updated parameter cleaning, preparation for new file.php SC#5

1 parent 37ac5df commit 175885e3fffbe3a98b119f55dc8d86959ae1ab5f skodak committed Nov 19, 2004
Showing with 10 additions and 6 deletions.
  1. +10 −6 lib/moodlelib.php
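--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -113,19 +113,23 @@ function clean_param($param, $options) {
 }
 if ($options & PARAM_FILE) { // Strip all suspicious characters from filename
-$param = str_replace('\\', '/', $param);
-$param = basename($param);
-$param = ereg_replace('\.\.+', '', $param);
-$param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param);
+$param = clean_param($param, PARAM_PATH);
+$pos = strrpos($param,'/');
+if ($pos !== FALSE) {
+$param = substr($param, $pos+1);
+}
 if ($param === '.' or $param === ' ') {
 $param = '';
-}
+}
 }
 if ($options & PARAM_PATH) { // Strip all suspicious characters from file path
+$param = str_replace('\\\'', '\'', $param);
+$param = str_replace('\\"', '"', $param);
 $param = str_replace('\\', '/', $param);
+$param = ereg_replace('[[:cntrl:]]|[<>"`\|\']', '', $param);
 $param = ereg_replace('\.\.+', '', $param);
-$param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param);
+$param = ereg_replace('//+', '/', $param);
 }
 return $param;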
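Review bot: The PARAM_PATH branch leaves a leading `/` (and a prefix such as `c:/`, since `:` is not in the stripped set) in the cleaned value, so the result is only safe if every caller anchors it under a fixed root like `$CFG->dataroot` rather than opening it as given, and that contract is not stated anywhere in the hunk; I would add `// NOTE: result may still be absolute or drive-prefixed - callers must prefix a fixed root` above the branch. The traversal defence itself reads as sound in the new order: quotes, brackets and control characters are removed on line 32 before `\.\.+` is stripped on line 33, so `.<.` can no longer be reassembled into `..`, and the later `//+` collapse only shortens slash runs to one, so it cannot bring two dots together. It is, however, a rewrite-and-continue sanitizer: `../../x` silently becomes `/x`, so a caller that wants to refuse rather than repair hostile input still has to compare the cleaned value with the original. The two unconditional `str_replace` calls on lines 29-30 look like they undo magic_quotes_gpc escaping (if so, say so in a comment, e.g. `// undo magic_quotes-style \' and \" before backslashes become separators`), because with quoting off a literal `foo\'bar` now cleans to `foobar` where the old code produced `foo/bar`. The enclosing clean_param() starts before this hunk and its closing brace lies past it.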
