Included fix by Jaime Villate posted Sunday, 8 May 2005, 10:45 PM

moodle · May 30, 2005 · 6036083 · 6036083
1 parent 220c143
commit 6036083
Showing 1 changed file with 7 additions and 42 deletions.
diff --git a/admin/langdoc.php b/admin/langdoc.php
@@ -4,8 +4,10 @@
 This script enables Moodle translators to edit /docs and /help language
 files directly via WWW interface.
 
-Author:     mudrd8mz@it.pedf.cuni.cz (http://moodle.cz)
+Author:     mudrd8mz@uxit.pedf.cuni.cz (http://moodle.cz)
 Based on:   lang.php in 1.4.3+ release
+Thanks:     Jaime Villate for important bug fixing, koen roggemans for his job and all moodlers
+            for intensive testing of this my first contribution
 */
 
     //
@@ -21,11 +23,6 @@
 
     require_once("../config.php");
 
-    // 
-    // SECURITY NOTE
-    // Option PARAM_PATH prevents requesting langdoc.php with eg. currentfile=../../config.php
-    // which could give potential hacker direct access to the source of config.php
-    //
     $currentfile = optional_param('currentfile', 'docs/README.txt', PARAM_PATH); 
 
     require_login();
@@ -163,10 +160,7 @@
 
         echo "<table align=\"center\"><tr valign=\"center\"><td align=\"center\">\n";
         echo "<textarea rows=\"$fileeditorrows\" cols=\"$fileeditorcols\" name=\"\">\n";
-        $currentsource = langdoc_read_file($enlangdir,$currentfile);
+        echo htmlspecialchars(file_get_contents("$enlangdir/$currentfile"));
-        if ($currentsource) {
-            echo $currentsource;
-        }
         echo "</textarea>\n";
         link_to_popup_window("/lang/en/$currentfile", "popup", get_string("preview"));
         echo "</td>\n";
@@ -184,10 +178,7 @@
         echo "<textarea rows=\"$fileeditorrows\" cols=\"$fileeditorcols\" name=\"filedata\">\n";
 
         if (file_exists("$langdir/$currentfile")) {
-            $currentsource = langdoc_read_file($langdir,$currentfile);
+	    echo htmlspecialchars(file_get_contents("$langdir/$currentfile"));
-            if ($currentsource) {
-                echo $currentsource;
-            }
         } else {
             echo ($filetemplate);
         }
@@ -208,30 +199,6 @@
 
 //////////////////////////////////////////////////////////////////////
 
-function langdoc_read_file($path, $file){
-//
-// reads the file without PHP parsing and returns its content as string
-// returns false if the file can't be open to read 
-//
-
-    global $CFG, $USER;
-
-    error_reporting(0);
-
-    if (!$f = fopen("$path/$file","r")) {
-        error_reporting($CFG->debug);
-        return false;
-    }
-
-    error_reporting($CFG->debug);
-
-    $content = fread($f,filesize ("$path/$file"));
-
-    fclose($f);
-
-    return $content;
-}
-
 function langdoc_save_file($path, $file, $content) {
 
 // $path is a full pathname to the file
@@ -251,11 +218,9 @@ function langdoc_save_file($path, $file, $content) {
 
     $content = str_replace("\r", "",$content);              // Remove linefeed characters
     $content = preg_replace("/\n{3,}/", "\n\n", $content);  // Collapse runs of blank lines
-    $content = str_replace("\\","",$content);               // Delete all slashes
-    $content = str_replace("%%","%",$content);
     $content = trim($content);                              // Delete leading/trailing whitespace
-
+        
-    fwrite($f, $content);
+    fwrite($f, stripslashes($content));
 
     fclose($f);