From 1bef950e2e916c9cc7ddb71607fac9c1010a9c23 Mon Sep 17 00:00:00 2001
From: donal72
Date: Thu, 2 Aug 2007 05:35:19 +0000
Subject: [PATCH] Sharpen up call to 'dangerous' functions.
---
 mnet/xmlrpc/server.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/mnet/xmlrpc/server.php b/mnet/xmlrpc/server.php
index e24338e1e06..91ad3711cbd 100644
--- a/mnet/xmlrpc/server.php
+++ b/mnet/xmlrpc/server.php
@@ -482,12 +482,18 @@ function mnet_server_dispatch($payload) {
 } elseif ('dangerous' == $CFG->mnet_dispatcher_mode && $MNET_REMOTE_CLIENT->plaintext_is_ok()) {
 $functionname = array_pop($callstack);
- $filename = array_pop($callstack);
 if ($MNET_REMOTE_CLIENT->plaintext_is_ok()) {
+ $filename = clean_param(implode('/',$callstack), PARAM_PATH);
+ if (0 == preg_match("/php$/", $filename)) {
+ // Filename doesn't end in 'php'; possible attack?
+ // Generate error response - unable to locate function
+ exit(mnet_server_fault(7012, 'nosuchfunction'));
+ }
+
 // The call stack holds the path to any include file
- $includefile = $CFG->dirroot.'/'.implode('/',$callstack).'/'.$filename.'.php';
+ $includefile = $CFG->dirroot.'/'.$filename;
 $response = mnet_server_invoke_method($includefile, $functionname, $method, $payload);
 echo $response;
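Review bot: The suffix test `preg_match("/php$/", $filename)` accepts any path whose last three characters are `php`, not only `.php` files, and without the `D` modifier `$` also matches before a trailing newline; because `$filename` is built from the remote call stack and passed on as the include file, the check should read `if (!preg_match('/\.php$/D', $filename)) {`. Even then the test constrains only the extension, so every `.php` file under `$CFG->dirroot` stays reachable; unless `mnet_server_invoke_method()` (not visible here) already does it, resolving the path with `realpath()` and confirming it still lies inside `$CFG->dirroot` before the include would be a cheap second check. The inner `if ($MNET_REMOTE_CLIENT->plaintext_is_ok())` repeats the `elseif` condition and could be dropped. The body of `mnet_server_dispatch()` starts and ends outside this hunk.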