mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-04-22 08:55:15 +02:00
Code Issues Projects Releases Wiki Activity

MDL-17799 proper log url sanitisation - big thanks to Full Name hacker ;-)

Browse Source
This commit is contained in:
skodak 2009-01-07 23:00:59 +00:00
parent bc4c980010
commit 11003188a9
1 changed files with 39 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
course/lib.php
View File

@ -32,29 +32,61 @@ function make_log_url($module, $url) {
case 'admin':
case 'calendar':
case 'mnet course':
return "/course/$url";
if (strpos($url, '../') === 0) {
$url = ltrim($url, '.');
} else {
$url = "/course/$url";
}
break;
case 'user':
case 'blog':
return "/$module/$url";
$url = "/$module/$url";
break;
case 'upload':
return $url;
$url = $url;
break;
case 'coursetags':
return '/'.$url;
$url = '/'.$url;
break;
case 'library':
case '':
return '/';
$url = '/';
break;
case 'message':
return "/message/$url";
$url = "/message/$url";
break;
case 'notes':
$url = "/notes/$url";
break;
default:
return "/mod/$module/$url";
$url = "/mod/$module/$url";
break;
}
//now let's sanitise urls - there might be some ugly nasties:-(
$parts = explode('?', $url);
$script = array_shift($parts);
if (strpos($script, 'http') === 0) {
$script = clean_param($script, PARAM_URL);
} else {
$script = clean_param($script, PARAM_PATH);
}
$query = '';
if ($parts) {
$query = implode('', $parts);
$query = str_replace('&', '&', $query); // both & and & are stored in db :-|
$parts = explode('&', $query);
$eq = urlencode('=');
foreach ($parts as $key=>$part) {
$part = urlencode(urldecode($part));
$part = str_replace($eq, '=', $part);
$parts[$key] = $part;
}
$query = '?'.implode('&', $parts);
}
return $script.$query;
}
@ -317,10 +349,6 @@ function print_log($course, $user=0, $date=0, $order="l.time ASC", $page=0, $per
$tl=textlib_get_instance();
$brokenurl=($tl->strlen($log->url)==100 && $tl->substr($log->url,97)=='...');
$log->url = strip_tags(urldecode($log->url)); // Some XSS protection
$log->info = strip_tags(urldecode($log->info)); // Some XSS protection
$log->url = s($log->url); /// XSS protection and XHTML compatibility - should be in link_to_popup_window() instead!!
echo '<tr class="r'.$row.'">';
if ($course->id == SITEID) {
echo "<td class=\"cell c0\">\n";
@ -433,10 +461,6 @@ function print_mnet_log($hostid, $course, $user=0, $date=0, $order="l.time ASC",
//Filter log->info
$log->info = format_string($log->info);
$log->url = strip_tags(urldecode($log->url)); // Some XSS protection
$log->info = strip_tags(urldecode($log->info)); // Some XSS protection
$log->url = str_replace('&', '&amp;', $log->url); /// XHTML compatibility
echo '<tr class="r'.$row.'">';
if ($course->id == SITEID) {
echo "<td class=\"r$row c0\" >\n";
@ -529,10 +553,7 @@ function print_log_csv($course, $user, $date, $order='l.time DESC', $modname,
//Filter log->info
$log->info = format_string($log->info);
$log->url = strip_tags(urldecode($log->url)); // Some XSS protection
$log->info = strip_tags(urldecode($log->info)); // Some XSS protection
$log->url = str_replace('&', '&amp;', $log->url); // XHTML compatibility
$firstField = $courses[$log->course];
$fullname = fullname($log, has_capability('moodle/site:viewfullnames', get_context_instance(CONTEXT_COURSE, $course->id)));