From 1e448f63f4e8a345c4282932ec59dc95b742c94d Mon Sep 17 00:00:00 2001
From: moodler <moodler>
Date: Wed, 29 Sep 2004 06:58:21 +0000
Subject: [PATCH] Merged fix from stable

---
 mod/lesson/import.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/mod/lesson/import.php b/mod/lesson/import.php
index 6d584b9178..5d2ab45b9a 100644
--- a/mod/lesson/import.php
+++ b/mod/lesson/import.php
@@ -34,7 +34,9 @@
                  "<A HREF=index.php?id=$course->id>$strlessons</A> -> <a href=\"view.php?id=$cm->id\">$lesson->name</a>-> $strimportquestions");
 
     if ($form = data_submitted()) {   /// Filename
-        
+
+        $form->format = clean_filename($form->format); // For safety
+
         if (isset($form->filename)) {                 // file already on server
             $newfile['tmp_name'] = $form->filename; 
             $newfile['size'] = filesize($form->filename);
@@ -50,12 +52,12 @@
         if (is_array($newfile)) { // either for file already on server or just uploaded file.
 
             if (! is_readable("../quiz/format/$form->format/format.php")) {
-                error("Format not known ($form->format)");
+                error("Format not known (".clean_text($form->format).")");
             }
 
             require("format.php");  // Parent class
-            require("../quiz/lib.php"); // for the constants used in quiz/format/<format>/format.php
-            require("../quiz/format/$form->format/format.php");
+            require("$CFG->dirroot/mod/quiz/lib.php"); // for the constants used in quiz/format/<format>/format.php
+            require("$CFG->dirroot/mod/quiz/format/$form->format/format.php");
 
             $format = new quiz_file_format();
 			
-- 
2.39.5