merged from MOODLE_14_STABLE; updated parameter cleaning, preparation for new file...

author skodak <skodak>

Fri, 19 Nov 2004 21:28:29 +0000 (21:28 +0000)

committer skodak <skodak>

Fri, 19 Nov 2004 21:28:29 +0000 (21:28 +0000)
author skodak <skodak>
Fri, 19 Nov 2004 21:28:29 +0000 (21:28 +0000)
committer skodak <skodak>
Fri, 19 Nov 2004 21:28:29 +0000 (21:28 +0000)
diff --git a/lib/moodlelib.php b/lib/moodlelib.php

index d2eb3757a6ccd411f939522c96245ae27b75a322..215481fbed81afc8830cb8fffbb14a3c14be3f0a 100644 (file)
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -189,19 +189,23 @@ function clean_param($param, $options) {
      }
  
      if ($options & PARAM_FILE) {         // Strip all suspicious characters from filename
-        $param = str_replace('\\', '/', $param);
-        $param = basename($param);
-        $param = ereg_replace('\.\.+', '', $param);
-        $param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param);
+        $param = clean_param($param, PARAM_PATH);
+        $pos = strrpos($param,'/');
+        if ($pos !== FALSE) {
+            $param = substr($param, $pos+1);
+        }
          if ($param === '.' or $param === ' ') {
              $param = '';
-        }
+        }        
      }
  
      if ($options & PARAM_PATH) {         // Strip all suspicious characters from file path
+        $param = str_replace('\\\'', '\'', $param);
+        $param = str_replace('\\"', '"', $param);
          $param = str_replace('\\', '/', $param);
+        $param = ereg_replace('[[:cntrl:]]|[<>"`\|\']', '', $param);
          $param = ereg_replace('\.\.+', '', $param);
-        $param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param);
+        $param = ereg_replace('//+', '/', $param);
      }
  
      return $param;
author	skodak <skodak>
	Fri, 19 Nov 2004 21:28:29 +0000 (21:28 +0000)
committer	skodak <skodak>
	Fri, 19 Nov 2004 21:28:29 +0000 (21:28 +0000)