Merged pathname checks from stable

diff --git a/mod/quiz/export.php b/mod/quiz/export.php
index 4ad463a513c0a95ee83116461de56cdb3b0ee9bc..e6ed588646d079d9c031ca6d0eb47c1ef97edb1a 100644 (file)
--- a/mod/quiz/export.php
+++ b/mod/quiz/export.php
@@ -33,8 +33,10 @@
 
     if ($form = data_submitted()) {   /// Filename
 
+        $form->format = clean_filename($form->format);
+
         if (! is_readable("format/$form->format/format.php")) {
-            error("Format not known ($form->format)");
+            error('Format not known ('.clean_text($form->format).')');
         }
 
         require("format.php");  // Parent class

diff --git a/mod/quiz/import.php b/mod/quiz/import.php
index 5701cf569bae4dd994680d3b09f80b5cdc9c6d33..393c1763534bc1d2ddba7f24cdd227d603e98a05 100644 (file)
--- a/mod/quiz/import.php
+++ b/mod/quiz/import.php
@@ -47,8 +47,10 @@
 
         if (is_array($newfile)) { // either for file already on server or just uploaded file.
 
+            $form->format = clean_filename($form->format);
+
             if (! is_readable("format/$form->format/format.php")) {
-                error("Format not known ($form->format)");
+                error('Format not known ('.clean_text($form->format).')');
             }
 
             require("format.php");  // Parent class