relative+cleaned paths

moodle · Aug 29, 2006 · 2a05e82 · 2a05e82
1 parent 68905e2
commit 2a05e82
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 24 deletions.
diff --git a/admin/xmldb/actions/delete_field/delete_field.class.php b/admin/xmldb/actions/delete_field/delete_field.class.php
@@ -63,8 +63,8 @@ function invoke() {
     /// Do the job, setting result as needed
 
     /// Get the dir containing the file
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
         $tableparam = required_param('table', PARAM_CLEAN);
         $fieldparam = required_param('field', PARAM_CLEAN);
 
@@ -77,11 +77,11 @@ function invoke() {
             $o.= '    <p align="center">' . $this->str['confirmdeletefield'] . '<br /><br />' . $fieldparam . '</p>';
             $o.= '    <table align="center" cellpadding="20"><tr><td>';
             $o.= '      <div class="singlebutton">';
-            $o.= '        <form action="index.php?action=delete_field&amp;confirmed=yes&amp;postaction=edit_table&amp;field=' . $fieldparam . '&amp;table=' . $tableparam . '&amp;dir=' . urlencode($dirpath) . '" method="post">';
+            $o.= '        <form action="index.php?action=delete_field&amp;confirmed=yes&amp;postaction=edit_table&amp;field=' . $fieldparam . '&amp;table=' . $tableparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post">';
             $o.= '          <input type="submit" value="'. $this->str['yes'] .'" /></form></div>';
             $o.= '      </td><td>';
             $o.= '      <div class="singlebutton">';
-            $o.= '        <form action="index.php?action=edit_table&amp;table=' . $tableparam . '&amp;dir=' . urlencode($dirpath) . '" method="post">';
+            $o.= '        <form action="index.php?action=edit_table&amp;table=' . $tableparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post">';
             $o.= '          <input type="submit" value="'. $this->str['no'] .'" /></form></div>';
             $o.= '      </td></tr>';
             $o.= '    </table>';

diff --git a/admin/xmldb/actions/edit_field/edit_field.class.php b/admin/xmldb/actions/edit_field/edit_field.class.php
@@ -65,8 +65,8 @@ function invoke() {
 
     /// Do the job, setting result as needed
     /// Get the dir containing the file
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 
     /// Get the correct dirs
         if (!empty($XMLDB->dbdirs)) {
@@ -99,7 +99,7 @@ function invoke() {
 
     /// Add the main form
         $o = '<form name="form" id="form" action="index.php" method="post">';
-        $o.= '    <input type="hidden" name ="dir" value="' . $dirpath . '" />';
+        $o.= '    <input type="hidden" name ="dir" value="' . str_replace($CFG->dirroot, '', $dirpath) . '" />';
         $o.= '    <input type="hidden" name ="table" value="' . $tableparam .'" />';
         $o.= '    <input type="hidden" name ="field" value="' . $fieldparam .'" />';
         $o.= '    <input type="hidden" name ="action" value="edit_field_save" />';
@@ -175,18 +175,18 @@ function invoke() {
         $b = ' <p align="center" class="buttons">';
     /// The view original XML button
         if ($table->getField($fieldparam)) {
-            $b .= '&nbsp;<a href="index.php?action=view_field_xml&amp;dir=' . urlencode($dirpath) . '&amp;select=original&amp;table=' . $tableparam . '&amp;field=' . $fieldparam . '" target="_blank">[' . $this->str['vieworiginal'] . ']</a>';
+            $b .= '&nbsp;<a href="index.php?action=view_field_xml&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '&amp;select=original&amp;table=' . $tableparam . '&amp;field=' . $fieldparam . '" target="_blank">[' . $this->str['vieworiginal'] . ']</a>';
         } else {
             $b .= '&nbsp;[' . $this->str['vieworiginal'] . ']';
         }
     /// The view edited XML button
         if ($field->hasChanged()) {
-            $b .= '&nbsp;<a href="index.php?action=view_field_xml&amp;dir=' . urlencode($dirpath) . '&amp;select=edited&amp;table=' . $tableparam . '&amp;field=' . $fieldparam . '" target="_blank">[' . $this->str['viewedited'] . ']</a>';
+            $b .= '&nbsp;<a href="index.php?action=view_field_xml&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '&amp;select=edited&amp;table=' . $tableparam . '&amp;field=' . $fieldparam . '" target="_blank">[' . $this->str['viewedited'] . ']</a>';
         } else {
             $b .= '&nbsp;[' . $this->str['viewedited'] . ']';
         }
     /// The back to edit table button
-        $b .= '&nbsp;<a href="index.php?action=edit_table&amp;table=' . $tableparam . '&amp;dir=' . urlencode($dirpath) . '">[' . $this->str['back'] . ']</a>';
+        $b .= '&nbsp;<a href="index.php?action=edit_table&amp;table=' . $tableparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '">[' . $this->str['back'] . ']</a>';
         $b .= '</p>';
         $o .= $b;
 

diff --git a/admin/xmldb/actions/edit_table_save/edit_table_save.class.php b/admin/xmldb/actions/edit_table_save/edit_table_save.class.php
@@ -65,6 +65,10 @@ function invoke() {
 
     /// Do the job, setting result as needed
 
+        if (!data_submitted('nomatch')) { ///Basic prevention
+            error('Wrong action call');
+        }
+
     /// Get parameters
         $dirpath = required_param('dir', PARAM_PATH);
         $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);

diff --git a/admin/xmldb/actions/move_updown_field/move_updown_field.class.php b/admin/xmldb/actions/move_updown_field/move_updown_field.class.php
@@ -61,8 +61,8 @@ function invoke() {
 
     /// Do the job, setting result as needed
     /// Get the dir containing the file
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 
     /// Get the correct dirs
         if (!empty($XMLDB->dbdirs)) {

diff --git a/admin/xmldb/actions/new_field/new_field.class.php b/admin/xmldb/actions/new_field/new_field.class.php
@@ -61,8 +61,8 @@ function invoke() {
 
     /// Do the job, setting result as needed
     /// Get the dir containing the file
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 
     /// Get the correct dirs
         if (!empty($XMLDB->dbdirs)) {

diff --git a/admin/xmldb/actions/view_field_xml/view_field_xml.class.php b/admin/xmldb/actions/view_field_xml/view_field_xml.class.php
@@ -61,12 +61,12 @@ function invoke() {
     /// Do the job, setting result as needed
 
     /// Get the file parameter
-        $field =  required_param('field', PARAM_CLEAN);
-        $table =  required_param('table', PARAM_CLEAN);
+        $field =  required_param('field', PARAM_PATH);
+        $table =  required_param('table', PARAM_PATH);
         $select = required_param('select', PARAM_ALPHA); //original/edited
     /// Get the dir containing the file
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 
     /// Get the correct dir
         if ($select == 'original') {

diff --git a/admin/xmldb/actions/view_table_sql/view_table_sql.class.php b/admin/xmldb/actions/view_table_sql/view_table_sql.class.php
@@ -62,8 +62,8 @@ function invoke() {
 
     /// Do the job, setting result as needed
     /// Get the dir containing the file
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 
     /// Get the correct dirs
         if (!empty($XMLDB->dbdirs)) {
@@ -78,12 +78,12 @@ function invoke() {
     /// ADD YOUR CODE HERE
 
     /// Get parameters
-        $tableparam = required_param('table', PARAM_CLEAN);
+        $tableparam = required_param('table', PARAM_PATH);
         if (!$table =& $structure->getTable($tableparam)) {
             $this->errormsg = 'Wrong table specified: ' . $tableparm;
             return false;
         }
-        $generatorparam = optional_param('generator', null, PARAM_CLEAN);
+        $generatorparam = optional_param('generator', null, PARAM_ALPHANUM);
         if (empty($generatorparam)) {
             $generatorparam = $CFG->dbtype;
         }
@@ -101,15 +101,15 @@ function invoke() {
 
         /// The back to edit table button
         $b = ' <p align="center" class="buttons">';
-        $b .= '<a href="index.php?action=edit_table&amp;table=' . $tableparam . '&amp;dir=' . urlencode($dirpath) . '">[' . $this->str['back'] . ']</a>';
+        $b .= '<a href="index.php?action=edit_table&amp;table=' . $tableparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '">[' . $this->str['back'] . ']</a>';
         $b .= '</p>';
         $o = $b;
 
         $o.= '    <table id="formelements" align="center" cellpadding="5">';
         $o.= '      <tr><td align="center">' . $this->str['selectdb'];
 
     /// Show the popup of generators
-        $url = 'index.php?action=view_table_sql&amp;table=' . $tableparam . '&amp;dir=' . urlencode($dirpath) . '&amp;generator=';
+        $url = 'index.php?action=view_table_sql&amp;table=' . $tableparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '&amp;generator=';
         $o.= popup_form($url, $generators, 'selectgenerator', $generatorparam, '', '', '' , true);
         $o.= '      </td></tr>';
         $o.= '      <tr><td><textarea cols="80" rows="32">';