
MDL-17799 proper log url sanitisation - big thanks to Full Name hacker ;-) backported from HEAD
skodak committed Jan 7, 2009
1 parent 51dcac7 commit a973dea
Showing 1 changed file with 35 additions and 14 deletions.
49 changes: 35 additions & 14 deletions course/lib.php
Expand Up @@ -241,19 +241,50 @@ function make_log_url($module, $url) {
case 'message': case 'message':
case 'calendar': case 'calendar':
case 'blog': case 'blog':
return "/$module/$url"; if (strpos($url, '../') === 0) {
$url = ltrim($url, '.');
} else {
$url = "/course/$url";
}
break;
$url = "/$module/$url";
break; break;
case 'upload': case 'upload':
return $url; $url = $url;
break; break;
case 'library': case 'library':
case '': case '':
return '/'; $url = '/';
break; break;
default: default:
return "/mod/$module/$url"; $url = "/mod/$module/$url";
break; break;
} }

//now let's sanitise urls - there might be some ugly nasties:-(
$parts = explode('?', $url);
$script = array_shift($parts);
if (strpos($script, 'http') === 0) {
$script = clean_param($script, PARAM_URL);
} else {
$script = clean_param($script, PARAM_PATH);
}

$query = '';
if ($parts) {
$query = implode('', $parts);
$query = str_replace('&', '&', $query); // both & and & are stored in db :-|
$parts = explode('&', $query);
$eq = urlencode('=');
foreach ($parts as $key=>$part) {
$part = urlencode(urldecode($part));
$part = str_replace($eq, '=', $part);
$parts[$key] = $part;
}
$query = '?'.implode('&', $parts);
}

return $script.$query;
} }




Expand Down Expand Up @@ -415,10 +446,6 @@ function print_log($course, $user=0, $date=0, $order="l.time ASC", $page=0, $per
//Filter log->info //Filter log->info
$log->info = format_string($log->info); $log->info = format_string($log->info);


$log->url = strip_tags(urldecode($log->url)); // Some XSS protection
$log->info = strip_tags(urldecode($log->info)); // Some XSS protection
$log->url = s($log->url); /// XSS protection and XHTML compatibility - should be in link_to_popup_window() instead!!

echo '<tr class="r'.$row.'">'; echo '<tr class="r'.$row.'">';
if ($course->id == SITEID) { if ($course->id == SITEID) {
echo "<td class=\"r$row c0\" nowrap=\"nowrap\">\n"; echo "<td class=\"r$row c0\" nowrap=\"nowrap\">\n";
Expand Down Expand Up @@ -506,10 +533,7 @@ function print_log_csv($course, $user, $date, $order='l.time DESC', $modname,


//Filter log->info //Filter log->info
$log->info = format_string($log->info); $log->info = format_string($log->info);

$log->url = strip_tags(urldecode($log->url)); // Some XSS protection
$log->info = strip_tags(urldecode($log->info)); // Some XSS protection $log->info = strip_tags(urldecode($log->info)); // Some XSS protection
$log->url = str_replace('&', '&amp;', $log->url); /// XHTML compatibility


$firstField = $courses[$log->course]; $firstField = $courses[$log->course];
$fullname = fullname($log, has_capability('moodle/site:viewfullnames', get_context_instance(CONTEXT_COURSE, $course->id))); $fullname = fullname($log, has_capability('moodle/site:viewfullnames', get_context_instance(CONTEXT_COURSE, $course->id)));
Expand Down Expand Up @@ -710,10 +734,7 @@ function print_log_ooo($course, $user, $date, $order='l.time DESC', $modname,
// Filter log->info // Filter log->info
$log->info = format_string($log->info); $log->info = format_string($log->info);
$log->url = strip_tags(urldecode($log->url)); // Some XSS protection
$log->info = strip_tags(urldecode($log->info)); // Some XSS protection $log->info = strip_tags(urldecode($log->info)); // Some XSS protection
$log->url = str_replace('&', '&amp;', $log->url); // XHTML compatibility
$firstField = $courses[$log->course]; $firstField = $courses[$log->course];
$fullname = fullname($log, has_capability('moodle/site:viewfullnames', get_context_instance(CONTEXT_COURSE, $course->id))); $fullname = fullname($log, has_capability('moodle/site:viewfullnames', get_context_instance(CONTEXT_COURSE, $course->id)));
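Review bot: The `$part = str_replace($eq, '=', $part);` step in the new query-string loop turns back every `%3D` that `urlencode()` produced, so a value that legitimately carried an encoded `=` (base64 padding such as `%3D%3D`) comes out as a bare `=` and the logged URL silently changes meaning; splitting each pair on its first `=` and re-encoding key and value separately keeps the separator while preserving encoded `=` inside values (the `$eq = urlencode('=');` line is then unnecessary). The same block builds the query with `$query = implode('', $parts);`, which glues together anything after a second `?`; `$query = implode('?', $parts);` keeps the original text and the re-encoding pass neutralises the extra `?` as `%3F`. The `strpos($script, 'http') === 0` branch is a loose prefix test, so a relative script name that happens to begin with `http` is validated as an absolute URL instead of being cleaned as a path — `strpos($script, 'http://') === 0 || strpos($script, 'https://') === 0` is presumably what was meant. Since this commit also drops the `s()` and `&amp;` escaping in print_log, print_log_csv and print_log_ooo, the `&`-joined return value now relies on the link helper that consumes it to HTML-escape the href, which lives outside these hunks and is worth confirming. make_log_url's signature and the earlier switch cases lie above the hunk.
```php
    $parts = explode('&', $query);
    foreach ($parts as $key=>$part) {
        // Split on the first '=' only: the key/value separator is restored verbatim,
        // while an encoded '=' inside a value (e.g. base64 padding) survives re-encoding.
        $kv = explode('=', $part, 2);
        foreach ($kv as $i=>$piece) {
            $kv[$i] = urlencode(urldecode($piece));
        }
        $parts[$key] = implode('=', $kv);
    }
    $query = '?'.implode('&', $parts);
```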
