SC#98 protection of uploaded files in resources, please review and test

commit fd05dffed662d97011bdcdb1f841332bf0c5279f 1 parent a191a1e
skodak authored
Showing with 41 additions and 11 deletions.
  1. +37 −11 file.php
  2. +4 −0 lib/moodlelib.php
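--- a/file.php
+++ b/file.php
@@ -59,17 +59,6 @@
 error('Access not allowed');
 }
-// security: teachers can view all assignments, students only their own
-if ((count($args) >= 3)
-and (strtolower($args[1]) == 'moddata')
-and (strtolower($args[2]) == 'assignment')) {
-
-$lifetime = 0; // do not cache assignments, students may reupload them
-if ((!isteacher($course->id)) && (count($args) != 6 || $args[4] != $USER->id)) {
-error('Access not allowed');
-}
-}
-
 if (is_dir($pathname)) {
 if (file_exists($pathname.'/index.html')) {
 $pathname = rtrim($pathname, '/').'/index.html';
@@ -86,6 +75,43 @@
 }
 }
+// security: teachers can view all assignments, students only their own
+if ((count($args) >= 3)
+and (strtolower($args[1]) == 'moddata')
+and (strtolower($args[2]) == 'assignment')) {
+
+$lifetime = 0; // do not cache assignments, students may reupload them
+if ((!isteacher($course->id)) && (count($args) != 6 || $args[4] != $USER->id)) {
+error('Access not allowed');
+}
+}
+
+// security: some protection of hidden resource files
+// warning: it may break backwards compatibility
+// TODO: case sensitive in PostgresQL, case insensitive in MySQL (ok?)
+// TODO: should we protect directories too?
+if ((!empty($CFG->preventaccesstohiddenfiles))
+and (count($args) >= 2)
+and (!isteacher($course->id))) {
+
+$reference = ltrim($relativepath, "/{$args[0]}/");
+
+$sql = "SELECT COUNT(r.id) " .
+"FROM {$CFG->prefix}resource r, " .
+"{$CFG->prefix}course_modules cm, " .
+"{$CFG->prefix}modules m " .
+"WHERE r.course = '{$course->id}' " .
+"AND m.name = 'resource' " .
+"AND cm.module = m.id " .
+"AND cm.instance = r.id " .
+"AND cm.visible = 0 " .
+"AND r.type = 'file' " .
+"AND r.reference = '{$reference}'";
+if (count_records_sql($sql)) {
+error('Access not allowed');
+}
+}
+
 // check that file exists
 if (!file_exists($pathname)) {
 not_found($course->id);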
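Review bot: `ltrim($relativepath, "/{$args[0]}/")` on the new `$reference` line takes a character list, not a prefix, so it also strips any leading characters of the file name that happen to be digits of the course id (course 12 and `/12/2005/notes.pdf` yields `005/notes.pdf`); the lookup then finds no row and the hidden file is served anyway. Strip the prefix positionally instead, `$reference = substr($relativepath, strlen("/{$args[0]}/"));`, on the assumption that `$relativepath` carries the leading slash the ltrim form implies. Separately, `$reference` is interpolated into the SQL literal unescaped; whether `$relativepath` went through clean_param(PARAM_PATH) is not visible here, and that filter leaves the backslash in place, so a trailing `\` unbalances the quoted literal — escape it (e.g. `addslashes($reference)`, or whatever quoting helper the DB layer here provides) before building the query. This is a flat script and its body continues outside the hunk.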
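--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -221,6 +221,9 @@ function clean_param($param, $options) {
 if ($options & PARAM_FILE) { // Strip all suspicious characters from filename
 $param = ereg_replace('[[:cntrl:]]|[<>"`\|\':\\/]', '', $param);
 $param = ereg_replace('\.\.+', '', $param);
+if($param == '.') {
+$param = '';
+}
 }
 if ($options & PARAM_PATH) { // Strip all suspicious characters from file path
@@ -230,6 +233,7 @@ function clean_param($param, $options) {
 $param = ereg_replace('[[:cntrl:]]|[<>"`\|\':]', '', $param);
 $param = ereg_replace('\.\.+', '', $param);
 $param = ereg_replace('//+', '/', $param);
+$param = ereg_replace('/(\./)+', '/', $param);
 }
 if ($options & PARAM_HOST) { // allow FQDN or IPv4 dotted quad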
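Review bot: The new `/(\./)+` rewrite in the PARAM_PATH branch only collapses a `./` segment that follows a slash, so a path with a leading `./` (`./foo.txt`) or a trailing `/.` (`foo/.`) leaves clean_param still carrying the dot segment; if the goal is a canonical path for an exact-match comparison elsewhere, those two forms need covering too, e.g. `$param = ereg_replace('^(\./)+', '', $param);` and `$param = ereg_replace('/\.$', '', $param);` right after the new line. Ordering is doing real work here — the `\.\.+` strip two lines earlier has already turned `.../` into `/` before this runs — and deserves a one-line comment such as `// '..' runs are already gone; this only collapses single-dot segments`. clean_param begins before the first hunk and continues past the second.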