From 077fb76cd969b0b3e0de63b4e45317223fd016ea Mon Sep 17 00:00:00 2001
From: Aquilino Blanco
Date: Fri, 1 Dec 2017 10:11:26 +0100
Subject: [PATCH] Several syntax and security issues fixed.

---
 main/document/add_link.php | 43 +++++++++++++----------------
 main/document/document.php | 28 +++++++++----------
 main/document/edit_document.php | 6 ++--
 main/inc/lib/document.lib.php | 9 +++---
 main/install/data.sql | 10 +------
 main/lang/english/trad4all.inc.php | 2 ++
 main/lang/galician/trad4all.inc.php | 6 ++--
 main/lang/spanish/trad4all.inc.php | 2 ++
 8 files changed, 49 insertions(+), 57 deletions(-)

diff --git a/main/document/add_link.php b/main/document/add_link.php
index f385700a80..3989bc1abd 100644
--- a/main/document/add_link.php
+++ b/main/document/add_link.php
@@ -9,11 +9,11 @@
 */
 
 // Including the global initialization file
-require_once '../inc/global.inc.php';
+require_once __DIR__.'/../inc/global.inc.php';
 
 // Including additional libraries
-require_once '../inc/lib/document.lib.php';
-require_once '../inc/lib/urlUtils.lib.php';
+require_once __DIR__.'/../inc/lib/document.lib.php';
+require_once __DIR__.'/../inc/lib/urlUtils.lib.php';
 
 $fileLinkEnabled = api_get_configuration_value('enable_add_file_link');
 
@@ -26,6 +26,10 @@ $course_info = api_get_course_info();
 if (empty($course_info)) {
 api_not_allowed(true);
 }
+
+if ($is_certificate_mode) {
+ api_not_allowed(true);
+}
 
 $document_data = DocumentManager::get_document_data_by_id($_REQUEST['id'], api_get_course_id(), true);
 if (empty($document_data)) {
@@ -34,7 +38,7 @@ if (empty($document_data)) {
 } else {
 if ($document_data['filetype'] == 'folder') {
 $document_id = $document_data['id'];
- $path = $document_data['path']."/";
+ $path = $document_data['path'].'/';
 $parent_id = DocumentManager::get_document_id(api_get_course_info(), dirname($path));
 }
 }
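Review bot: `$is_certificate_mode` is read by the new guard but not assigned anywhere in this hunk; if it is not set earlier in the file the guard is a no-op that only raises an undefined-variable notice, so it is worth confirming where it comes from. Two lines below, `$_REQUEST['id']` is still handed to `DocumentManager::get_document_data_by_id()` unfiltered, while the same commit casts ids with `intval()` in document.lib.php; for consistency use `$documentId = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : 0;` and pass `$documentId` instead. The surrounding script continues outside the hunk.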
@@ -62,18 +66,14 @@ if (api_get_group_id()) {
 } else {
 // No course admin and no group member...
 api_not_allowed(true);
 }
-
+
 // Group docs can only be uploaded in the group directory
 if ($to_group_id != 0 && $path == '/') {
 $path = $group_properties['directory'] . "/";
 }
 // Breadcrumbs
-if ($is_certificate_mode) {
-$interbreadcrumb[] = array('url' => '../gradebook/'.$_SESSION['gradebook_dest'], 'name' => get_lang('Gradebook'));
-} else {
-$interbreadcrumb[] = array('url' => './document.php?id='.$document_id.$req_gid, 'name'=> get_lang('Documents'));
-}
+$interbreadcrumb[] = array('url' => './document.php?id='.$document_id.$req_gid, 'name'=> get_lang('Documents'));
 // Interbreadcrumb for the current directory root path
 if (empty($document_data['parents'])) {
@@ -102,11 +102,7 @@ Display::display_header($nameTools, 'Doc');
 // Actions
 echo '
';
 // Link back to the documents overview
-if ($is_certificate_mode) {
-echo ''.Display::return_icon('back.png', get_lang('BackTo').' '.get_lang('CertificateOverview'), '', ICON_SIZE_MEDIUM).'';
-} else {
-echo ''.Display::return_icon('back.png', get_lang('BackTo').' '.get_lang('DocumentsOverview'), '', ICON_SIZE_MEDIUM).'';
-}
+echo ''.Display::return_icon('back.png', get_lang('BackTo').' '.get_lang('DocumentsOverview'), '', ICON_SIZE_MEDIUM).'';
 echo '
';
 // Form to select directory
@@ -115,13 +111,12 @@ $folders = DocumentManager::get_all_document_folders(
 $groupIid,
 $is_allowed_to_edit
 );
-if (!$is_certificate_mode) {
- echo DocumentManager::build_directory_selector(
- $folders,
- $document_id,
- (isset($group_properties['directory']) ? $group_properties['directory'] : array())
- );
-}
+
+echo DocumentManager::build_directory_selector(
+ $folders,
+ $document_id,
+ (isset($group_properties['directory']) ? $group_properties['directory'] : array())
+);
 
 $action = api_get_self().'?'.api_get_cidreq().'&id='.$document_id;
 
@@ -142,8 +137,8 @@ $form->addButtonSend(get_lang('AddCloudLink'), 'submitDocument');
 $form->addRule('name', get_lang('PleaseEnterCloudLinkName'), 'required', null, 'client');
 $form->addRule('name', get_lang('PleaseEnterCloudLinkName'), 'required', null, 'server');
-$form->addRule('url', get_lang('langGiveURL'), 'required', null, 'client');
-$form->addRule('url', get_lang('langGiveURL'), 'required', null, 'server');
+$form->addRule('url', get_lang('PleaseEnterURL'), 'required', null, 'client');
+$form->addRule('url', get_lang('PleaseEnterURL'), 'required', null, 'server');
 // Well formed url pattern (must have the protocol)
 $urlRegEx = URLUtils::getWellformedUrlRegex();
 $form->addRule('url', get_lang('MalformedUrl'), 'regex', $urlRegEx, 'client');
diff --git a/main/document/document.php b/main/document/document.php
index ac3c685117..2af54866e7 100755
--- a/main/document/document.php
+++ b/main/document/document.php
@@ -128,6 +128,7 @@ DocumentManager::create_directory_certificate_in_course($courseInfo);
 $dbl_click_id = 0;
 $selectcat = isset($_GET['selectcat']) ? Security::remove_XSS($_GET['selectcat']) : null;
 $moveTo = isset($_POST['move_to']) ? Security::remove_XSS($_POST['move_to']) : null;
+$moveFile = isset($_POST['move_file']) && is_int($_POST['move_file']) ? $_POST['move_file'] : null;
 
 /* Constants and variables */
 $userId = api_get_user_id();
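Review bot: `is_int($_POST['move_file'])` on the new `$moveFile` line can never be true, because request parameters arrive as strings, so `$moveFile` is always null and the `isset($moveFile)` guard introduced in hunk @@ -1114 never passes — moving documents silently stops working. Validate the string form instead: `$moveFile = isset($_POST['move_file']) && ctype_digit((string) $_POST['move_file']) ? (int) $_POST['move_file'] : null;`, which also hands `check_readonly()` and `get_document_data_by_id()` a real integer later in the file.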
@@ -606,7 +607,7 @@ if (isset($document_id) && empty($action)) {
 $groupIid
 );
 
- if (!empty($document_data['filetype']) && $document_data['filetype'] == 'file' || $document_data['filetype'] == "link") {
+ if (!empty($document_data['filetype']) && $document_data['filetype'] == 'file' || $document_data['filetype'] == 'link') {
 if ($visibility && api_is_allowed_to_session_edit()) {
 $url = api_get_path(WEB_COURSE_PATH).
 $courseInfo['path'].'/document'.$document_data['path'].'?'
@@ -1114,9 +1115,9 @@ if ($isAllowedToEdit || $group_member_with_upload_rights ||
 }
 }
 
- if (!empty($moveTo) && isset($_POST['move_file'])) {
+ if (!empty($moveTo) && isset($moveFile)) {
 if (!$isAllowedToEdit) {
- if (DocumentManager::check_readonly($courseInfo, api_get_user_id(), $_POST['move_file'])) {
+ if (DocumentManager::check_readonly($courseInfo, api_get_user_id(), $moveFile)) {
 api_not_allowed(true);
 }
 }
@@ -1129,7 +1130,7 @@ if ($isAllowedToEdit || $group_member_with_upload_rights ||
 // Get the document data from the ID
 $document_to_move = DocumentManager::get_document_data_by_id(
- $_POST['move_file'],
+ $moveFile,
 api_get_course_id(),
 false,
 $sessionId
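Review bot: The rewritten condition in hunk @@ -606 still mixes `&&` and `||` without parentheses, so the `!empty()` guard only covers the `'file'` comparison and `$document_data['filetype'] == 'link'` is evaluated even when the key is missing. Write it as `if (!empty($document_data['filetype']) && in_array($document_data['filetype'], ['file', 'link'], true)) {`, which keeps the guard in front of both values and uses a strict comparison. The enclosing block begins and ends outside the hunk.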
@@ -1138,11 +1139,10 @@ if ($isAllowedToEdit || $group_member_with_upload_rights ||
 // Security fix: make sure they can't move files that are not in the document table
 if (!empty($document_to_move)) {
 if ($document_to_move['filetype'] == 'link') {
- $real_path_target = $base_work_dir.$_POST['move_to'].'/';
- if (!DocumentManager::cloudLinkExists($_course, $_POST['move_to'], $document_to_move['comment'])) {
- $doc_id = $_POST['move_file'];
-
- DocumentManager::updateDBInfoCloudLink($document_to_move['path'], $_POST['move_to'].'/', $doc_id);
+ $real_path_target = $base_work_dir.$moveTo.'/';
+ if (!DocumentManager::cloudLinkExists($_course, $moveTo, $document_to_move['comment'])) {
+ $doc_id = $moveFile;
+ DocumentManager::updateDBInfoCloudLink($document_to_move['path'], $moveTo.'/', $doc_id);
 //update database item property
 api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'FileMoved', api_get_user_id(), $to_group_id, null, null, null, $session_id);
@@ -1161,8 +1161,8 @@ if ($isAllowedToEdit || $group_member_with_upload_rights ||
 );
 }
 // Set the current path
- $curdirpath = $_POST['move_to'];
- $curdirpathurl = urlencode($_POST['move_to']);
+ $curdirpath = $moveTo;
+ $curdirpathurl = urlencode($moveTo);
 } else {
 $real_path_target = $base_work_dir.$moveTo.'/'.basename($document_to_move['path']);
 $fileExist = false;
@@ -1177,7 +1177,7 @@ if ($isAllowedToEdit || $group_member_with_upload_rights ||
 );
 //update database item property
- $doc_id = $_POST['move_file'];
+ $doc_id = $moveFile;
 if (is_dir($real_path_target)) {
 api_item_property_update(
 $courseInfo,
@@ -1214,8 +1214,8 @@ if ($isAllowedToEdit || $group_member_with_upload_rights ||
 }
 // Set the current path
- $curdirpath = $_POST['move_to'];
- $curdirpathurl = urlencode($_POST['move_to']);
+ $curdirpath = $moveTo;
+ $curdirpathurl = urlencode($moveTo);
 } else {
 if ($fileExist) {
 if (is_dir($real_path_target)) {
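Review bot: `$real_path_target = $base_work_dir.$moveTo.'/'` in hunk @@ -1138 builds a filesystem path from a value that was only passed through `Security::remove_XSS()` (the `$moveTo` assignment in hunk @@ -128); that filter strips markup but does not reject `..` segments, so unless the lines between the two hunks already validate it, the target can resolve outside the course document directory. The same concatenation feeds `is_dir()` in the non-link branch shown in hunk @@ -1161. Resolve the target once and require it to stay under `$base_work_dir` before either branch runs; a sketch is below, to be placed after the `$document_to_move` lookup. The enclosing `if` begins and ends outside the hunk.
```php
// … unchanged: document lookup and readonly check …
$baseDir = realpath($base_work_dir);
$targetDir = realpath($base_work_dir.$moveTo);
if ($baseDir === false || $targetDir === false || strpos($targetDir.'/', $baseDir.'/') !== 0) {
    api_not_allowed(true);
}
// … unchanged: link / file move branches …
```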
diff --git a/main/document/edit_document.php b/main/document/edit_document.php
index 24ea12280c..82a54318c9 100755
--- a/main/document/edit_document.php
+++ b/main/document/edit_document.php
@@ -28,7 +28,7 @@ use ChamiloSession as Session;
 */
 require_once __DIR__.'/../inc/global.inc.php';
-require_once '../inc/lib/urlUtils.lib.php';
+require_once __DIR__.'/../inc/lib/urlUtils.lib.php';
 $groupRights = Session::read('group_member_with_upload_rights');
@@ -469,8 +469,8 @@ if ($owner_id == api_get_user_id() ||
 if ($file_type == 'link') {
 $form->addRule('title', get_lang('PleaseEnterCloudLinkName'), 'required', null, 'client');
 $form->addRule('title', get_lang('PleaseEnterCloudLinkName'), 'required', null, 'server');
- $form->addRule('comment', get_lang('langGiveURL'), 'required', null, 'client');
- $form->addRule('comment', get_lang('langGiveURL'), 'required', null, 'server');
+ $form->addRule('comment', get_lang('PleaseEnterURL'), 'required', null, 'client');
+ $form->addRule('comment', get_lang('PleaseEnterURL'), 'required', null, 'server');
 // Well formed url pattern (must have the protocol)
 $urlRegEx = URLUtils::getWellformedUrlRegex();
 $form->addRule('comment', get_lang('MalformedUrl'), 'regex', $urlRegEx, 'client');
diff --git a/main/inc/lib/document.lib.php b/main/inc/lib/document.lib.php
index e868f6ffce..73b808107c 100755
--- a/main/inc/lib/document.lib.php
+++ b/main/inc/lib/document.lib.php
@@ -5673,7 +5673,7 @@ class DocumentManager
 $basename = substr(strrchr($basename, '.'), 1);
 } elseif ($type == 'link') {
 $icon = 'clouddoc.png';
- $basename = 'Cloud link';
+ $basename = get_lang('CloudFileLink');
 } else {
 if ($path == '/shared_folder') {
 $icon = 'folder_users.png';
@@ -6757,7 +6757,7 @@ class DocumentManager
 return false;
 }
- $document_id = $id;
+ $document_id = intval($id);
 $file_deleted_from_db = false;
@@ -6781,13 +6781,12 @@ class DocumentManager
 * @param array $_course
 * @param string $path
 * @param string $url
- * @return int id of link / false if no link found
- * @deprecated
+ * @return int link's id / false if no link found
 */
 public static function getCloudLinkId($_course, $path, $url) {
 $TABLE_DOCUMENT = Database::get_course_table(TABLE_DOCUMENT);
- $course_id = $_course['real_id'];
+ $course_id = int_val($_course['real_id']);
 $path = Database::escape_string($path);
 if (substr($path, -1) != '/') {
diff --git a/main/install/data.sql b/main/install/data.sql
index 380a87664e..7bdb11f446 100644
--- a/main/install/data.sql
+++ b/main/install/data.sql
@@ -1960,12 +1960,4 @@ VALUES
 INSERT INTO settings_current (variable, type, category, selected_value, title, comment, scope, subkeytext, access_url_changeable)
 VALUES ('allow_download_documents_by_api_key', 'radio', 'WebServices', 'false', 'AllowDownloadDocumentsByApiKeyTitle', 'AllowDownloadDocumentsByApiKeyComment', '', NULL, 1);
 INSERT INTO settings_options (variable, value, display_text) VALUES ('allow_download_documents_by_api_key', 'true', 'Yes');
-INSERT INTO settings_options (variable, value, display_text) VALUES ('allow_download_documents_by_api_key', 'false', 'No');
-
--- Cloud File Links
-INSERT INTO `settings_options` (`variable`, `value`, `display_text`) VALUES
-('enable_add_file_link', 'true', 'Yes'),
-('enable_add_file_link', 'false', 'No');
-
-INSERT INTO `settings_current` (`variable`, `subkey`, `type`, `category`, `selected_value`, `title`, `comment`, `scope`, `subkeytext`, `access_url`, `access_url_changeable`, `access_url_locked`) VALUES
-('enable_add_file_link', NULL, 'radio', 'Tools', 'false', 'enable_add_file_link_title', 'enable_add_file_link_comment', NULL, NULL, 1, 0, 0);
+INSERT INTO settings_options (variable, value, display_text) VALUES ('allow_download_documents_by_api_key', 'false', 'No');
\ No newline at end of file
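Review bot: `int_val()` on the new `$course_id` line is not a PHP function (the builtin is `intval()`), so every call to `getCloudLinkId()` now aborts with an undefined-function fatal error instead of casting the id. Use `$course_id = (int) $_course['real_id'];`, matching the `intval($id)` cast the same commit adds in the preceding hunk of this file. The updated docblock should also read `@return int|false link's id, or false if no link found` so static analysis sees both return types. The method body continues outside the hunk.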
diff --git a/main/lang/english/trad4all.inc.php b/main/lang/english/trad4all.inc.php
index 40d24b70b7..8fac4eb2d7 100644
--- a/main/lang/english/trad4all.inc.php
+++ b/main/lang/english/trad4all.inc.php
@@ -8069,6 +8069,7 @@ $Diagram = "Diagram";
 $CareerXDoesntHaveADiagram = "Career %s doesn't have a diagram.";
 
 // Cloud files in documents strings
+$CloudFileLink = "Cloud file link";
 $enable_add_file_link_title = 'Enable adding cloud files links';
 $enable_add_file_link_comment = 'Tool for adding cloud files\' links from external storage sites (Dropbox, Google Drive...) at Documents.';
 $UrlAlreadyExists = "It already exists one equal URL in this folder.";
@@ -8079,6 +8080,7 @@ $CloudLinkMoved = "Cloud file link moved.";
 $CloudLinkDeleteError = "Error deleting cloud file link.";
 $CloudLinkAdded = "Cloud file link added.";
 $PleaseEnterCloudLinkName = "Please, enter a name for the cloud file link.";
+$PleaseEnterURL = "Please, enter the URL for the cloud file link.";
 $MalformedUrl = "URL field format not valid. Expected format example: http://dropbox.com/sh/loremipsum/loremipsum?dl=0";
 $CloudLinkModified = "Cloud file link modified.";
 $NotValidDomain = "Not valid domain. It must be one of these:";
diff --git a/main/lang/galician/trad4all.inc.php b/main/lang/galician/trad4all.inc.php
index 4890d19215..52bd0be503 100644
--- a/main/lang/galician/trad4all.inc.php
+++ b/main/lang/galician/trad4all.inc.php
@@ -7297,8 +7297,9 @@ $StudentPublicationSelectionForGradebookTitle = "Tarefas consideradas para avali
 $StudentPublicationSelectionForGradebookComment = "Na ferramenta de tarefas, os estudantes poden subir máis dun arquivo. No caso de haber máis dun arquivo do mesmo estudante para unha soa tarefa, cal destes debe ser considerado para a nota nas avaluacións? Isto depende da súa metodoloxía. Seleccione 'primeiro' para poñer o acento sobre a atención ao detalle (como entregar a tempo e o traballo finalizado a primeira vez). Use 'último' para poner o acento sobre o traballo colaborativo e a adaptabilidade.";
 
 // Cloud files in documents strings
-$enable_add_file_link_title = 'Permitir engadir enlaces a ficheiros na nube';
-$enable_add_file_link_comment = 'Ferramenta para engadir enlaces a ficheiros situados en sitios de almacenamento externo (Dropbox, Google Drive, etc...) en Documentos.';
+$CloudFileLink = "Enlace a ficheiro na nube";
+$enable_add_file_link_title = "Permitir engadir enlaces a ficheiros na nube";
+$enable_add_file_link_comment = "Ferramenta para engadir enlaces a ficheiros situados en sitios de almacenamento externo (Dropbox, Google Drive, etc...) en Documentos.";
 $UrlAlreadyExists = "Xa existe unha URL igual neste directorio.";
 $ErrorAddLink = "Produciuse un erro engadindo o enlace.";
 $AddCloudLink = "Engadir enlace a un ficheiro na nube";
@@ -7307,6 +7308,7 @@ $CloudLinkMoved = "Enlace a ficheiro na nube movido.";
 $CloudLinkDeleteError = "Erro ao eliminar o enlace ao ficheiro na nube.";
 $CloudLinkAdded = "Enlace a ficheiro na nube engadido.";
 $PleaseEnterCloudLinkName = "Por favor, introduza un nome para o enlace ao ficheiro na nube.";
+$PleaseEnterURL = "Por favor, introduza a URL do ficheiro na nube.";
 $MalformedUrl = "Formato do campo URL non válido. Exemplo do formato esperado: http://dropbox.com/sh/loremipsum/loremipsum?dl=0";
 $CloudLinkModified = "Enlace a ficheiro na nube modificado.";
 $NotValidDomain = "Dominio non válido. Debe ser un dos seguintes:";
diff --git a/main/lang/spanish/trad4all.inc.php b/main/lang/spanish/trad4all.inc.php
index 83a88de814..ebe602ee37 100644
--- a/main/lang/spanish/trad4all.inc.php
+++ b/main/lang/spanish/trad4all.inc.php
@@ -8083,6 +8083,7 @@ $BestScoreNotInLearningPath = "Mejor nota fuera de lecciones";
 $StudentXHadEnoughSkillsToGetSkillXToAssignClickHereX = "El alumno %s tiene suficiente competencias secundarias para obtener la competencia %s. Para asignar esta competencia, es posible ir aquí : %s";
 
 // Cloud files in documents strings
+$CloudFileLink = "Enlace a fichero en la nube";
 $enable_add_file_link_title = 'Permitir añadir enlaces a ficheros en la nube';
 $enable_add_file_link_comment = 'Herramienta para añadir enlaces a ficheros situados en sitios de almacenamiento externo (Dropbox, Google Drive, etc...) en Documentos.';
 $UrlAlreadyExists = "Ya existe una URL igual en este directorio.";
@@ -8093,6 +8094,7 @@ $CloudLinkMoved = "Enlace a fichero en la nube movido.";
 $CloudLinkDeleteError = "Error al eliminar el enlace al fichero en la nube.";
 $CloudLinkAdded = "Enlace a fichero en la nube añadido.";
 $PleaseEnterCloudLinkName = "Por favor, introduzca un nombre para el enlace al fichero en la nube.";
+$PleaseEnterURL = "Por favor, introduzca la URL del fichero en la nube.";
 $MalformedUrl = "Formato del campo URL no válido. Ejemplo del formato esperado: http://dropbox.com/sh/loremipsum/loremipsum?dl=0";
 $CloudLinkModified = "Enlace a fichero en la nube modificado.";
 $NotValidDomain = "Dominio no válido. Debe de ser uno de los siguientes:";