Strip control chars when unzipping.

Merged from MOODLE_14_STABLE

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 4dc6b46040be3592841450d83ca06a92222e8b6b..fcd6ccc5511b23a78a149b444e7897cc9076f504 100644 (file)
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -4396,6 +4396,7 @@ function unzip_cleanfilename ($p_event, &$p_header) {
 //This function is used as callback in unzip_file() function
 //to clean illegal characters for given platform and to prevent directory traversal.
 //Produces the same result as info-zip unzip.
+    $p_header['filename'] = ereg_replace('[[:cntrl:]]', '', $p_header['filename']); //strip control chars first!
     $p_header['filename'] = ereg_replace('\.\.+', '', $p_header['filename']); //directory traversal protection
     if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
         $p_header['filename'] = ereg_replace('[:*"?<>|]', '_', $p_header['filename']); //replace illegal chars