From d52d5a8e85b85fc83a0909e8a0aceb67ed4e2d87 Mon Sep 17 00:00:00 2001
From: skodak
Date: Fri, 19 Nov 2004 21:28:29 +0000
Subject: [PATCH] merged from MOODLE_14_STABLE; updated parameter cleaning, preparation for new file.php SC#5

---
 lib/moodlelib.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index d2eb3757a6c..215481fbed8 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -189,19 +189,23 @@ function clean_param($param, $options) {
     }
     if ($options & PARAM_FILE) {     // Strip all suspicious characters from filename
-        $param = str_replace('\\', '/', $param);
-        $param = basename($param);
-        $param = ereg_replace('\.\.+', '', $param);
-        $param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param);
+        $param = clean_param($param, PARAM_PATH);
+        $pos = strrpos($param,'/');
+        if ($pos !== FALSE) {
+            $param = substr($param, $pos+1);
+        }
         if ($param === '.' or $param === ' ') {
             $param = '';
-        }
+        }
     }
     if ($options & PARAM_PATH) {     // Strip all suspicious characters from file path
+        $param = str_replace('\\\'', '\'', $param);
+        $param = str_replace('\\"', '"', $param);
         $param = str_replace('\\', '/', $param);
+        $param = ereg_replace('[[:cntrl:]]|[<>"`\|\']', '', $param);
         $param = ereg_replace('\.\.+', '', $param);
-        $param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param);
+        $param = ereg_replace('//+', '/', $param);
     }
     return $param;
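Review bot: The PARAM_PATH block removes `..` runs, backslashes, control characters and quoting characters, but it still passes a leading `/` (an absolute path) and `.`/`./` components through unchanged, so the cleaned value is not safe to open on its own; with the commit message naming this as preparation for file.php, that caller must still anchor the result under a known base directory and check the resolved path stays inside it. I would state that contract on the block comment, e.g. `// Strip all suspicious characters from file path. NOTE: does not strip a leading '/' or './' components; callers must confine the result to a base directory before using it.` The two new `str_replace` lines that turn `\'` and `\"` back into bare quotes before the backslash-to-slash pass look like they undo magic-quotes escaping so that it does not leave stray `/` characters; that intent is not obvious and deserves a one-line comment. In the PARAM_FILE block, `$param === ' '` only catches a single space, not other whitespace-only names, so a `trim()` before that comparison would be more robust if whitespace-only filenames should be rejected. The body of clean_param continues beyond the hunk's `return $param;`.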