From: diml Date: Wed, 5 Dec 2007 15:54:39 +0000 (+0000) Subject: fixing security hole. reference : http://moodle.org/mod/forum/discuss.php?d=85748... X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=26fc4193f50d94dd7c347167b3dca4f7b8379205;p=moodle.git fixing security hole. reference : http://moodle.org/mod/forum/discuss.php?d=85748#p379857 Inaki Arenzana
---
diff --git a/search/documents/physical_doc.php b/search/documents/physical_doc.php
index 3260451f5a..b2f6ccfff5 100644
--- a/search/documents/physical_doc.php
+++ b/search/documents/physical_doc.php
@@ -24,7 +24,7 @@ function get_text_for_indexing_doc(&$resource){
 mtrace('Error with MSWord to text converter command : exectuable not found.');
 }
 else{
- $file = $CFG->dataroot.'/'.$resource->course.'/'.$resource->reference;
+ $file = escapeshellarg($CFG->dataroot.'/'.$resource->course.'/'.$resource->reference);
 $text_converter_cmd = "{$CFG->dirroot}/{$CFG->block_search_word_to_text_cmd} $file";
 if ($CFG->block_search_word_to_text_env){
 putenv($CFG->block_search_word_to_text_env);
diff --git a/search/documents/physical_pdf.php b/search/documents/physical_pdf.php
index 12765b0686..fabea26636 100644
--- a/search/documents/physical_pdf.php
+++ b/search/documents/physical_pdf.php
@@ -21,7 +21,7 @@ function get_text_for_indexing_pdf(&$resource){
 mtrace('Error with pdf to text converter command : exectuable not found.');
 }
 else{
- $file = $CFG->dataroot.'/'.$resource->course.'/'.$resource->reference;
+ $file = escapeshellarg($CFG->dataroot.'/'.$resource->course.'/'.$resource->reference);
 $text_converter_cmd = "{$CFG->dirroot}/{$CFG->block_search_pdf_to_text_cmd} $file -";
 $result = shell_exec($text_converter_cmd);
 if ($result){
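Review bot: In both hunks (`get_text_for_indexing_doc` and `get_text_for_indexing_pdf`) the quoting is applied where `$file` is assigned, so the variable now holds a shell-quoted string rather than a path; any later non-shell use of `$file` in these functions, whose bodies continue outside the hunks, would see the added quotes. Quoting at the point of use keeps the two apart: leave `$file` as the raw path and build the command with it escaped, e.g. `$text_converter_cmd = "{$CFG->dirroot}/{$CFG->block_search_pdf_to_text_cmd} ".escapeshellarg($file)." -";`. Escaping also does not constrain where the path points: a `$resource->reference` containing `../` segments would still resolve outside the course directory unless it is validated elsewhere, which these hunks do not show. `escapeshellarg()` is locale-sensitive, so file names with multibyte characters may lose bytes unless LC_CTYPE is set to a matching UTF-8 locale.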