incorrect usage of clean_filename() replaced with clean_param($text, PARAM_SAFEDIR)

admin/auth.php

@@ -83,7 +83,7 @@
         set_config('changepassword','');
     }
 
-    $auth = clean_filename($auth);
+    $auth = clean_param($auth,PARAM_SAFEDIR);
     require_once("$CFG->dirroot/auth/$auth/lib.php"); //just to make sure that current authentication functions are loaded
     if (! isset($config->guestloginbutton)) {
         $config->guestloginbutton = 1;

course/mod.php

@@ -65,7 +65,7 @@
         }
         
         $mod->course = $course->id;
-        $mod->modulename = clean_filename($mod->modulename);  // For safety
+        $mod->modulename = clean_param($mod->modulename, PARAM_SAFEDIR);  // For safety
         $modlib = "$CFG->dirroot/mod/$mod->modulename/lib.php";
 
         if (file_exists($modlib)) {

lib/moodlelib.php

@@ -164,7 +164,6 @@ define('PARAM_LOCALURL', 0x0180);
 /**
  * PARAM_CLEANFILE - safe file name, all dangerous and regional chars are removed,
  * use when you want to store a new file submitted by students
- * @TODO: fix clean_filename() to handle UTF8 properly
  */
 define('PARAM_CLEANFILE',0x0200);
 

mod/glossary/exportfile.php

@@ -25,7 +25,7 @@
         error("You must be a teacher to use this page.");
     }
 
-    $filename = clean_filename(strip_tags(format_string($glossary->name,true))).'.xml';
+    $filename = clean_filename(strip_tags(format_string($glossary->name,true)).'.xml');
     $content = glossary_generate_export_file($glossary,$l,$cat);
     
     send_file($content, $filename, 0, 0, true, true);

mod/hotpot/report.php

@@ -300,7 +300,7 @@
 
 /// Open the selected hotpot report and display it
 
-	$mode = clean_filename($mode);
+	$mode = clean_param($mode, PARAM_SAFEDIR);
 
 	if (! is_readable("report/$mode/report.php")) {
 		error("Report not known (".clean_text($mode).")", $course_homeurl);

mod/lesson/import.php

@@ -35,7 +35,7 @@
 
     if ($form = data_submitted()) {   /// Filename
 
-        $form->format = clean_filename($form->format); // For safety
+        $form->format = clean_param($form->format, PARAM_SAFEDIR); // For safety
 
         if (empty($_FILES['newfile'])) {      // file was just uploaded
             notify(get_string("uploadproblem") );

mod/quiz/report.php

@@ -60,10 +60,10 @@
 
 /// Open the selected quiz report and display it
 
-    $mode = clean_filename($mode);
+    $mode = clean_param($mode, PARAM_SAFEDIR);
 
     if (! is_readable("report/$mode/report.php")) {
-        error("Report not known (".clean_text($mode).")");
+        error("Report not known ($mode)");
     }
 
     include("report/default.php");  // Parent class

mod/resource/lib.php

@@ -348,7 +348,7 @@ function delete_instance($resource) {
 function resource_add_instance($resource) {
     global $CFG;
 
-    $resource->type = clean_filename($resource->type);   // Just to be safe
+    $resource->type = clean_param($resource->type, PARAM_SAFEDIR);   // Just to be safe
 
     require_once("$CFG->dirroot/mod/resource/type/$resource->type/resource.class.php");
     $resourceclass = "resource_$resource->type";
@@ -360,7 +360,7 @@ function resource_add_instance($resource) {
 function resource_update_instance($resource) {
     global $CFG;
 
-    $resource->type = clean_filename($resource->type);   // Just to be safe
+    $resource->type = clean_param($resource->type, PARAM_SAFEDIR);   // Just to be safe
 
     require_once("$CFG->dirroot/mod/resource/type/$resource->type/resource.class.php");
     $resourceclass = "resource_$resource->type";
@@ -376,7 +376,7 @@ function resource_delete_instance($id) {
         return false;
     }
 
-    $resource->type = clean_filename($resource->type);   // Just to be safe
+    $resource->type = clean_param($resource->type, PARAM_SAFEDIR);   // Just to be safe
 
     require_once("$CFG->dirroot/mod/resource/type/$resource->type/resource.class.php");
     $resourceclass = "resource_$resource->type";