merged from MOODLE_14_STABLE; updated parameter cleaning, preparation for new file.php SC#5
commit d52d5a8e85b85fc83a0909e8a0aceb67ed4e2d87 1 parent 7e0286a
skodak authored
Showing with 10 additions and 6 deletions.
  1. +10 −6 lib/moodlelib.php
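--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -189,19 +189,23 @@ function clean_param($param, $options) {
 }
 if ($options & PARAM_FILE) { // Strip all suspicious characters from filename
-$param = str_replace('\\', '/', $param);
-$param = basename($param);
-$param = ereg_replace('\.\.+', '', $param);
-$param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param);
+$param = clean_param($param, PARAM_PATH);
+$pos = strrpos($param,'/');
+if ($pos !== FALSE) {
+$param = substr($param, $pos+1);
+}
 if ($param === '.' or $param === ' ') {
 $param = '';
-}
+}
 }
 if ($options & PARAM_PATH) { // Strip all suspicious characters from file path
+$param = str_replace('\\\'', '\'', $param);
+$param = str_replace('\\"', '"', $param);
 $param = str_replace('\\', '/', $param);
+$param = ereg_replace('[[:cntrl:]]|[<>"`\|\']', '', $param);
 $param = ereg_replace('\.\.+', '', $param);
-$param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param);
+$param = ereg_replace('//+', '/', $param);
 }
 return $param;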
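Review bot: The two str_replace calls added at the top of the PARAM_PATH branch turn `\'` and `\"` back into bare quotes before the quote is stripped by the regex, but nothing says why they exist (it looks like compensation for addslashes/magic_quotes-style input, which the backslash-to-slash conversion on the next line would otherwise turn into a bogus path separator — confirm); add `// undo escaped quotes first so the backslash is not turned into a path separator below` above them. The new ordering in that branch is security-relevant and deserves a comment of its own: control characters are now removed before the `\.\.+` dot-run removal, so a `.` NUL `.` sequence can no longer reassemble into `..`, and the `//+` collapse runs last so `a/../b` ends up as `a/b` rather than `a//b`; suggest `// order matters: strip cntrl chars before dot-runs, then collapse the slashes the removal leaves behind`. A leading `/` still passes PARAM_PATH untouched, so callers must still anchor the result under a trusted base directory rather than treat the cleaned value as safe on its own. The ereg family is, as far as I recall, not binary-safe, so it is worth confirming with a test that a NUL byte in the input is actually dropped by `[[:cntrl:]]` rather than truncating the string at that point. clean_param's body starts before and continues after this hunk.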