
Latest patches from skodak included in param functions.

Simple and double quotes are out now.
Full paths in unzip are now hidden too.

Please test it. It may still have some pending changes.
1 parent 882a125 commit 27974c8587ace78f708074a617fb42299dfc05c4 stronk7 committed Oct 16, 2004
Showing with 12 additions and 6 deletions.
  1. +12 −6 lib/moodlelib.php
@@ -113,13 +113,19 @@ function clean_param($param, $options) {
}
if ($options & PARAM_FILE) { // Strip all suspicious characters from filename
- $param = eregi_replace('\.\.+', '', $param);
- // TO BE EXPANDED WITH MORE CHECKS
+ $param = str_replace('\\', '/', $param);
+ $param = basename($param);
+ $param = ereg_replace('\.\.+', '', $param);
+ $param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param);
+ if ($param === '.' or $param === ' ') {
+ $param = '';
+ }
}
if ($options & PARAM_PATH) { // Strip all suspicious characters from file path
- $param = eregi_replace('\.\.+', '', $param);
- // TO BE EXPANDED WITH MORE CHECKS
+ $param = str_replace('\\', '/', $param);
+ $param = ereg_replace('\.\.+', '', $param);
+ $param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param);
}
return $param;
@@ -3120,7 +3126,7 @@ function mtrace($string, $eol="\n") {
flush();
}
-//Replace 2 or more slashes to one
+//Replace 1 or more slashes or backslashes to 1 slash
function cleardoubleslashes ($path) {
return preg_replace('/(\/|\\\){1,}/','/',$path);
}
@@ -3344,7 +3350,7 @@ function unzip_show_status ($list,$removepath) {
print_simple_box_start("center");
echo "<PRE>";
foreach ($list as $item) {
- echo $item.'<br />';
+ echo str_replace(cleardoubleslashes($removepath.'/'), '', $item).'<br />';
}
echo "</PRE>";
print_simple_box_end();
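Review bot: In the PARAM_FILE branch the `\.\.+` removal (`ereg_replace('\.\.+', '', $param)`) runs before the character strip on the following line, so a single dot, a stripped character and another single dot are rejoined into `..` by the second replacement and the result is never re-checked; the PARAM_PATH branch repeats the same ordering. Swapping the two calls in each branch closes that gap: `$param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param);` followed by `$param = ereg_replace('\.\.+', '', $param);` — or run the dot removal in a loop until the string stops changing. The final `$param === '.'` test would also miss a `..` produced this way, so it is worth extending to `..` once the order is fixed. Note that PARAM_PATH still accepts a leading `/`, so absolute paths appear to pass through unchanged; confirm that is intended at the call sites. clean_param begins before this hunk.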

