From: martinlanghoff Date: Tue, 25 Jan 2005 06:09:39 +0000 (+0000) Subject: Merged from MOODLE_14_STABLE - clean_param() now handles PARAM_URL X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=7744ea12b0737d2b6db3852b9b1bf0a4563707a4;p=moodle.git Merged from MOODLE_14_STABLE - clean_param() now handles PARAM_URL --- diff --git a/lib/moodlelib.php b/lib/moodlelib.php index 18274b30b3..c696e05ab5 100644 --- a/lib/moodlelib.php +++ b/lib/moodlelib.php @@ -102,7 +102,8 @@ define('PARAM_NOTAGS', 0x08); define('PARAM_FILE', 0x10); define('PARAM_PATH', 0x20); define('PARAM_HOST', 0x40); // FQDN or IPv4 dotted quad - +define('PARAM_URL', 0x80); +//define('PARAM_LOCALURL',????); // need something that implies PARAM_URL /// PARAMETER HANDLING //////////////////////////////////////////////////// @@ -171,6 +172,8 @@ function optional_param($varname, $default=NULL, $options=PARAM_CLEAN) { */ function clean_param($param, $options) { + global $CFG; + if (!$options) { return $param; // Return raw value } 
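Review bot: `define('PARAM_URL', 0x80);` lands without a comment while the neighbouring PARAM_HOST line documents what it accepts; since the clean_param() branch added by this commit only keeps http, https, ftp and mailto URLs with no user, password or port and blanks everything else, say so at the definition: `define('PARAM_URL', 0x80); // http(s)/ftp/mailto URL, no user/password/port; anything else is cleaned to ''`. The `//define('PARAM_LOCALURL',????);` placeholder should not ship as a fake define with `????` for a value, since it is trivially uncommented by mistake and documents nothing the trailing comment does not; a plain `// TODO: PARAM_LOCALURL (must imply PARAM_URL) is not implemented yet` carries the same information. The second hunk's `global $CFG;` is fine on its own, but clean_param()'s body continues outside the hunk.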
@@ -238,6 +241,55 @@ function clean_param($param, $options) {
 }
 }
 
+ if ($options & PARAM_URL) { // allow safe ftp, http, mailto urls
+
+ include_once($CFG->dirroot . '/lib/validateurlsyntax.php');
+
+ //
+ // Parameters to validateurlsyntax()
+ //
+ // s? scheme is optional
+ // H? http optional
+ // S? https optional
+ // F? ftp optional
+ // E? mailto optional
+ // u- user section not allowed
+ // P- password not allowed
+ // a? address optional
+ // I? Numeric IP address optional (can use IP or domain)
+ // p- port not allowed -- restrict to default port
+ // f? "file" path section optional
+ // q? query section optional
+ // r? fragment (anchor) optional
+ //
+ if (!empty($param) && validateUrlSyntax($param, 's?H?S?F?E?u-P-a?I?p-f?q?r?')) {
+ // all is ok, param is respected
+ } else {
+ $param =''; // not really ok
+ }
+ }
+
+ /*
+ if ($options & PARAM_LOCALURL) {
+ // assume we passed the PARAM_URL test...
+ // allow http absolute, root relative and relative URLs within wwwroot
+ if (!empty($param)) {
+ if (preg_match(':^/:', $param)) {
+ // root-relative, ok!
+ } elseif (preg_match('/^'.preg_quote($CFG->wwwroot).'/i',$param)) {
+ // absolute, and matches our wwwroot
+ } else {
+ // relative - let's make sure there are no tricks
+ if (validateUrlSyntax($param, 's-u-P-a-p-f+q?r?')) {
+ // looks ok.
+ } else {
+ $param = '';
+ }
+ }
+ }
+ }
+ */
+
 return $param;
 }
 
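Review bot: The commented-out PARAM_LOCALURL block treats any value starting with `/` as root-relative, but `preg_match(':^/:', $param)` also passes protocol-relative strings such as `//attacker.example/x`, which browsers resolve against another host, so the "within wwwroot" promise in the comment does not hold if this is enabled as written; `preg_match('~^/(?!/)~', $param)` rejects the double slash. The wwwroot branch is broken as well: `preg_quote($CFG->wwwroot)` is called without the delimiter argument and preg_quote does not escape `/`, so the slashes in a wwwroot like `http://host/moodle` terminate the `/^.../i` pattern early and preg_match fails with a warning and returns false, and even with the delimiter escaped a bare prefix test accepts `http://host/moodle.evil.example/...`; `preg_match('~^' . preg_quote($CFG->wwwroot, '~') . '(?:[/?#]|$)~i', $param)` addresses both. In the active PARAM_URL branch the `!empty($param)` guard also blanks the literal string `"0"`, which is harmless for a URL but worth a comment so nobody "fixes" it to `!== ''` later. Since the LOCALURL code is disabled these are notes for the follow-up that wires it in; clean_param()'s body begins outside the hunk.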