From 9cdb766d610a68e511beac341e8795e4177ad564 Mon Sep 17 00:00:00 2001
From: skodak <skodak>
Date: Mon, 27 Nov 2006 08:44:38 +0000
Subject: [PATCH] Broken handling of magic quotes in admin settings and
 set_config in general MDL-7668

---
 admin/search.php          | 11 +++++++----
 admin/settings.php        |  6 +++++-
 admin/upgradesettings.php |  9 ++++++---
 lib/moodlelib.php         | 12 +++++++-----
 4 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/admin/search.php b/admin/search.php
index bb5f0c5014..a050dcf176 100644
--- a/admin/search.php
+++ b/admin/search.php
@@ -18,17 +18,20 @@ $CFG->adminsearchquery = $query;  // So we can reference it in search boxes late
 $statusmsg = '';
 
 if ($data = data_submitted()) {
-    $data = (array)$data;
+    $unslashed = array();
+    foreach($data as $key=>$value) {
+        $unslashed[$key] = stripslashes($value);
+    }
     if (confirm_sesskey()) {
         $olddbsessions = !empty($CFG->dbsessions);
         $changedsettings = search_settings(admin_get_root(), $query);
         $errors = '';
 
         foreach($changedsettings as $changedsetting) {
-            if (!isset($data['s_' . $changedsetting->name])) {
-                $data['s_' . $changedsetting->name] = ''; // needed for checkboxes
+            if (!isset($unslashed['s_' . $changedsetting->name])) {
+                $unslashed['s_' . $changedsetting->name] = ''; // needed for checkboxes
             }
-            $errors .= $changedsetting->write_setting($data['s_' . $changedsetting->name]);
+            $errors .= $changedsetting->write_setting($unslashed['s_' . $changedsetting->name]);
         }
 
         if ($olddbsessions != !empty($CFG->dbsessions)) {
diff --git a/admin/settings.php b/admin/settings.php
index 9aec4ca7a4..953dc3b1cf 100644
--- a/admin/settings.php
+++ b/admin/settings.php
@@ -58,7 +58,11 @@ $statusmsg = '';
 if ($data = data_submitted()) {
     if (confirm_sesskey()) {
         $olddbsessions = !empty($CFG->dbsessions);
-        $errors = $root->write_settings((array)$data);
+        $unslashed = array();
+        foreach($data as $key=>$value) {
+            $unslashed[$key] = stripslashes($value);
+        }
+        $errors = $root->write_settings($unslashed);
         //force logout if dbsession setting changes
         if ($olddbsessions != !empty($CFG->dbsessions)) {
             require_logout();
diff --git a/admin/upgradesettings.php b/admin/upgradesettings.php
index b860d7d21d..70666e6c34 100644
--- a/admin/upgradesettings.php
+++ b/admin/upgradesettings.php
@@ -24,14 +24,17 @@ if ($newsettingshtml == '') {
 
 // now we'll deal with the case that the admin has submitted the form with new settings
 if ($data = data_submitted()) {
-    $data = (array)$data;
+    $unslashed = array();
+    foreach($data as $key=>$value) {
+        $unslashed[$key] = stripslashes($value);
+    }
     if (confirm_sesskey()) {
         $newsettings = find_new_settings(admin_get_root());
         $errors = '';
 
         foreach($newsettings as $newsetting) {
-            if (isset($data['s_' . $newsetting->name])) {
-                $errors .= $newsetting->write_setting($data['s_' . $newsetting->name]);
+            if (isset($unslashed['s_' . $newsetting->name])) {
+                $errors .= $newsetting->write_setting($unslashed['s_' . $newsetting->name]);
             } else {
                 $errors .= $newsetting->write_setting($newsetting->defaultsetting);
             }
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 927f81b540..c22aa7b45a 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -482,7 +482,7 @@ function clean_param($param, $type) {
  * In that case it doesn't affect $CFG.
  *
  * @param string $name the key to set
- * @param string $value the value to set
+ * @param string $value the value to set (without magic quotes)
  * @param string $plugin (optional) the plugin scope
  * @uses $CFG
  * @return bool
@@ -496,17 +496,19 @@ function set_config($name, $value, $plugin=NULL) {
         $CFG->$name = $value;  // So it's defined for this invocation at least
 
         if (get_field('config', 'name', 'name', $name)) {
-            return set_field('config', 'value', $value, 'name', $name);
+            return set_field('config', 'value', addslashes($value), 'name', $name);
         } else {
+            $config = new object();
             $config->name = $name;
-            $config->value = $value;
+            $config->value = addslashes($value);
             return insert_record('config', $config);
         }
     } else { // plugin scope
         if ($id = get_field('config_plugins', 'id', 'name', $name, 'plugin', $plugin)) {
-            return set_field('config_plugins', 'value', $value, 'id', $id);
+            return set_field('config_plugins', 'value', addslashes($value), 'id', $id);
         } else {
-            $config->plugin = $plugin;
+            $config = new object();
+            $config->plugin = addslashes($plugin);
             $config->name   = $name;
             $config->value  = $value;
             return insert_record('config_plugins', $config);
-- 
2.39.5