From 11003188a9d283b908dcdc01fb6f238ffa685ae9 Mon Sep 17 00:00:00 2001 From: skodak Date: Wed, 7 Jan 2009 23:00:59 +0000 Subject: [PATCH] MDL-17799 proper log url sanitisation - big thanks to Full Name hacker ;-) --- course/lib.php | 57 ++++++++++++++++++++++++++++++++++---------------- 1 file changed, 39 insertions(+), 18 deletions(-) diff --git a/course/lib.php b/course/lib.php index bd93ece8f0..4849a53532 100644 --- a/course/lib.php +++ b/course/lib.php @@ -32,29 +32,61 @@ function make_log_url($module, $url) { case 'admin': case 'calendar': case 'mnet course': - return "/course/$url"; + if (strpos($url, '../') === 0) { + $url = ltrim($url, '.'); + } else { + $url = "/course/$url"; + } break; case 'user': case 'blog': - return "/$module/$url"; + $url = "/$module/$url"; break; case 'upload': - return $url; + $url = $url; break; case 'coursetags': - return '/'.$url; + $url = '/'.$url; break; case 'library': case '': - return '/'; + $url = '/'; break; case 'message': - return "/message/$url"; + $url = "/message/$url"; + break; + case 'notes': + $url = "/notes/$url"; break; default: - return "/mod/$module/$url"; + $url = "/mod/$module/$url"; break; } + + //now let's sanitise urls - there might be some ugly nasties:-( + $parts = explode('?', $url); + $script = array_shift($parts); + if (strpos($script, 'http') === 0) { + $script = clean_param($script, PARAM_URL); + } else { + $script = clean_param($script, PARAM_PATH); + } + + $query = ''; + if ($parts) { + $query = implode('', $parts); + $query = str_replace('&', '&', $query); // both & and & are stored in db :-| + $parts = explode('&', $query); + $eq = urlencode('='); + foreach ($parts as $key=>$part) { + $part = urlencode(urldecode($part)); + $part = str_replace($eq, '=', $part); + $parts[$key] = $part; + } + $query = '?'.implode('&', $parts); + } + + return $script.$query; } @@ -317,10 +349,6 @@ function print_log($course, $user=0, $date=0, $order="l.time ASC", $page=0, $per $tl=textlib_get_instance(); $brokenurl=($tl->strlen($log->url)==100 && $tl->substr($log->url,97)=='...'); - $log->url = strip_tags(urldecode($log->url)); // Some XSS protection - $log->info = strip_tags(urldecode($log->info)); // Some XSS protection - $log->url = s($log->url); /// XSS protection and XHTML compatibility - should be in link_to_popup_window() instead!! - echo ''; if ($course->id == SITEID) { echo "\n"; @@ -433,10 +461,6 @@ function print_mnet_log($hostid, $course, $user=0, $date=0, $order="l.time ASC", //Filter log->info $log->info = format_string($log->info); - $log->url = strip_tags(urldecode($log->url)); // Some XSS protection - $log->info = strip_tags(urldecode($log->info)); // Some XSS protection - $log->url = str_replace('&', '&', $log->url); /// XHTML compatibility - echo ''; if ($course->id == SITEID) { echo "\n"; @@ -529,10 +553,7 @@ function print_log_csv($course, $user, $date, $order='l.time DESC', $modname, //Filter log->info $log->info = format_string($log->info); - - $log->url = strip_tags(urldecode($log->url)); // Some XSS protection $log->info = strip_tags(urldecode($log->info)); // Some XSS protection - $log->url = str_replace('&', '&', $log->url); // XHTML compatibility $firstField = $courses[$log->course]; $fullname = fullname($log, has_capability('moodle/site:viewfullnames', get_context_instance(CONTEXT_COURSE, $course->id))); -- 2.39.5