MDL-49167 YUI: Fix for theme/yui_combo.php and $CFG->yuislashargs

It was too aggressively cleaning it's params (broken in MDL-48980).
moodle · Feb 16, 2015 · 21929ef · 21929ef
1 parent cfab858
commit 21929ef
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 4 deletions.
diff --git a/lib/configonlylib.php b/lib/configonlylib.php
@@ -168,9 +168,11 @@ function min_enable_zlib_compression() {
  * Note: ".php" is NOT allowed in slasharguments,
  *       it is intended for ASCII characters only.
  *
+ * @param boolean $clean - Should we do cleaning on this path argument. If you set this
+ *                         to false you MUST be very careful and do the cleaning manually.
  * @return string
  */
-function min_get_slash_argument() {
+function min_get_slash_argument($clean = true) {
     // Note: This code has to work in the same cases as normal get_file_argument(),
     //       but at the same time it may be simpler because we do not have to deal
     //       with encodings and other tricky stuff.
@@ -180,7 +182,12 @@ function min_get_slash_argument() {
     if (!empty($_GET['file']) and strpos($_GET['file'], '/') === 0) {
         // Server is using url rewriting, most probably IIS.
         // Always clean the result of this function as it may be used in unsafe calls to send_file.
-        return min_clean_param($_GET['file'], 'SAFEPATH');
+        $relativepath = $_GET['file'];
+        if ($clean) {
+            $relativepath = min_clean_param($relativepath, 'SAFEPATH');
+        }
+
+        return $relativepath;
 
     } else if (stripos($_SERVER['SERVER_SOFTWARE'], 'iis') !== false) {
         if (isset($_SERVER['PATH_INFO']) and $_SERVER['PATH_INFO'] !== '') {
@@ -199,5 +206,8 @@ function min_get_slash_argument() {
     }
 
     // Always clean the result of this function as it may be used in unsafe calls to send_file.
-    return min_clean_param($relativepath, 'SAFEPATH');
+    if ($clean) {
+        $relativepath = min_clean_param($relativepath, 'SAFEPATH');
+    }
+    return $relativepath;
 }
diff --git a/theme/yui_combo.php b/theme/yui_combo.php
@@ -458,7 +458,7 @@ function combo_params() {
         // note: buggy or misconfigured IIS does return the query string in REQUEST_URI
         return array($_SERVER['QUERY_STRING'], false);
 
-    } else if ($slashargument = min_get_slash_argument()) {
+    } else if ($slashargument = min_get_slash_argument(false)) {
         $slashargument = ltrim($slashargument, '/');
         return array($slashargument, true);