
MDL-17799 proper log url sanitisation - big thanks to Full Name hacker ;-) backported from HEAD
1 parent 6909a0e commit f4ac741224f53afa0c23bf1b6f888b8e64ef3eee skodak committed Jan 7, 2009
Showing with 34 additions and 17 deletions.
  1. +34 −17 course/lib.php
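--- a/course/lib.php
+++ b/course/lib.php
@@ -244,24 +244,52 @@ function make_log_url($module, $url) {
 case 'message':
 case 'calendar':
 case 'blog':
- return "/$module/$url";
+ if (strpos($url, '../') === 0) {
+ $url = ltrim($url, '.');
+ } else {
+ $url = "/course/$url";
+ }
 break;
 case 'mnet course':
- return "/course/$url";
+ $url = "/course/$url";
 break;
 case 'upload':
- return $url;
+ $url = $url;
 break;
 case 'library':
 case '':
- return '/';
+ $url = '/';
 break;
 default:
- return "/mod/$module/$url";
+ $url = "/mod/$module/$url";
 break;
 }
-}
+ //now let's sanitise urls - there might be some ugly nasties:-(
+ $parts = explode('?', $url);
+ $script = array_shift($parts);
+ if (strpos($script, 'http') === 0) {
+ $script = clean_param($script, PARAM_URL);
+ } else {
+ $script = clean_param($script, PARAM_PATH);
+ }
+
+ $query = '';
+ if ($parts) {
+ $query = implode('', $parts);
+ $query = str_replace('&', '&', $query); // both & and & are stored in db :-|
+ $parts = explode('&', $query);
+ $eq = urlencode('=');
+ foreach ($parts as $key=>$part) {
+ $part = urlencode(urldecode($part));
+ $part = str_replace($eq, '=', $part);
+ $parts[$key] = $part;
+ }
+ $query = '?'.implode('&', $parts);
+ }
+
+ return $script.$query;
+}
 function build_mnet_logs_array($hostid, $course, $user=0, $date=0, $order="l.time ASC", $limitfrom='', $limitnum='',
 $modname="", $modid=0, $modaction="", $groupid=0) {
@@ -504,10 +532,6 @@ function print_log($course, $user=0, $date=0, $order="l.time ASC", $page=0, $per
 //Filter log->info
 $log->info = format_string($log->info);
- $log->url = strip_tags(urldecode($log->url)); // Some XSS protection
- $log->info = strip_tags(urldecode($log->info)); // Some XSS protection
- $log->url = s($log->url); /// XSS protection and XHTML compatibility - should be in link_to_popup_window() instead!!
-
 echo '<tr class="r'.$row.'">';
 if ($course->id == SITEID) {
 echo "<td class=\"cell c0\">\n";
@@ -615,10 +639,6 @@ function print_mnet_log($hostid, $course, $user=0, $date=0, $order="l.time ASC",
 //Filter log->info
 $log->info = format_string($log->info);
- $log->url = strip_tags(urldecode($log->url)); // Some XSS protection
- $log->info = strip_tags(urldecode($log->info)); // Some XSS protection
- $log->url = str_replace('&', '&amp;', $log->url); /// XHTML compatibility
-
 echo '<tr class="r'.$row.'">';
 if ($course->id == SITEID) {
 echo "<td class=\"r$row c0\" >\n";
@@ -710,10 +730,7 @@ function print_log_csv($course, $user, $date, $order='l.time DESC', $modname,
 //Filter log->info
 $log->info = format_string($log->info);
-
- $log->url = strip_tags(urldecode($log->url)); // Some XSS protection
 $log->info = strip_tags(urldecode($log->info)); // Some XSS protection
- $log->url = str_replace('&', '&amp;', $log->url); // XHTML compatibility
 $firstField = $courses[$log->course];
 $fullname = fullname($log, has_capability('moodle/site:viewfullnames', get_context_instance(CONTEXT_COURSE, $course->id)));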
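Review bot: The scheme test in the first hunk, `if (strpos($script, 'http') === 0) {`, accepts any value beginning with those four letters (an 'upload' path such as `httpdocs/x` would qualify) and sends it to the PARAM_URL cleaner instead of PARAM_PATH; `if (strpos($script, 'http://') === 0 || strpos($script, 'https://') === 0) {` pins the branch to the two schemes actually meant. Note also that the rebuilt query is joined with a bare `&` and the script part is only path-cleaned, so with the `s()` and `&amp;` output escaping removed from print_log and print_mnet_log in the later hunks, attribute escaping now has to happen wherever `$log->url` is echoed, which lies outside these hunks — worth confirming, since clean_param cleans a path rather than escaping it for HTML. As rendered here, `str_replace('&', '&', $query)` is a no-op; presumably the first argument is `'&amp;'` in the real file and was decoded by the page, but it deserves a check against the committed source. make_log_url's opening lines sit above the first hunk.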

