
I am developing a module for my client to upload and browse files in OpenCart. When I upload a file from my back-end server, the output is file.zip.xyzasdf. I just want to remove this .xyzasdf suffix. Can anyone suggest how to remove this sanitizing from the following code?

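/**
 * Validate an uploaded file and store it under DIR_FOLDER, replying with JSON.
 *
 * Checks, in order: the 'modify' permission on catalog/download, the filename
 * length (3 to 128 characters), the extension and the MIME type against the
 * configured allow-lists, a scan for an opening PHP tag, and PHP's own upload
 * error code. A later failing check overwrites the message of an earlier one.
 *
 * The JSON reply carries either 'error', or 'filename' (the stored name),
 * 'mask' (the original name) and 'success'.
 *
 * @return void
 */
public function upload() {
    $this->load->language('catalog/download');

    $json = array();

    // Check user has permission
    if (!$this->user->hasPermission('modify', 'catalog/download')) {
        $json['error'] = $this->language->get('error_permission');
    }

    if (!$json) {
        if (!empty($this->request->files['file']['name']) && is_file($this->request->files['file']['tmp_name'])) {
            // Entity-decode the client-supplied name, then keep only its last path component.
            $filename = basename(html_entity_decode($this->request->files['file']['name'], ENT_QUOTES, 'UTF-8'));

            // Validate the filename length
            $length = utf8_strlen($filename);

            if (($length < 3) || ($length > 128)) {
                $json['error'] = $this->language->get('error_filename');
            }

            // Allowed file extension types, one per line in the setting.
            // Blank lines are dropped: an empty entry would otherwise match a
            // filename that has no extension at all.
            $extension_allowed = preg_replace('~\r?\n~', "\n", (string)$this->config->get('config_file_ext_allowed'));

            $allowed = array_filter(array_map('trim', explode("\n", $extension_allowed)), 'strlen');

            // strrchr() returns false when the name contains no dot.
            $dot = strrchr($filename, '.');
            $extension = ($dot === false) ? '' : strtolower((string)substr($dot, 1));

            if (!in_array($extension, $allowed, true)) {
                $json['error'] = $this->language->get('error_filetype');
            }

            // Allowed file mime types, same format and same blank-line handling.
            // NOTE(review): 'type' is the value declared in the upload request,
            // not one derived from the file's bytes, so this only filters what
            // the client claims. Consider a server-side content check (for
            // example the fileinfo extension) in addition.
            $mime_allowed = preg_replace('~\r?\n~', "\n", (string)$this->config->get('config_file_mime_allowed'));

            $allowed = array_filter(array_map('trim', explode("\n", $mime_allowed)), 'strlen');

            if (!in_array($this->request->files['file']['type'], $allowed, true)) {
                $json['error'] = $this->language->get('error_filetype');
            }

            // Check to see if any PHP files are trying to be uploaded.
            // Only the long '<?php' opening tag is matched, so this is one
            // layer of defence rather than a guarantee. A file that cannot be
            // read is rejected instead of being treated as clean.
            $content = file_get_contents($this->request->files['file']['tmp_name']);

            if ($content === false || preg_match('/\<\?php/i', $content)) {
                $json['error'] = $this->language->get('error_filetype');
            }

            // Return any upload error. The comparison stays loose because the
            // request wrapper may hand the code back as a string.
            if ($this->request->files['file']['error'] != UPLOAD_ERR_OK) {
                $json['error'] = $this->language->get('error_upload_' . $this->request->files['file']['error']);
            }
        } else {
            $json['error'] = $this->language->get('error_upload');
        }
    }

    if (!$json) {
        // The stored name is the original name plus a token(32) suffix, so it
        // no longer ends in the uploaded extension; 'mask' keeps the original
        // name for display. Presumably this also keeps stored names from
        // colliding or being guessed - confirm against token().
        $file = $filename . '.' . token(32);

        // Report success only when the file really reached its destination.
        if (move_uploaded_file($this->request->files['file']['tmp_name'], DIR_FOLDER . $file)) {
            $json['filename'] = $file;
            $json['mask'] = $filename;

            $json['success'] = $this->language->get('text_upload');
        } else {
            $json['error'] = $this->language->get('error_upload');
        }
    }

    $this->response->addHeader('Content-Type: application/json');
    $this->response->setOutput(json_encode($json));
}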

Any help would be greatly appreciated... Thanks

DigitCart

1 Answer


Removing the random string that is added to the filename is simple. Just change

// Current call: $file is the original name plus '.' and token(32).
// The question's code writes to DIR_FOLDER rather than DIR_UPLOAD.
move_uploaded_file($this->request->files['file']['tmp_name'], DIR_UPLOAD . $file);

to:

// Only the on-disk name changes here. upload() still returns $file (name plus
// token) as 'filename', so the reported name and the stored name no longer match.
move_uploaded_file($this->request->files['file']['tmp_name'], DIR_UPLOAD . $filename);

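But keep in mind that this will cause problems. OpenCart saves the random string in the database at the time of file upload, so it will later use it to identify the file. If you remove this feature, the uploaded files will not be available in the admin panel. Without the suffix the stored name is also predictable and keeps its original extension, and a second upload with the same name overwrites the first.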

DigitCart
  • @DigiCart if removing that string is a problem, is there any method by which I can load a file (for example, open a PDF file) on the website? – Mohammed Ayan Dec 24 '17 at 18:48