
Strip control chars when unzipping.

1 parent dcf2a27 commit 4a6981940554eeae752e94008c993d0af17236ba stronk7 committed Oct 17, 2004
Showing with 1 addition and 0 deletions.
  1. +1 −0 lib/moodlelib.php
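--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -3307,6 +3307,7 @@ function unzip_cleanfilename ($p_event, &$p_header) {
 //This function is used as callback in unzip_file() function
 //to clean illegal characters for given platform and to prevent directory traversal.
 //Produces the same result as info-zip unzip.
+ $p_header['filename'] = ereg_replace('[[:cntrl:]]', '', $p_header['filename']); //strip control chars first!
 $p_header['filename'] = ereg_replace('\.\.+', '', $p_header['filename']); //directory traversal protection
 if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
 $p_header['filename'] = ereg_replace('[:*"?<>|]', '_', $p_header['filename']); //replace illegal chars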
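Review bot: The trailing comment on the added line, `//strip control chars first!`, does not say why the order matters, so a later edit could swap the two `ereg_replace` calls without noticing the regression. A control byte sitting between two dots is not matched by `\.\.+`, so if the dot pass ran first the later strip would join the dots back into `..`; I would word the comment as `//strip control chars before the '..' pass: removing one between two dots would re-create '..'`. The POSIX `ereg_*` functions are, as far as I know, not binary-safe, so it is worth confirming how a name containing a NUL byte comes out of this line. unzip_cleanfilename's body continues below the hunk.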
