
MDL-37746 qtype_shortanser: avoid normalizer_normalize dangers.

When an error occurs, normalizer_normalize just silently returns null,
which is dangerous. Here, we wrap it in a safe helper function.
1 parent 1918a24 commit a74d924c25f0010fce6f186eb93a003203a37817 @timhunt timhunt committed Jan 29, 2013
Showing with 29 additions and 4 deletions.
  1. +29 −4 question/type/shortanswer/question.php
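--- a/question/type/shortanswer/question.php
+++ b/question/type/shortanswer/question.php
@@ -87,6 +87,11 @@ public function compare_response_with_answer(array $response, question_answer $a
 }
 public static function compare_string_with_wildcard($string, $pattern, $ignorecase) {
+
+ // Normalise any non-canonical UTF-8 characters before we start.
+ $pattern = self::safe_normalize($pattern);
+ $string = self::safe_normalize($string);
+
 // Break the string on non-escaped asterisks.
 $bits = preg_split('/(?<!\\\\)\*/', $pattern);
 // Escape regexp special characters in the bits.
@@ -102,12 +107,32 @@ public static function compare_string_with_wildcard($string, $pattern, $ignoreca
 $regexp .= 'i';
 }
- if (function_exists('normalizer_normalize')) {
- $regexp = normalizer_normalize($regexp, Normalizer::FORM_C);
- $string = normalizer_normalize($string, Normalizer::FORM_C);
+ return preg_match($regexp, trim($string));
+ }
+
+ /**
+ * Normalise a UTf-8 string to FORM_C, avoiding the pitfalls in PHP's
+ * normalizer_normalize function.
+ * @param string $string the input string.
+ * @return string the normalised string.
+ */
+ protected static function safe_normalize($string) {
+ if (!$string) {
+ return '';
 }
- return preg_match($regexp, trim($string));
+ if (!function_exists('normalizer_normalize')) {
+ return $string;
+ }
+
+ $normalised = normalizer_normalize($string, Normalizer::FORM_C);
+ if (!$normalised) {
+ // An error occurred in normalizer_normalize, but we have no idea what.
+ debugging('Failed to normalise string: ' . $string, DEBUG_DEVELOPER);
+ return $string; // Return the original string, since it is the best we have.
+ }
+
+ return $normalised;
 }
 public function get_correct_response() {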
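Review bot: The `if (!$string)` guard at the top of safe_normalize() also fires for the string '0', because PHP treats '0' as falsy, so an answer pattern or a student response of 0 is replaced by '' before the wildcard match is built. Since compare_string_with_wildcard() now normalises both arguments up front, a pattern of 0 would presumably be compared as an empty pattern and could match an empty response. Test for emptiness explicitly, `if ($string === null || $string === '') {`, and check the result the same way, `if ($normalised === null || $normalised === false) {`, so that only a genuine normalizer failure takes the fallback branch. The fallback also concatenates the raw user-supplied `$string` into the debugging() message; whether that output is escaped is not visible here and is worth confirming. The part of compare_string_with_wildcard() that builds `$regexp` lies between the two hunks and is not shown.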
