]> git.mjollnir.org Git - moodle.git/commitdiff
Merged filename checks from stable
authormoodler <moodler>
Wed, 29 Sep 2004 05:35:04 +0000 (05:35 +0000)
committermoodler <moodler>
Wed, 29 Sep 2004 05:35:04 +0000 (05:35 +0000)
admin/auth.php
admin/enrol.php
admin/module.php

index a74e6f53a4eab6c88fc48c9cd5af9a62d797c1cc..2a1c93dcf52b6bfe705f9ce3a515cd1a1d12fa7a 100644 (file)
         $options[$module] = get_string("auth_$module"."title", "auth");
     }
     asort($options);
-    if (isset($_GET['auth'])) {
-        $auth = $_GET['auth'];
-    } else {
-          $auth = $config->auth;
-    } 
+       if (isset($_GET['auth'])) {
+           $auth = $_GET['auth'];
+       } else {
+        $auth = $config->auth;
+       } 
+    $auth = clean_filename($auth);
     require_once("$CFG->dirroot/auth/$auth/lib.php"); //just to make sure that current authentication functions are loaded
     if (! isset($config->guestloginbutton)) {
         $config->guestloginbutton = 1;
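Review bot: After `$auth = clean_filename($auth);` the value goes straight into `require_once` without being checked against the `$options` array that the context lines above fill per auth module, so a cleaned but unknown or empty name still reaches the include and fails there. Since the valid names appear to be in hand already, an allow-list test before the include is stricter than character filtering alone, e.g. `if (!isset($options[$auth])) { $auth = $config->auth; }`. What `clean_filename` strips is not visible in this commit, so the safety of the include rests entirely on that helper. The same clean-then-include pattern with no membership or existence check appears in the admin/enrol.php and admin/module.php hunks. The surrounding script starts and ends outside this hunk.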
index 4312823f644bfcf38325da6d2672c174dd1cada3..480bfa8d7a7cd3f40371f7d9c22aaa88bf542106 100644 (file)
@@ -3,8 +3,10 @@
        //             Yes, enrol is correct English spelling.
 
     include("../config.php");
+
+    $enrol = (string)parameter('enrol', $CFG->enrol);
+
     require_login();
-    optional_variable($enrol, $CFG->enrol);
 
     if (!$site = get_site()) {
         redirect("index.php");
@@ -14,6 +16,7 @@
         error("Only the admin can use this page");
     }
 
+    $enrol = clean_filename($enrol);
     require_once("$CFG->dirroot/enrol/$enrol/enrol.php");   /// Open the class
 
     $enrolment = new enrolment_plugin();
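Review bot: The request value is read in the first hunk (`$enrol = (string)parameter('enrol', $CFG->enrol);`) but only cleaned in the second hunk, just before the `require_once`, so the raw value stays live for the lines in between, some of which fall outside both hunks. Cleaning at the point of read, `$enrol = clean_filename((string)parameter('enrol', $CFG->enrol));`, keeps a single sanitised copy and makes the later line unnecessary. A short comment such as `// $enrol becomes part of an include path; keep it to a plain directory name` would record why the call is there.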
index a4466663f1dd0b7a7b3f58b039a599fda9f5f9f8..3985475d244c750c9671006c3e97ea71e7590097 100644 (file)
@@ -29,6 +29,7 @@
 
     require_variable($module);
 
+    $module = clean_filename($module);
        require_once("$CFG->dirroot/mod/$module/lib.php");