From f8d8b7be3f22713b8524ccca313ec563cad4e015 Mon Sep 17 00:00:00 2001 From: diml Date: Sun, 6 Apr 2008 21:01:28 +0000 Subject: [PATCH] fixing several error messages enhancing security of command injections. allowing space in pathes for files. allowing binding with tools out of moodleroot --- blocks/search/config_global.html | 14 ++++++++++++++ search/documents/chat_document.php | 14 +++++++------- search/documents/physical_doc.php | 10 ++++++---- search/documents/physical_htm.php | 1 + search/documents/physical_pdf.php | 5 +++-- search/documents/resource_document.php | 20 ++++++++++++-------- search/documents/techproject_document.php | 5 +++++ search/documents/wiki_document.php | 4 ++-- 8 files changed, 50 insertions(+), 23 deletions(-) diff --git a/blocks/search/config_global.html b/blocks/search/config_global.html index d60de30daa..be8041c74c 100644 --- a/blocks/search/config_global.html +++ b/blocks/search/config_global.html @@ -55,6 +55,20 @@ } ?>"/>

+ + + : + + + block_search_usemoodleroot)) ? 'checked="checked"' : '' ; + $notusemoodleroot = (!isset($CFG->block_search_usemoodleroot)) ? 'checked="checked"' : '' ; + ?> + value="1"/> - + value="0"/> +

+ + : diff --git a/search/documents/chat_document.php b/search/documents/chat_document.php index ff624916df..4361d32d73 100644 --- a/search/documents/chat_document.php +++ b/search/documents/chat_document.php @@ -76,7 +76,9 @@ function chat_make_link($cm_id, $start, $end) { * fetches all the records for a given session and assemble them as a unique track * we revamped here the code of report.php for making sessions, but without any output. * note that we should collect sessions "by groups" if groupmode() is SEPARATEGROUPS. -* @param chat_id the database +* @param int $chat_id the database +* @param int $fromtime +* @param int $totime * @uses CFG * @return an array of objects representing the chat sessions. */ @@ -100,8 +102,7 @@ function chat_get_session_tracks($chat_id, $fromtime = 0, $totime = 0) { foreach($messages as $aMessage){ $groupedMessages[$aMessage->groupid][] = $aMessage; } - } - else{ + } else { $groupedMessages[-1] = &$messages; } $sessiongap = 5 * 60; // 5 minutes silence means a new session @@ -128,9 +129,8 @@ function chat_get_session_tracks($chat_id, $fromtime = 0, $totime = 0) { $tracks[count($tracks) - 1]->content .= ' '.$message->message; $tracks[count($tracks) - 1]->sessionstart = $message->timestamp; } - } + } else { // we initiate a new session track (backwards) - else { $track = new Object(); $track->sessionend = $message->timestamp; $track->sessionstart = $message->timestamp; @@ -175,7 +175,7 @@ function chat_get_content_for_index(&$chat) { foreach($sessionTracks as $aTrackId => $aTrack) { foreach($aTrack->sessionusers as $aUserId){ $user = get_record('user', 'id', $aUserId); - $aTrack->authors = ($user) ? $user->firstname.' '.$user->lastname : '' ; + $aTrack->authors = ($user) ? fullname($user) : '' ; $documents[] = new ChatTrackSearchDocument(get_object_vars($aTrack), $cm->id, $chat->course, $aTrack->groupid, $context->id); } } 
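Review bot: The two `@param` lines added to the `chat_get_session_tracks` docblock carry no description, and the retained `@param int $chat_id the database` line next to them is itself cut short. Given the `= 0` defaults in the signature shown in the next hunk's header, something like `* @param int $fromtime earliest message timestamp to include, 0 for no lower bound` plus the matching line for `$totime` would do, provided the query outside this hunk confirms that 0 means unbounded; `$chat_id` is presumably the chat instance id and should say so. The function body itself lies outside this hunk.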
@@ -208,8 +208,8 @@ function chat_single_document($id, $itemtype) { if ($tracks){ $aTrack = $tracks[0]; $document = new ChatTrackSearchDocument(get_object_vars($aTrack), $cm->id, $chat->course, $aTrack->groupid, $context->id); + return $document; } - return $document; } return null; } diff --git a/search/documents/physical_doc.php b/search/documents/physical_doc.php index 28356721ed..3b5f1c07ec 100644 --- a/search/documents/physical_doc.php +++ b/search/documents/physical_doc.php @@ -23,26 +23,28 @@ function get_text_for_indexing_doc(&$resource){ // SECURITY : do not allow non admin execute anything on system !! if (!isadmin($USER->id)) return; - + $moodleroot = (@$CFG->block_search_usemoodleroot) ? "{$CFG->dirroot}/" : '' ; // just call pdftotext over stdout and capture the output if (!empty($CFG->block_search_word_to_text_cmd)){ if (!file_exists("{$moodleroot}{$CFG->block_search_word_to_text_cmd}")){ - mtrace('Error with MSWord to text converter command : executable not found.'); + mtrace('Error with MSWord to text converter command : exectuable not found.'); } else{ $file = escapeshellarg($CFG->dataroot.'/'.$resource->course.'/'.$resource->reference); - $text_converter_cmd = "\"{$moodleroot}{$CFG->block_search_word_to_text_cmd}\" \"$file\""; + $command = trim($CFG->block_search_word_to_text_cmd); + $text_converter_cmd = "{$moodleroot}{$command} \"$file\""; if ($CFG->block_search_word_to_text_env){ putenv($CFG->block_search_word_to_text_env); } + mtrace("Executing : $text_converter_cmd"); $result = shell_exec($text_converter_cmd); if ($result){ return mb_convert_encoding($result, 'UTF8', 'auto'); } else{ - mtrace('Error with MSWord to text converter command : execution failed.'); + mtrace('Error with MSWord to text converter command : execution failed. '); return ''; } } diff --git a/search/documents/physical_htm.php b/search/documents/physical_htm.php index 5df8524a4f..b336443ea9 100644 --- a/search/documents/physical_htm.php 
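Review bot: `$file` is already the output of `escapeshellarg()`, so the new `$text_converter_cmd` line, by wrapping it again as `\"$file\"`, hands the converter a filename with literal single quotes around it; the line should be `$text_converter_cmd = "{$moodleroot}{$command} $file";` (the physical_pdf.php hunk has the same double quoting). Leaving `{$command}` unquoted is what lets an admin append options to the configured tool, but the `file_exists` guard a few lines above still tests the whole setting string and will reject any such value, whereas the pdf hunk checks only the first token with `preg_match("/^\S+/", ...)` — the two files should use the same check, with the `trim()` applied before it. The "not found" message is changed from `executable` to `exectuable`, which introduces a typo rather than fixing one, and the "execution failed" message gains a trailing space. `@$CFG->block_search_usemoodleroot` suppresses a notice that `!empty($CFG->block_search_usemoodleroot)` would avoid without `@`. The rest of `get_text_for_indexing_doc` lies outside this hunk.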
+++ b/search/documents/physical_htm.php @@ -39,6 +39,7 @@ function get_text_for_indexing_htm(&$resource){ // filter all html tags // $text = clean_text($text, FORMAT_PLAIN); // NOTE : this is done in ResourceSearchDocument __constructor + $text = preg_replace("//", '', $text); if (!empty($CFG->block_search_limit_index_body)){ $text = shorten($text, $CFG->block_search_limit_index_body); diff --git a/search/documents/physical_pdf.php b/search/documents/physical_pdf.php index fb48cc2ecc..8ea7abfd1a 100644 --- a/search/documents/physical_pdf.php +++ b/search/documents/physical_pdf.php @@ -28,12 +28,13 @@ function get_text_for_indexing_pdf(&$resource){ // just call pdftotext over stdout and capture the output if (!empty($CFG->block_search_pdf_to_text_cmd)){ preg_match("/^\S+/", $CFG->block_search_pdf_to_text_cmd, $matches); - if (!file_exists("{$moodleroot}{$matches[0]}")){ + if (!file_exists("{$moodleroot}/{$matches[0]}")){ mtrace('Error with pdf to text converter command : exectuable not found.'); } else{ $file = escapeshellarg($CFG->dataroot.'/'.$resource->course.'/'.$resource->reference); - $text_converter_cmd = "\"{$moodleroot}{$CFG->block_search_pdf_to_text_cmd}\" \"$file\" -"; + $command = trim($CFG->block_search_pdf_to_text_cmd); + $text_converter_cmd = "{$moodleroot}/{$command} \"$file\" -"; $result = shell_exec($text_converter_cmd); if ($result){ return $result; diff --git a/search/documents/resource_document.php b/search/documents/resource_document.php index 918bb10c8b..0258aa6b07 100644 --- a/search/documents/resource_document.php +++ b/search/documents/resource_document.php @@ -75,6 +75,7 @@ function resource_iterator() { * this function does not need a content iterator, returns all the info * itself; * @param notneeded to comply API, remember to fake the iterator array though +* @uses CFG * @return an array of searchable documents */ function resource_get_content_for_index(&$notneeded) { 
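Review bot: The pattern in the added `preg_replace` call reads `"//"` as rendered here, which is an empty pattern and would leave `$text` unchanged; if the pattern body was lost when this patch was rendered, the line should still carry a comment stating what it is meant to strip, since the commented-out `clean_text` call directly above says tag filtering already happens in the `ResourceSearchDocument` constructor. `preg_replace` returns null on a PCRE error and nothing here checks for that before `$text` flows into `shorten()`. `get_text_for_indexing_htm` begins and ends outside this hunk.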
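Review bot: The `/` inserted between `$moodleroot` and the command on the new `file_exists` and `$text_converter_cmd` lines defeats the "tools out of moodleroot" case: in the physical_doc.php hunk `$moodleroot` is `''` when `block_search_usemoodleroot` is unset and `"{$CFG->dirroot}/"` otherwise, so if this file defines it the same way (its definition is outside the hunk) the result is a doubled `//` inside moodleroot and an absolute `/pdftotext`-style path outside it. Drop the extra separator to match the doc hunk: `if (!file_exists("{$moodleroot}{$matches[0]}")){` and `"{$moodleroot}{$command} ..."` on the command line. `get_text_for_indexing_pdf` begins before this hunk.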
@@ -162,7 +163,10 @@ function resource_get_physical_file(&$resource, $context_id, $getsingle, &$docum global $CFG; // cannot index empty references - if (empty($resource->reference)) return false; + if (empty($resource->reference)){ + mtrace("Cannot index, empty reference."); + return false; + } // cannot index remote resources if (resource_is_url($resource->reference)){ @@ -173,6 +177,7 @@ function resource_get_physical_file(&$resource, $context_id, $getsingle, &$docum $fileparts = pathinfo($resource->reference); // cannot index unknown or masked types if (empty($fileparts['extension'])) { + mtrace("Cannot index without explicit extension."); return false; } @@ -196,15 +201,15 @@ function resource_get_physical_file(&$resource, $context_id, $getsingle, &$docum $resource->alltext = $function_name($resource); if (!empty($resource->alltext)){ if ($getsingle){ - return new ResourceSearchDocument(get_object_vars($resource), $context_id); - } - else{ + $single = new ResourceSearchDocument(get_object_vars($resource), $context_id); + mtrace("finished file $resource->name as {$resource->reference}"); + return $single; + } else { $documents[] = new ResourceSearchDocument(get_object_vars($resource), $context_id); } mtrace("finished file $resource->name as {$resource->reference}"); } - } - else{ + } else { mtrace("fulltext handler not found for $ext type"); } return false; @@ -257,8 +262,7 @@ function resource_single_document($id, $itemtype) { $document = resource_get_physical_file($resource, true, $context->id); if (!$document) mtrace("Warning : this document {$resource->name} will not be indexed"); return $document; - } - else{ + } else { return new ResourceSearchDocument(get_object_vars($resource), $context->id); } } diff --git a/search/documents/techproject_document.php b/search/documents/techproject_document.php index 6b36ddcf92..52976d1928 100644 --- a/search/documents/techproject_document.php +++ b/search/documents/techproject_document.php 
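Review bot: The `$getsingle` branch now returns early with its own `mtrace`, but the only call visible in this file, `resource_get_physical_file($resource, true, $context->id)` in the `resource_single_document` hunk below, does not match the parameter order in this hunk's header, `(&$resource, $context_id, $getsingle, &$documents)`: `true` lands in `$context_id`, `$context->id` in `$getsingle`, and the by-reference `$documents` is omitted. The single `ResourceSearchDocument` is therefore built with `$context_id === true`; the call should pass `$context->id` second and `true` third, with a throwaway array variable for `$documents`, subject to checking callers outside this file. The `"finished file …"` message is now written in two places; emitting it once, before `if ($getsingle){`, removes the duplicate. `resource_get_physical_file` begins before this hunk.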
@@ -91,6 +91,7 @@ function techproject_get_content_for_index(&$techproject) { foreach($entries as $anEntry) { if ($anEntry) { if (strlen($anEntry->description) > 0) { + $anEntry->author = ''; $documents[] = new TechprojectEntrySearchDocument(get_object_vars($anEntry), $techproject->course, $context->id); } } @@ -120,18 +121,22 @@ function techproject_single_document($id, $itemtype) { switch ($itemtype){ case 'requirement':{ $entry = get_record('techproject_requirement', 'id', $id); + $entry->author = ''; break; } case 'specification':{ $entry = get_record('techproject_specification', 'id', $id); + $entry->author = ''; break; } case 'milestone':{ $entry = get_record('techproject_milestone', 'id', $id); + $entry->author = ''; break; } case 'deliverable':{ $entry = get_record('techproject_deliverable', 'id', $id); + $entry->author = ''; break; } case 'task':{ diff --git a/search/documents/wiki_document.php b/search/documents/wiki_document.php index 23a5316837..23ed2f8a36 100644 --- a/search/documents/wiki_document.php +++ b/search/documents/wiki_document.php @@ -39,7 +39,7 @@ class WikiSearchDocument extends SearchDocument { $doc->contextid = $context_id; $doc->title = $page['pagename']; - $doc->date = $page['timemodified']; + $doc->date = $page['lastmodified']; //remove '(ip.ip.ip.ip)' from wiki author field $doc->author = preg_replace('/\(.*?\)/', '', $page['author']); $doc->contents = $page['content']; @@ -138,7 +138,7 @@ function wiki_get_latest_pages(&$entry) { if ($ids = get_records('wiki_pages', 'wiki', $entry->id, '', 'distinct pagename')) { if ($pagesets = get_records('wiki_pages', 'wiki', $entry->id, '', 'distinct pagename')) { foreach ($pagesets as $aPageset) { - $pages[] = wiki_get_latest_page($entry, $aPageset->id); + $pages[] = wiki_get_latest_page($entry, $aPageset->pagename); } } else { return false; -- 2.39.5
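Review bot: The four `$entry->author = '';` lines added inside the `switch` run before any check that `get_record` found a row; if it returned false for a missing id (the `if ($anEntry)` guard in this file's other hunk suggests entries can be absent), the assignment turns `$entry` into a bare object holding only `author`, PHP 5 emits a notice, and the missing record is no longer detectable downstream. Setting the field once after the `switch`, guarded, avoids both the repetition and the masking: `if ($entry) { $entry->author = ''; }`. The `switch` continues past this hunk (`case 'task'` is cut off), so that case may need the same treatment. `techproject_single_document` begins before this hunk.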