merged from MOODLE_14_STABLE; updated parameter cleaning, preparation for new file.php SC#5
parent
7e0286af89
commit
d52d5a8e85
@ -189,19 +189,23 @@ function clean_param($param, $options) {
|
||||
}
|
||||
|
||||
if ($options & PARAM_FILE) { // Strip all suspicious characters from filename
|
||||
$param = str_replace('\\', '/', $param);
|
||||
$param = basename($param);
|
||||
$param = ereg_replace('\.\.+', '', $param);
|
||||
$param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param);
|
||||
$param = clean_param($param, PARAM_PATH);
|
||||
$pos = strrpos($param,'/');
|
||||
if ($pos !== FALSE) {
|
||||
$param = substr($param, $pos+1);
|
||||
}
|
||||
if ($param === '.' or $param === ' ') {
|
||||
$param = '';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($options & PARAM_PATH) { // Strip all suspicious characters from file path
|
||||
$param = str_replace('\\\'', '\'', $param);
|
||||
$param = str_replace('\\"', '"', $param);
|
||||
$param = str_replace('\\', '/', $param);
|
||||
$param = ereg_replace('[[:cntrl:]]|[<>"`\|\']', '', $param);
|
||||
$param = ereg_replace('\.\.+', '', $param);
|
||||
$param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param);
|
||||
$param = ereg_replace('//+', '/', $param);
|
||||
}
|
||||
|
||||
return $param;
|
||||
|
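Review bot: In the PARAM_PATH block the outcome depends on the order of the two kinds of stripping, and this rendering shows the `[[:cntrl:]]|[<>"...]` replacement both before and after the `'\.\.+'` one without marking which is the new side. If the character strip runs after the dot removal, a value such as `.<.` survives the dot check and is then collapsed into `..`; the character strip should run first and the dot removal after it, with a comment that pins the order: `// strip characters before removing '..': deleting a character can join two dots`. The PARAM_FILE branch inherits whatever order PARAM_PATH uses, because it now calls `clean_param($param, PARAM_PATH)` before taking the part after the last `/`. The block also keeps a leading `/`, so a cleaned path can still be absolute; the docblock should say that callers must resolve the value under their own base directory and verify the result. clean_param begins and ends outside the hunk.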