From: stronk7 Date: Sat, 16 Oct 2004 11:39:52 +0000 (+0000) Subject: Latest patches from skodak included in param functions. X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=7e6b7f8da24ff2a489698cc84b1dad12fcda5631;p=moodle.git Latest patches from skodak included in param functions. Simple and double quotes are out now. Full paths in unzip are now hidden too. Please test it. It could have some pending changes yet! And please, don't forget to move the floating tag in STABLE when changes are done there!! It causes a lot of problems when trying to merge later from STABLE to HEAD again. Merged from MOODLE_14_STABLE. --- diff --git a/lib/moodlelib.php b/lib/moodlelib.php index 4e47a226e0..485ffd71f4 100644 --- a/lib/moodlelib.php +++ b/lib/moodlelib.php @@ -189,13 +189,19 @@ function clean_param($param, $options) { } if ($options & PARAM_FILE) { // Strip all suspicious characters from filename - $param = eregi_replace('\.\.+', '', $param); - // TO BE EXPANDED WITH MORE CHECKS + $param = str_replace('\\', '/', $param); + $param = basename($param); + $param = ereg_replace('\.\.+', '', $param); + $param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param); + if ($param === '.' or $param === ' ') { + $param = ''; + } } if ($options & PARAM_PATH) { // Strip all suspicious characters from file path - $param = eregi_replace('\.\.+', '', $param); - // TO BE EXPANDED WITH MORE CHECKS + $param = str_replace('\\', '/', $param); + $param = ereg_replace('\.\.+', '', $param); + $param = ereg_replace('[[:cntrl:]]|[<>"\`\|\']', '', $param); } return $param; @@ -4209,7 +4215,7 @@ function mtrace($string, $eol="\n") { flush(); } -//Replace 2 or more slashes to one +//Replace 1 or more slashes or backslashes to 1 slash function cleardoubleslashes ($path) { return preg_replace('/(\/|\\\){1,}/','/',$path); } @@ -4432,7 +4438,7 @@ function unzip_show_status ($list,$removepath) { print_simple_box_start("center"); echo "
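Review bot: In both new PARAM_FILE and PARAM_PATH branches the two ereg_replace calls run in an order that lets traversal be rebuilt: the `\.\.+` strip runs first, and only afterwards are `<>"\`|'` and control characters removed, so a PARAM_PATH value of `.<./.<./etc/passwd` contains no `..` at the first pass and becomes `../../etc/passwd` after the second, while under PARAM_FILE `.<.` becomes `..` and slips past the `=== '.'` check. Move the `[[:cntrl:]]|[<>"\`\|\']` replace above the `\.\.+` replace in both branches (or re-run the dot strip after the character strip), so the pass that removes dot pairs is the last one to touch the value. Silently rewriting `../x` into `/x` also turns a hostile input into a different, accepted path; setting `$param = ''` whenever `..` is present would be the safer contract for both flags. clean_param begins before and ends after this hunk.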
";
         foreach ($list as $item) {
-            echo $item.'
'; + echo str_replace(cleardoubleslashes($removepath.'/'), '', $item).'
'; } echo "
"; print_simple_box_end();
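Review bot: The new echo on the `+` line still writes `$item` into the page unescaped; the entries of `$list` are presumably archive member names chosen by whoever supplied the zip, so a name containing `<script>` is rendered as markup (the removed line had the same problem, but this rewrite is the place to fix it). Escape the displayed name, e.g. `echo htmlspecialchars(str_replace(cleardoubleslashes($removepath.'/'), '', $item))` followed by the existing line-break literal, or Moodle's s() helper if this code base already provides it. Note also that str_replace removes every occurrence of the prefix rather than only a leading one, and that with an empty `$removepath` the needle is just `/`, which strips every slash from the displayed path; a `strpos($item, $prefix) === 0` check followed by `substr` would be the precise form. unzip_show_status begins before and ends after this hunk.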