Implements and fixes #7747. Import Excel: restrict reading to explicit named worksheets

7e7f9d55 · Carsten Rose · fb907848 · 7e7f9d55 · 7e7f9d55 · 7e7f9d55
Commit 7e7f9d55 authored Jan 26, 2019 by Carsten Rose
--- a/extension/Documentation/Manual.rst
+++ b/extension/Documentation/Manual.rst
--- a/extension/Source/core/Constants.php
+++ b/extension/Source/core/Constants.php
@@ -337,6 +337,10 @@ const ERROR_DND_EMPTY_REORDER_SQL = 2700;
 // Form
 const ERROR_FORM_RESERVED_NAME = 2800;

+// Import (Excel, ODS, ...)
+const ERROR_IMPORT_MISSING_EXPLICIT_TYPE = 2900;
+const ERROR_IMPORT_LIST_SHEET_NAMES = 2901;
+
 //
 // Store Names: Identifier
 //
@@ -1040,6 +1044,10 @@ const FE_IMPORT_TYPE_XLS = 'xls';
 const FE_IMPORT_TYPE_XLSX = 'xlsx';
 const FE_IMPORT_TYPE_ODS = 'ods';
 const FE_IMPORT_TYPE_CSV = 'csv';
+const FE_IMPORT_NAMED_SHEETS_ONLY = 'importNamedSheetsOnly';
+const FE_IMPORT_READ_DATA_ONLY = 'importSetReadDataOnly';
+const FE_IMPORT_LIST_SHEET_NAMES = 'importListSheetNames';
+

 const FE_IMAGE_SOURCE = 'imageSource'; // Image source for a fabric element
 const FE_DEFAULT_PEN_COLOR = 'defaultPenColor'; // Default pen color for a fabric element

--- a/extension/Source/core/Save.php
+++ b/extension/Source/core/Save.php
@@ -369,7 +369,7 @@ class Save {
            }

            $column = $formElement[FE_NAME];
-            $pathFileName = $this->doUpload($formElement, ($formValues[$column]??''), $sip, $modeUpload);
+            $pathFileName = $this->doUpload($formElement, ($formValues[$column] ?? ''), $sip, $modeUpload);

            if ($modeUpload == UPLOAD_MODE_DELETEOLD && $pathFileName == '') {
                $pathFileNameTmp = '';  // see '4'
@@ -661,9 +661,25 @@ class Save {
     * @throws \PhpOffice\PhpSpreadsheet\Reader\Exception
     */
    private function doImport($formElement, $fileName) {
+        $importNamedSheetsOnly = array();

        Support::setIfNotSet($formElement, FE_IMPORT_TYPE, FE_IMPORT_TYPE_AUTO);

+        if (!empty($formElement[FE_IMPORT_NAMED_SHEETS_ONLY])) {
+            $importNamedSheetsOnly = explode(',', $formElement[FE_IMPORT_NAMED_SHEETS_ONLY]);
+        }
+
+        if ($formElement[FE_IMPORT_TYPE] === FE_IMPORT_TYPE_AUTO) {
+
+            $list = [FE_IMPORT_LIST_SHEET_NAMES, FE_IMPORT_READ_DATA_ONLY, FE_IMPORT_LIST_SHEET_NAMES];
+            foreach ($list as $token) {
+                if (isset($formElement[$token])) {
+                    throw new UserFormException('If ' . $token .
+                        ' is given, an explicit document type (like ' . FE_IMPORT_TYPE . '=xlsx) should be set.', ERROR_IMPORT_MISSING_EXPLICIT_TYPE);
+                }
+            }
+        }
+
        switch ($formElement[FE_IMPORT_TYPE]) {
            case FE_IMPORT_TYPE_AUTO:
                $spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($fileName);
@@ -675,6 +691,23 @@ class Save {
            case FE_IMPORT_TYPE_ODS:
                $inputFileType = ucfirst($formElement[FE_IMPORT_TYPE]);
                $reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader($inputFileType);
+
+                // setReadDataOnly
+                if (($formElement[FE_IMPORT_READ_DATA_ONLY] ?? '0') != '0') {
+                    $reader->setReadDataOnly(true);
+                }
+
+                // setLoadSheetsOnly
+                if (!empty ($importNamedSheetsOnly)) {
+                    $reader->setLoadSheetsOnly($importNamedSheetsOnly);
+                }
+
+                if (($formElement[FE_IMPORT_LIST_SHEET_NAMES] ?? '0') != '0') {
+                    $sheetNames = $reader->listWorksheetNames($fileName);
+                    throw new UserFormException("Worksheets: " . implode(', ', $sheetNames),
+                        ERROR_IMPORT_LIST_SHEET_NAMES);
+                }
+
                $spreadsheet = $reader->load($fileName);
                break;

@@ -685,7 +718,7 @@ class Save {

        $tableName = $formElement[FE_IMPORT_TO_TABLE];
        $regions = OnArray::trimArray(explode('|', $formElement[FE_IMPORT_REGION] ?? ''));
-        $columnNames = OnArray::trimArray(explode(',', $formElement[FE_IMPORT_TO_COLUMNS]));
+        $columnNames = OnArray::trimArray(explode(',', $formElement[FE_IMPORT_TO_COLUMNS] ?? ''));
        $importMode = $formElement[FE_IMPORT_MODE] ?? FE_IMPORT_MODE_APPEND;

        foreach ($regions as $region) {
@@ -789,7 +822,8 @@ class Save {
     * @throws UserFormException
     * @throws UserReportException
     */
-    private function copyUploadFile(array $formElement, array $statusUpload) {
+    private
+    function copyUploadFile(array $formElement, array $statusUpload) {
        $pathFileName = '';

        if (!isset($statusUpload[FILES_TMP_NAME]) || $statusUpload[FILES_TMP_NAME] === '') {
@@ -852,7 +886,8 @@ class Save {
     * @throws UserFormException
     * @throws UserReportException
     */
-    private function autoOrient(array $formElement, $pathFileName) {
+    private
+    function autoOrient(array $formElement, $pathFileName) {

        // 'autoOrient' wished?
        if (!isset($formElement[FE_FILE_AUTO_ORIENT]) || $formElement[FE_FILE_AUTO_ORIENT] == '0') {
@@ -893,7 +928,8 @@ class Save {
     * @throws UserFormException
     * @throws UserReportException
     */
-    private function splitUpload(array $formElement, $pathFileName, $chmod, array $statusUpload) {
+    private
+    function splitUpload(array $formElement, $pathFileName, $chmod, array $statusUpload) {

        if (empty($formElement[FE_FILE_SPLIT]) || $statusUpload[FILES_TYPE] != MIME_TYPE_SPLIT_CAPABLE) {
            return;
@@ -1016,7 +1052,8 @@ class Save {
     * @throws UserFormException
     * @throws UserReportException
     */
-    private function doUploadSlave(array $fe, $modeUpload) {
+    private
+    function doUploadSlave(array $fe, $modeUpload) {
        $sql = '';
        $flagUpdateSlaveId = false;
        $flagSlaveDeleted = false;

--- a/extension/Source/core/sample.xlsx
+++ b/extension/Source/core/sample.xlsx