fixing security hole. reference : http://moodle.org/mod/forum/discuss.php?d=85748...

Inaki Arenzana

diff --git a/search/documents/physical_doc.php b/search/documents/physical_doc.php
index 3260451f5a7ddf8a93d119c82c01aa6bcb3332cf..b2f6ccfff52db22331143011a9be9b38233b9887 100644 (file)
--- a/search/documents/physical_doc.php
+++ b/search/documents/physical_doc.php
@@ -24,7 +24,7 @@ function get_text_for_indexing_doc(&$resource){
             mtrace('Error with MSWord to text converter command : exectuable not found.');
         }
         else{
-            $file = $CFG->dataroot.'/'.$resource->course.'/'.$resource->reference;
+            $file = escapeshellarg($CFG->dataroot.'/'.$resource->course.'/'.$resource->reference);
             $text_converter_cmd = "{$CFG->dirroot}/{$CFG->block_search_word_to_text_cmd} $file";
             if ($CFG->block_search_word_to_text_env){
                 putenv($CFG->block_search_word_to_text_env);

diff --git a/search/documents/physical_pdf.php b/search/documents/physical_pdf.php
index 12765b06863e33a736314e5738da48493bda3308..fabea266364e8acc3af0d4983c4f4858e10bcbca 100644 (file)
--- a/search/documents/physical_pdf.php
+++ b/search/documents/physical_pdf.php
@@ -21,7 +21,7 @@ function get_text_for_indexing_pdf(&$resource){
             mtrace('Error with pdf to text converter command : exectuable not found.');
         }
         else{
-            $file = $CFG->dataroot.'/'.$resource->course.'/'.$resource->reference;
+            $file = escapeshellarg($CFG->dataroot.'/'.$resource->course.'/'.$resource->reference);
             $text_converter_cmd = "{$CFG->dirroot}/{$CFG->block_search_pdf_to_text_cmd} $file -";
             $result = shell_exec($text_converter_cmd);
             if ($result){