From 8356aa7af117e1a4ed1ee1d0d5483ba6511e8be2 Mon Sep 17 00:00:00 2001
From: tjhunt
Date: Thu, 21 Jun 2007 15:43:29 +0000
Subject: [PATCH] MDL-10198 - Further refinements to $forcedownload.

---
 question/file.php | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/question/file.php b/question/file.php
index 6ac4c8ae70..deb5f81844 100644
--- a/question/file.php
+++ b/question/file.php
@@ -6,9 +6,7 @@
 // whether the user has permission to view the file.
 //
 // Syntax: question/file.php/attemptid/questionid/filename.ext
- // question/file.php/attemptid/questionid/filename.ext?forcedownload=1 (download instead of inline)
- // Workaround: question/file.php?file=/attemptid/questionid
- // Test: question/file.php/testslasharguments
+ // Workaround: question/file.php?file=/attemptid/questionid/filename.ext
 
 require_once('../config.php');
 require_once('../lib/filelib.php');
@@ -17,7 +15,8 @@
 disable_debugging();
 
 $relativepath = get_file_argument('file.php');
- $forcedownload = optional_param('forcedownload', 0, PARAM_BOOL);
+ // force download for any student-submitted files to prevent XSS attacks.
+ $forcedownload = 1;
 
 // relative path must start with '/', because of backup/restore!!!
 if (!$relativepath) {
@@ -44,9 +43,6 @@
 $lifetime = 0; // do not cache because students may reupload files
 
- // force download for any student-submitted files
- $forcedownload = 1;
-
 // security: check that the user has permission to access this file
 $haspermission = false;
 if ($attempt = get_record("question_attempts", "id", $args[0])) {
-- 
2.39.5
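Review bot: The one-line comment above the new `$forcedownload = 1;` in the second hunk does not record why the request-controlled `optional_param('forcedownload', 0, PARAM_BOOL)` it replaces was unsafe, which is exactly what a future maintainer needs before "restoring the inline option". Suggest expanding it to `// Always force download: student-uploaded files (e.g. HTML/SVG) must never be rendered inline under this site's origin, or they could run script as the viewer (XSS). This must not be request-controllable.` Forcing a download only prevents inline rendering; it does not stop older browsers from content-sniffing, so the later send_file() call that consumes `$forcedownload` (outside this hunk) should also send a conservative Content-Type for unrecognised extensions — I cannot see that call from here. The filename segment of `$relativepath` comes straight from the URL, so if it is echoed into the Content-Disposition header it presumably needs CR/LF and quote sanitising; worth confirming in filelib.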