From 26fc4193f50d94dd7c347167b3dca4f7b8379205 Mon Sep 17 00:00:00 2001
From: diml
Date: Wed, 5 Dec 2007 15:54:39 +0000
Subject: [PATCH] fixing security hole. reference : http://moodle.org/mod/forum/discuss.php?d=85748#p379857 Inaki Arenzana
---
 search/documents/physical_doc.php | 2 +-
 search/documents/physical_pdf.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/search/documents/physical_doc.php b/search/documents/physical_doc.php
index 3260451f5a..b2f6ccfff5 100644
--- search/documents/physical_doc.php
+++ search/documents/physical_doc.php
@@ -24,7 +24,7 @@ function get_text_for_indexing_doc(&$resource){
 mtrace('Error with MSWord to text converter command : exectuable not found.');
 }
 else{
- $file = $CFG->dataroot.'/'.$resource->course.'/'.$resource->reference;
+ $file = escapeshellarg($CFG->dataroot.'/'.$resource->course.'/'.$resource->reference);
 $text_converter_cmd = "{$CFG->dirroot}/{$CFG->block_search_word_to_text_cmd} $file";
 if ($CFG->block_search_word_to_text_env){
 putenv($CFG->block_search_word_to_text_env);
diff --git a/search/documents/physical_pdf.php b/search/documents/physical_pdf.php
index 12765b0686..fabea26636 100644
--- search/documents/physical_pdf.php
+++ search/documents/physical_pdf.php
@@ -21,7 +21,7 @@ function get_text_for_indexing_pdf(&$resource){
 mtrace('Error with pdf to text converter command : exectuable not found.');
 }
 else{
- $file = $CFG->dataroot.'/'.$resource->course.'/'.$resource->reference;
+ $file = escapeshellarg($CFG->dataroot.'/'.$resource->course.'/'.$resource->reference);
 $text_converter_cmd = "{$CFG->dirroot}/{$CFG->block_search_pdf_to_text_cmd} $file -";
 $result = shell_exec($text_converter_cmd);
 if ($result){
-- 2.39.5
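Review bot: The path in `get_text_for_indexing_doc` is still built by plain concatenation of `$resource->course` and `$resource->reference`, so `escapeshellarg()` stops shell metacharacters but does nothing about a reference that resolves outside the course directory. Whether `reference` is validated before this point is not visible in the hunk; if it is not, the converter would read and index any file the web server user can open. A containment check on the unquoted path before the command is built would cover that, for example `$real = realpath($path); if ($real === false || strpos($real, realpath($CFG->dataroot).'/') !== 0) { /* skip this resource */ }`. The identical line in `get_text_for_indexing_pdf` (physical_pdf.php) needs the same check; both function bodies start and end outside their hunks.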
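Review bot: In `get_text_for_indexing_pdf`, `$file` now holds a shell-quoted string instead of a path, so any later use of `$file` as a file name in the part of the function outside this hunk (an existence check, a log message) would see the surrounding quotes. Quoting at the point of use keeps the variable a plain path: `$text_converter_cmd = "{$CFG->dirroot}/{$CFG->block_search_pdf_to_text_cmd} ".escapeshellarg($file)." -";`. The doc hunk has the same shape. `escapeshellarg()` also depends on the LC_CTYPE locale and can drop non-ASCII bytes from a file name under a non-UTF-8 locale, so it is worth confirming that resources with such names still reach the converter under their real name.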