
MDL-68443 xmldb: Improve path validation on view_xml action

Brendan Heywood 2020-04-18 20:36:44 +10:00
parent 788dfb9c7d
commit c80bcd56fd

@ -68,13 +68,13 @@ class view_xml extends XMLDBAction {
// Get the file parameter
$file = required_param('file', PARAM_PATH);
$file = $CFG->dirroot . $file;
// File must be under $CFG->wwwroot and
// under one db directory (simple protection)
if (substr($file, 0, strlen($CFG->dirroot)) == $CFG->dirroot &&
substr(dirname($file), -2, 2) == 'db') {
$fullpath = $CFG->dirroot . $file;
// File param must start with / and end with /db/install.xml to be safe.
if (substr($file, 0, 1) == '/' &&
substr($file, -15, 15) == '/db/install.xml') {
// Everything is ok. Load the file to memory
$this->output = file_get_contents($file);
$this->output = file_get_contents($fullpath);
} else {
// Switch to HTML and error
$this->does_generate = ACTION_GENERATE_HTML;