mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-04-20 07:56:06 +02:00
Code Issues Projects Releases Wiki Activity

Merge branch 'MDL-68443-xmldb-path-validation' of https://github.com/brendanheywood/moodle

Browse Source
This commit is contained in:
Eloy Lafuente (stronk7) 2020-05-07 19:16:37 +02:00
commit 9a4a8bd3cb
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
admin/tool/xmldb/actions/view_xml/view_xml.class.php
View File

@ -68,13 +68,13 @@ class view_xml extends XMLDBAction {
// Get the file parameter
$file = required_param('file', PARAM_PATH);
$file = $CFG->dirroot . $file;
// File must be under $CFG->wwwroot and
// under one db directory (simple protection)
if (substr($file, 0, strlen($CFG->dirroot)) == $CFG->dirroot &&
substr(dirname($file), -2, 2) == 'db') {
$fullpath = $CFG->dirroot . $file;
// File param must start with / and end with /db/install.xml to be safe.
if (substr($file, 0, 1) == '/' &&
substr($file, -15, 15) == '/db/install.xml') {
// Everything is ok. Load the file to memory
$this->output = file_get_contents($file);
$this->output = file_get_contents($fullpath);
} else {
// Switch to HTML and error
$this->does_generate = ACTION_GENERATE_HTML;