MDL-17799 proper log url sanitisation - big thanks to Full Name hacker ;-) backported from HEAD
commit a973dea1bc238ba05f1189d817c95a22d30eb9d9 1 parent 51dcac7
skodak authored
Showing with 35 additions and 14 deletions.
  1. +35 −14 course/lib.php
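--- a/course/lib.php
+++ b/course/lib.php
@@ -241,19 +241,50 @@ function make_log_url($module, $url) {
 case 'message':
 case 'calendar':
 case 'blog':
- return "/$module/$url";
+ if (strpos($url, '../') === 0) {
+ $url = ltrim($url, '.');
+ } else {
+ $url = "/course/$url";
+ }
+ break;
+ $url = "/$module/$url";
 break;
 case 'upload':
- return $url;
+ $url = $url;
 break;
 case 'library':
 case '':
- return '/';
+ $url = '/';
 break;
 default:
- return "/mod/$module/$url";
+ $url = "/mod/$module/$url";
 break;
 }
+
+ //now let's sanitise urls - there might be some ugly nasties:-(
+ $parts = explode('?', $url);
+ $script = array_shift($parts);
+ if (strpos($script, 'http') === 0) {
+ $script = clean_param($script, PARAM_URL);
+ } else {
+ $script = clean_param($script, PARAM_PATH);
+ }
+
+ $query = '';
+ if ($parts) {
+ $query = implode('', $parts);
+ $query = str_replace('&', '&', $query); // both & and & are stored in db :-|
+ $parts = explode('&', $query);
+ $eq = urlencode('=');
+ foreach ($parts as $key=>$part) {
+ $part = urlencode(urldecode($part));
+ $part = str_replace($eq, '=', $part);
+ $parts[$key] = $part;
+ }
+ $query = '?'.implode('&', $parts);
+ }
+
+ return $script.$query;
 }
@@ -415,10 +446,6 @@ function print_log($course, $user=0, $date=0, $order="l.time ASC", $page=0, $per
 //Filter log->info
 $log->info = format_string($log->info);
- $log->url = strip_tags(urldecode($log->url)); // Some XSS protection
- $log->info = strip_tags(urldecode($log->info)); // Some XSS protection
- $log->url = s($log->url); /// XSS protection and XHTML compatibility - should be in link_to_popup_window() instead!!
-
 echo '<tr class="r'.$row.'">';
 if ($course->id == SITEID) {
 echo "<td class=\"r$row c0\" nowrap=\"nowrap\">\n";
@@ -506,10 +533,7 @@ function print_log_csv($course, $user, $date, $order='l.time DESC', $modname,
 //Filter log->info
 $log->info = format_string($log->info);
-
- $log->url = strip_tags(urldecode($log->url)); // Some XSS protection
 $log->info = strip_tags(urldecode($log->info)); // Some XSS protection
- $log->url = str_replace('&', '&amp;', $log->url); /// XHTML compatibility
 $firstField = $courses[$log->course];
 $fullname = fullname($log, has_capability('moodle/site:viewfullnames', get_context_instance(CONTEXT_COURSE, $course->id)));
@@ -710,10 +734,7 @@ function print_log_ooo($course, $user, $date, $order='l.time DESC', $modname,
 // Filter log->info
 $log->info = format_string($log->info);
-
- $log->url = strip_tags(urldecode($log->url)); // Some XSS protection
 $log->info = strip_tags(urldecode($log->info)); // Some XSS protection
- $log->url = str_replace('&', '&amp;', $log->url); // XHTML compatibility
 $firstField = $courses[$log->course];
 $fullname = fullname($log, has_capability('moodle/site:viewfullnames', get_context_instance(CONTEXT_COURSE, $course->id)));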
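Review bot: In the make_log_url hunk, `$query = implode('', $parts);` glues together everything after the first `?`, so a stored URL carrying a second `?` (say `view.php?id=1?x=2`) silently becomes `?id=1x=2` instead of keeping its text; `$query = implode('?', $parts);` preserves it and the later `urlencode()` emits the extra `?` as `%3F`. As rendered, `$url = "/$module/$url";` sits after a `break;` and is unreachable, and `$url = $url;` in the upload case is a no-op — the first is probably a case label dropped by the page rendering (the hunk line counts do not match what is shown), but the second can be removed, leaving that case with just `break;`. The three print_log* hunks drop the per-call `strip_tags`/`s()` guards on `$log->url`, so the cleaned path and query returned by make_log_url become the only barrier before the value is echoed into markup; the echo sites are outside the hunks, so confirm every printed `$log->url` goes through make_log_url first. print_log also drops its `strip_tags(urldecode($log->info))` line while print_log_csv and print_log_ooo keep theirs; if that is deliberate, a one-line comment at the removal saying why would save the next reader the question. make_log_url's signature lies above the hunk and its body runs through to the closing brace shown.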