relative+cleaned paths
authorstronk7 <stronk7>
Tue, 29 Aug 2006 23:53:46 +0000 (23:53 +0000)
committerstronk7 <stronk7>
Tue, 29 Aug 2006 23:53:46 +0000 (23:53 +0000)
admin/xmldb/actions/edit_field_save/edit_field_save.class.php
admin/xmldb/actions/edit_index_save/edit_index_save.class.php
admin/xmldb/actions/edit_key_save/edit_key_save.class.php

index e0d9b885d846a3fce95c4e622321f35d4e7defd7..b3d9e27b3fe52e64ab2f8e325d8953895625fc2b 100644 (file)
@@ -75,27 +75,31 @@ class edit_field_save extends XMLDBAction {
 
     /// Do the job, setting result as needed
 
+        if (!data_submitted('nomatch')) { ///Basic prevention
+            error('Wrong action call');
+        }
+
     /// Get parameters
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 
-        $tableparam = strtolower(required_param('table', PARAM_CLEAN));
-        $fieldparam = strtolower(required_param('field', PARAM_CLEAN));
-        $name = substr(trim(strtolower(optional_param('name', $fieldparam, PARAM_CLEAN))),0,30);
+        $tableparam = strtolower(required_param('table', PARAM_PATH));
+        $fieldparam = strtolower(required_param('field', PARAM_PATH));
+        $name = substr(trim(strtolower(optional_param('name', $fieldparam, PARAM_PATH))),0,30);
 
         $comment = required_param('comment', PARAM_CLEAN);
         $comment = trim(stripslashes_safe($comment));
 
         $type       = required_param('type', PARAM_INT);
-        $length     = strtolower(optional_param('length', NULL, PARAM_CLEAN));
-        $decimals   = optional_param('decimals', NULL, PARAM_CLEAN);
+        $length     = strtolower(optional_param('length', NULL, PARAM_ALPHANUM));
+        $decimals   = optional_param('decimals', NULL, PARAM_INT);
         $unsigned   = optional_param('unsigned', false, PARAM_BOOL);
         $notnull    = optional_param('notnull', false, PARAM_BOOL);
         $sequence   = optional_param('sequence', false, PARAM_BOOL);
         $enum       = optional_param('enum', false, PARAM_BOOL);
         $enumvalues = optional_param('enumvalues', 0, PARAM_CLEAN);
         $enumvalues = trim(stripslashes_safe($enumvalues));
-        $default    = optional_param('default', NULL, PARAM_CLEAN);
+        $default    = optional_param('default', NULL, PARAM_PATH);
         $default    = trim(stripslashes_safe($default));
 
         $editeddir =& $XMLDB->editeddirs[$dirpath];
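Review bot: The new `$dirpath = $CFG->dirroot . stripslashes_safe($dirpath);` line assumes the `dir` parameter begins with `/`; a value without the leading slash is glued onto the last component of dirroot and then used as the array key on the next line, where `=&` silently creates a null `editeddirs` entry instead of finding a loaded directory. A guard before taking the reference, `if (!isset($XMLDB->editeddirs[$dirpath])) { error('Wrong action call'); }`, keeps the handler on directories the tool has actually loaded; the same construct appears at L74 and L107. How a null `$editeddir` is handled is outside this hunk, as is the rest of the method. Separately, `default` (L48) is value text rather than a path, so a path filter may strip characters a legitimate default contains — worth confirming against the PARAM_PATH rules in clean_param.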
@@ -284,7 +288,7 @@ class edit_field_save extends XMLDBAction {
                          "<a href=\"../index.php\">" . $this->str['administration'] . "</a> -> <a href=\"index.php\">XMLDB</a>");
             notice ('<p>' .implode(', ', $errors) . '</p>
                      <p>' . $tempfield->readableInfo(),
-                    'index.php?action=edit_field&amp;field=' .$field->getName() . '&amp;table=' . $table->getName() . '&amp;dir=' . urlencode($dirpath));
+                    'index.php?action=edit_field&amp;field=' .$field->getName() . '&amp;table=' . $table->getName() . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)));
             die; /// re-die :-P
         }
 
index 374d52a2ba1d7165bd33db9149238a2f49807f03..0ec2ebd11e468ac8ccb8e48032621d90e060ebb7 100644 (file)
@@ -69,13 +69,17 @@ class edit_index_save extends XMLDBAction {
 
     /// Do the job, setting result as needed
 
+        if (!data_submitted('nomatch')) { ///Basic prevention
+            error('Wrong action call');
+        }
+
     /// Get parameters
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 
-        $tableparam = strtolower(required_param('table', PARAM_CLEAN));
-        $indexparam = strtolower(required_param('index', PARAM_CLEAN));
-        $name = trim(strtolower(optional_param('name', $indexparam, PARAM_CLEAN)));
+        $tableparam = strtolower(required_param('table', PARAM_PATH));
+        $indexparam = strtolower(required_param('index', PARAM_PATH));
+        $name = trim(strtolower(optional_param('name', $indexparam, PARAM_PATH)));
 
         $comment = required_param('comment', PARAM_CLEAN);
         $comment = trim(stripslashes_safe($comment));
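Review bot: The `data_submitted('nomatch')` guard added above the parameter block is a presence check rather than an origin check: as far as the visible call shows, it only rejects requests that carry no POST data, so a POST forged from another site still passes (the same guard is at L16-L18 and L99-L101). If the XMLDB editing forms include a session key, `if (!data_submitted('nomatch') || !confirm_sesskey()) { error('Wrong action call'); }` ties the save to the admin's own session; if they do not, the sesskey needs adding to the forms first. What `data_submitted` does with the `'nomatch'` argument is not visible here, so confirm that it does not already cover this. The enclosing method continues beyond this hunk.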
@@ -165,7 +169,7 @@ class edit_index_save extends XMLDBAction {
                          "<a href=\"../index.php\">" . $this->str['administration'] . "</a> -> <a href=\"index.php\">XMLDB</a>");
             notice ('<p>' .implode(', ', $errors) . '</p>
                      <p>' . $tempindex->readableInfo(),
-                    'index.php?action=edit_index&amp;index=' .$index->getName() . '&amp;table=' . $table->getName() . '&amp;dir=' . urlencode($dirpath));
+                    'index.php?action=edit_index&amp;index=' .$index->getName() . '&amp;table=' . $table->getName() . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)));
             die; /// re-die :-P
         }
 
index 48d252a03b770175c3bddab63d78f3663905e5a0..68297d4873be4c9e44c54e45518e5a3a3b997307 100644 (file)
@@ -75,13 +75,17 @@ class edit_key_save extends XMLDBAction {
 
     /// Do the job, setting result as needed
 
+        if (!data_submitted('nomatch')) { ///Basic prevention
+            error('Wrong action call');
+        }
+
     /// Get parameters
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 
-        $tableparam = strtolower(required_param('table', PARAM_CLEAN));
-        $keyparam = strtolower(required_param('key', PARAM_CLEAN));
-        $name = trim(strtolower(optional_param('name', $keyparam, PARAM_CLEAN)));
+        $tableparam = strtolower(required_param('table', PARAM_PATH));
+        $keyparam = strtolower(required_param('key', PARAM_PATH));
+        $name = trim(strtolower(optional_param('name', $keyparam, PARAM_PATH)));
 
         $comment = required_param('comment', PARAM_CLEAN);
         $comment = trim(stripslashes_safe($comment));
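Review bot: `table`, `key` and `name` are SQL/XML identifiers, yet they are now cleaned with PARAM_PATH, which by its name permits `/` and single `.` — characters that are not valid in an XMLDB name and are caught, if at all, only by the validation further down the method. A filter that leaves just letters, digits and underscore would state the intent; PARAM_ALPHANUM (used for `length` at L39) appears to strip the underscore that table names routinely carry, so a small explicit check such as `if (preg_match('/[^a-z0-9_]/', $name)) { error('Wrong action call'); }` after the `strtolower` fits better than a PARAM_ constant. The same applies to L29-L31, L79-L81 and `reftable` at L123. The validation code that follows is outside this hunk.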
@@ -92,7 +96,7 @@ class edit_key_save extends XMLDBAction {
 
         if ($type == XMLDB_KEY_FOREIGN ||
             $type == XMLDB_KEY_FOREIGN_UNIQUE) {
-            $reftable = trim(strtolower(required_param('reftable', PARAM_CLEAN)));
+            $reftable = trim(strtolower(required_param('reftable', PARAM_PATH)));
             $reffields= required_param('reffields', PARAM_CLEAN);
             $reffields = str_replace(' ', '', trim(strtolower(stripslashes_safe($reffields))));
         }
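Review bot: `reftable` now goes through PARAM_PATH while `reffields` on the next line stays PARAM_CLEAN, so the two halves of one foreign-key reference are filtered by different rules even though both name database identifiers. Whatever rule is settled on for table names should be applied per element here as well, e.g. `foreach (explode(',', $reffields) as $f) { if (preg_match('/[^a-z0-9_]/', $f)) { error('Wrong action call'); } }` after the existing lowercase/strip line. The remainder of the method, including any later validation of these values, is outside this hunk.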
@@ -241,7 +245,7 @@ class edit_key_save extends XMLDBAction {
                          "<a href=\"../index.php\">" . $this->str['administration'] . "</a> -> <a href=\"index.php\">XMLDB</a>");
             notice ('<p>' .implode(', ', $errors) . '</p>
                      <p>' . $tempkey->readableInfo(),
-                    'index.php?action=edit_key&amp;key=' .$key->getName() . '&amp;table=' . $table->getName() . '&amp;dir=' . urlencode($dirpath));
+                    'index.php?action=edit_key&amp;key=' .$key->getName() . '&amp;table=' . $table->getName() . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)));
             die; /// re-die :-P
         }