @Data;
+
+    return \@Data if !$Self->_FormIDValidate( $Param{FormID} );
+
     # get main object
     my $MainObject = $Kernel::OM->Get('Kernel::System::Main');
 
@@ -292,7 +305,6 @@ sub FormIDGetAllFilesMeta {
     );
 
     my $Counter = 0;
-    my @Data;
 
     FILE:
     for my $File (@List) {
@@ -388,6 +400,22 @@ sub FormIDCleanUp {
     }
 
     return 1;
+}
+
+sub _FormIDValidate {
+    my ( $Self, $FormID ) = @_;
+
+    return if !$FormID;
+
+    if ( $FormID !~ m{^ \d+ \. \d+ \. \d+ $}xms ) {
+        $Kernel::OM->Get('Kernel::System::Log')->Log(
+            Priority => 'error',
+            Message  => 'Invalid FormID!',
+        );
+        return;
+    }
+
+    return 1;
 }
 
 1;
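Review bot: The pattern in `_FormIDValidate` is anchored with `^` and `$` while the `m` flag is set, so it only requires that some line of the value has the digits-dot-digits-dot-digits form; a value with an embedded newline and other content on another line is still accepted, and even without `m` a trailing newline would pass `$`. Anchor to the whole string instead: `if ( $FormID !~ m{\A \d+ \. \d+ \. \d+ \z}xms ) {`. `\d` can also match non-ASCII digits on character strings, so `[0-9]+` (or the `a` flag, if the supported Perl versions have it) keeps the accepted set to what the generator presumably produces. A short comment above the sub stating the expected format and why the FS backend checks it would help, since the call sites added in this patch give no reason for the guard.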
--- a/scripts/test/WebUploadCache.t
+++ b/scripts/test/WebUploadCache.t
@@ -47,6 +47,8 @@ for my $Module (qw(DB FS)) {
         "#$Module - FormIDCreate()",
     );
 
+    my $InvalidFormID = $Helper->GetRandomID();
+
     # file checks
     for my $File (qw(xls txt doc png pdf)) {
 
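Review bot: `$InvalidFormID` is a single value from `$Helper->GetRandomID()`, so every negative check added to this test exercises one shape of invalid input, presumably a plain alphanumeric string. The inputs the validator exists for are not pinned: a value containing a path separator, a value with one well-formed line followed by a newline and more text, and a well-formed value with a trailing newline. Running the FS-only checks over a small list such as `( $Helper->GetRandomID(), "1.2.3\n", '1.2.3/x' )` (constructed samples) would catch a regression in the pattern's anchoring. The loop this hunk sits in continues outside the hunk.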
@@ -89,6 +91,22 @@ for my $Module (qw(DB FS)) {
             "#$Module - FormIDAddFile() - ." . $File,
         );
 
+        if ( $Module eq 'FS' ) {
+            my $Add = $UploadCacheObject->FormIDAddFile(
+                FormID      => $InvalidFormID,
+                Filename    => 'UploadCache Test1äöüß.' . $File,
+                Content     => $Content,
+                ContentType => 'text/html',
+                ContentID   => $ContentID,
+                Disposition => $Disposition,
+            );
+
+            $Self->False(
+                $Add // 0,
+                "#$Module - FormIDAddFile() - Invalid FormID"
+            );
+        }
+
         my @Data = $UploadCacheObject->FormIDGetAllFilesData(
             FormID => $FormID,
         );
@@ -140,6 +158,19 @@ for my $Module (qw(DB FS)) {
                 "#$Module - FormIDGetAllFilesMeta() - Disposition ." . $File,
             );
         }
+
+        if ( $Module eq 'FS' ) {
+            my $Delete = $UploadCacheObject->FormIDRemoveFile(
+                FormID => $InvalidFormID,
+                FileID => 1,
+            );
+
+            $Self->False(
+                $Delete // 0,
+                "#$Module - FormIDRemoveFile() - Invalid FormID"
+            );
+        }
+
         my $Delete = $UploadCacheObject->FormIDRemoveFile(
             FormID => $FormID,
             FileID => 1,
@@ -186,6 +217,17 @@ for my $Module (qw(DB FS)) {
             "#$Module - FormIDAddFile() - ." . $File,
         );
 
+        if ( $Module eq 'FS' ) {
+            my @Data = $UploadCacheObject->FormIDGetAllFilesData(
+                FormID => $InvalidFormID,
+            );
+
+            $Self->False(
+                @Data // 0,
+                "#$Module - FormIDGetAllFilesData() - Invalid FormID"
+            );
+        }
+
         my @Data = $UploadCacheObject->FormIDGetAllFilesData(
             FormID => $FormID,
         );
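Review bot: `@Data // 0` in the `False()` call works only because `//` puts `@Data` in scalar context; the element count is never undefined, so the `// 0` fallback can never apply and the expression reads as if it guarded against undef. `scalar @Data,` states what is being asserted. The same expression appears in the FormIDGetAllFilesMeta() check in the next hunk. Both checks also depend on the call returning a flat list rather than the array reference the FS backend returns, which presumably happens in a wrapper not shown here; a one-element list holding an empty array reference would make the count 1 and the assertion fail.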
@@ -214,6 +256,18 @@ for my $Module (qw(DB FS)) {
                 "#$Module - FormIDGetAllFilesData() - Disposition ." . $File,
             );
         }
+
+        if ( $Module eq 'FS' ) {
+            my @Data = $UploadCacheObject->FormIDGetAllFilesMeta(
+                FormID => $InvalidFormID,
+            );
+
+            $Self->False(
+                @Data // 0,
+                "#$Module - FormIDGetAllFilesMeta() - Invalid FormID"
+            );
+        }
+
         @Data = $UploadCacheObject->FormIDGetAllFilesMeta( FormID => $FormID );
         if (@Data) {
             my %File = %{ $Data[$#Data] };
@@ -243,6 +297,15 @@ for my $Module (qw(DB FS)) {
         $Remove,
         "#$Module - FormIDRemove()",
     );
+
+    if ( $Module eq 'FS' ) {
+        my $Remove = $UploadCacheObject->FormIDRemove( FormID => $InvalidFormID );
+
+        $Self->False(
+            $Remove // 0,
+            "#$Module - FormIDRemove() - Invalid FormID"
+        );
+    }
 }
 
 # cleanup is done by RestoreDatabase
