From ad4e0fcc30ccd81664ee6242ff71c05803a607ef Mon Sep 17 00:00:00 2001
From: stronk7
Date: Thu, 7 Oct 2004 14:18:43 +0000
Subject: [PATCH] New version of this. Merged from MOODLE_14_STABLE. It won't work until moodlelib.php was merged!! Tons of conflicts!!
---
 files/index.php | 60 +++++++++++++++++++++++++++++--------------------
 1 file changed, 36 insertions(+), 24 deletions(-)
diff --git a/files/index.php b/files/index.php
index e0b3d2beca..0145a3049b 100644
--- a/files/index.php
+++ b/files/index.php
@@ -1,4 +1,4 @@ -zip)) { // Use built-in php-based zip function
 $files = array();
 foreach ($USER->filelist as $file) {
- $files[] = "$basedir/$file";
+ $files[] = cleardoubleslashes("$basedir/$file"); // no doubleslashes!
 }
 include_once("$CFG->libdir/pclzip/pclzip.lib.php");
- $archive = new PclZip("$basedir/$wdir/$name");
- if (($list = $archive->create($files,'',"$basedir/$wdir/")) == 0) {
+ $archive = new PclZip(cleardoubleslashes("$basedir/$wdir/$name"));
+ if (($list = $archive->create($files, PCLZIP_OPT_REMOVE_PATH,
+ rtrim(cleardoubleslashes("$basedir/$wdir"), "/"))) == 0) { // no double slashes and trailing slash!
 error($archive->errorInfo(true));
 }
 } else { // Use external zip program
@@ -410,8 +411,9 @@
 if (empty($CFG->unzip)) { // Use built-in php-based unzip function
 include_once("$CFG->libdir/pclzip/pclzip.lib.php");
- $archive = new PclZip("$basedir/$wdir/$file");
- if (!$list = $archive->extract("$basedir/$wdir")) {
+ $archive = new PclZip(cleardoubleslashes("$basedir/$wdir/$file"));
+ if (!$list = $archive->extract(PCLZIP_OPT_PATH, cleardoubleslashes("$basedir/$wdir"),
+ PCLZIP_CB_PRE_EXTRACT, 'approvefile')) {
 error($archive->errorInfo(true));
 } else { // print some output
 echo "";
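Review bot: An archive entry that `approvefile` refuses is never reported to the user: when a PCLZIP_CB_PRE_EXTRACT callback returns 0, PclZip (as far as I recall) keeps the entry in the returned `$list` with its `status` set to `skipped`, and the display loop in the 421 hunk prints only `filename` and `size`, so a partially extracted archive looks like a clean success. Consider printing `$item['status']` in that loop, or counting entries whose status is not `ok` and reporting them through `notify()`, so an operator can see which names were rejected and why the extracted tree is incomplete. `approvefile` is passed by name and defined much further down this file (537 hunk); a comment here such as `// 'approvefile' (defined below) refuses entries whose names detect_munged_arguments() flags` would make the coupling visible. The enclosing `if (empty($CFG->unzip))` branch continues past the end of the hunk.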
@@ -421,7 +423,7 @@
 echo "";
 foreach ($list as $item) {
 echo "";
- $item['filename'] = str_replace("$basedir/$wdir/", "", $item['filename']);
+ $item['filename'] = str_replace(cleardoubleslashes("$basedir/$wdir/"), "", $item['filename']);
 print_cell("left", $item['filename']);
 if (! $item['folder']) {
 print_cell("right", display_size($item['size']));
@@ -471,8 +473,8 @@
 $file = basename($file);
 include_once("$CFG->libdir/pclzip/pclzip.lib.php");
- $archive = new PclZip("$basedir/$wdir/$file");
- if (!$list = $archive->listContent("$basedir/$wdir")) {
+ $archive = new PclZip(cleardoubleslashes("$basedir/$wdir/$file"));
+ if (!$list = $archive->listContent(cleardoubleslashes("$basedir/$wdir"))) {
 notify($archive->errorInfo(true));
 } else {
@@ -513,11 +515,11 @@
 echo $file;
 print_simple_box_end();
 echo "
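Review bot: The path handed to `$archive->listContent(...)` appears to do nothing: as far as I can tell PclZip's `listContent()` takes no parameters, so `cleardoubleslashes("$basedir/$wdir")` is evaluated and discarded, and the call reads as if the listing were scoped to that directory when it is not. If that is confirmed, `if (!$list = $archive->listContent()) {` says what actually happens; if the argument is intentional for some PclZip version, a one-line comment stating what it is meant to restrict would stop the next reader from assuming a filter that is not there. The `else` block this hunk opens continues outside the hunk.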
"; - echo "

".get_string("areyousuretorestorethisinfo")."

"; - $restore_path = "../backup/restore.php"; + echo "

".get_string("areyousuretorestorethisinfo")."

";
+ $restore_path = "$CFG->wwwroot/backup/restore.php";
 notice_yesno (get_string("areyousuretorestorethis"),
- $restore_path."?id=".$id."&file=".$id.$wdir."/".$file,
- "index.php?id=$id&wdir=$wdir&action=cancel");
+ $restore_path."?id=".$id."&file=".cleardoubleslashes($id.$wdir."/".$file),
+ "index.php?id=$id&wdir=$wdir&action=cancel");
 } else {
 displaydir($wdir);
 }
@@ -537,6 +539,13 @@
 /// FILE FUNCTIONS ///////////////////////////////////////////////////////////
+function approvefile($p_event, &$p_header){
+ if (detect_munged_arguments($p_header['filename'], 0)) {
+ return 0; // do not extract file!!
+ } else {
+ return 1;
+ }
+}
 function fulldelete($location) {
 if (is_dir($location)) {
@@ -580,7 +589,10 @@ function setfilelist($VARS) {
 foreach ($VARS as $key => $val) {
 if (substr($key,0,4) == "file") {
 $count++;
- $USER->filelist[] = rawurldecode($val);
+ $val = rawurldecode($val);
+ if (!detect_munged_arguments($val, 0)) {
+ $USER->filelist[] = rawurldecode($val);
+ }
 }
 }
 return $count;
--
2.39.5
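Review bot: `$wdir` and `$file` are concatenated into the restore and cancel URLs without per-component encoding; `cleardoubleslashes()` only normalises slashes and does not escape `&`, `#`, `?`, spaces or quotes, so a directory or file name containing any of them yields a link that parses differently from what was intended, and the same raw string reaches the HTML that `notice_yesno` emits. If these values come from the request, as `setfilelist()`'s `rawurldecode` suggests, encode them where the URL is built: `$restore_path."?id=".$id."&file=".rawurlencode(cleardoubleslashes($id.$wdir."/".$file)),` and `"index.php?id=$id&wdir=".rawurlencode($wdir)."&action=cancel");` (PHP decodes query components on the receiving side, so `%2F` arrives as `/`). The `if`/`else` that chooses between this confirmation dialog and `displaydir($wdir)` starts before the hunk.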
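Review bot: `approvefile()` has no docblock, and its 0/1 return only makes sense to a reader who already knows the PclZip callback contract; a header such as `/** PclZip PCLZIP_CB_PRE_EXTRACT callback: returns 0 to make PclZip skip an entry whose name detect_munged_arguments() flags, 1 to let it be extracted. $p_event is unused. */` would carry that. As a point of style the branch collapses to `return detect_munged_arguments($p_header['filename'], 0) ? 0 : 1;`, and the opening brace is glued to the parameter list (`&$p_header){`) unlike `fulldelete` just below. It is also worth recording what `$p_header['filename']` holds at this point — I believe PclZip has already prefixed it with the PCLZIP_OPT_PATH destination rather than passing the bare entry name — since the coverage of the check depends on it; confirm against the bundled pclzip.lib.php before relying on that.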
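Review bot: The value that is validated is not the value that is stored: `$val = rawurldecode($val);` is followed by `$USER->filelist[] = rawurldecode($val);`, so the stored entry is decoded a second time and can differ from the string `detect_munged_arguments()` examined, which undermines the check this hunk introduces; store the checked value instead, `$USER->filelist[] = $val;`. `$count++` also still runs for entries the check rejects, so the count `setfilelist()` returns no longer matches the number of names appended to `$USER->filelist` — move the increment inside the `if (!detect_munged_arguments($val, 0))` block unless a caller depends on the old meaning. The `function setfilelist($VARS) {` on the `@@` line is only the hunk's function context; the function starts before the hunk.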
$strstatus