MDL-10198 - Further refinements to $forcedownload.
authortjhunt <tjhunt>
Thu, 21 Jun 2007 15:43:29 +0000 (15:43 +0000)
committertjhunt <tjhunt>
Thu, 21 Jun 2007 15:43:29 +0000 (15:43 +0000)
question/file.php

index 6ac4c8ae70a1bdf43ae72b0785624370d316c8df..deb5f818443ef41287b1510cc655bf94fbf70f28 100644 (file)
@@ -6,9 +6,7 @@
       // whether the user has permission to view the file.
       //
       // Syntax:      question/file.php/attemptid/questionid/filename.ext
-      //              question/file.php/attemptid/questionid/filename.ext?forcedownload=1 (download instead of inline)
-      // Workaround:  question/file.php?file=/attemptid/questionid
-      // Test:        question/file.php/testslasharguments
+      // Workaround:  question/file.php?file=/attemptid/questionid/filename.ext
 
     require_once('../config.php');
     require_once('../lib/filelib.php');
@@ -17,7 +15,8 @@
     disable_debugging();
 
     $relativepath = get_file_argument('file.php');
-    $forcedownload = optional_param('forcedownload', 0, PARAM_BOOL);
+    // force download for any student-submitted files to prevent XSS attacks.
+    $forcedownload = 1;
 
     // relative path must start with '/', because of backup/restore!!!
     if (!$relativepath) {
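Review bot: The comment added above `$forcedownload = 1;` names the threat but not the mechanism or the design decision, and since hunk 3 deletes the later assignment this line is now the only place the value is set; suggest `// Always serve student-submitted files as an attachment, never inline: an uploaded HTML file rendered in the site's own origin could run script in the viewer's session (stored XSS). Deliberately not a request parameter any more, so the caller cannot re-enable inline display.` Dropping the former `optional_param('forcedownload', ...)` outright rather than keeping it as a no-op is the right choice, but the header comment in hunk 1 should state that the parameter is ignored so nobody later reintroduces it from the query string. Where `$forcedownload` is consumed is outside this hunk, so whether the literal `1` versus `true` matters to that code cannot be checked from here.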
@@ -44,9 +43,6 @@
 
     $lifetime = 0;  // do not cache because students may reupload files
 
-    // force download for any student-submitted files
-    $forcedownload = 1;
-
     // security: check that the user has permission to access this file
     $haspermission = false;
     if ($attempt = get_record("question_attempts", "id", $args[0])) {