Remove "stric"t option the api_replace_dangerous_char() is always strict.

11 years ago · 110b31075d
parent 101ad73eb0
commit 110b31075d
19 changed files with 67 additions and 49 deletions
--- a/main/admin/configure_homepage.php
+++ b/main/admin/configure_homepage.php
@ -406,7 +406,7 @@ if (!empty($action)) {
 				} else {
 					// New links are added as new files in the home/ directory
 					if ($action == 'insert_link' || $action == 'insert_tabs' || empty($filename) || strstr($filename, '/') || !strstr($filename, '.html')) {
-						$filename = api_replace_dangerous_char($link_name, 'strict').'.html';
+						$filename = api_replace_dangerous_char($link_name).'.html';
 					}

 					// "home_" prefix for links are renamed to "user_" prefix (to avoid name clash with existing home page files)
--- a/main/auth/profile.php
+++ b/main/auth/profile.php
@ -322,7 +322,8 @@ function is_profile_editable() {
 * @param    $user_id    User id
 * @return    The filename of the new production or FALSE if the upload has failed
 */
-function upload_user_production($user_id) {
+function upload_user_production($user_id)
+{
    $production_repository = UserManager::getUserPathById($user_id, 'system');

    if (!file_exists($production_repository)) {
@ -372,12 +373,12 @@ function check_user_email($email) {
 }

 /*        MAIN CODE */
-$filtered_extension         = false;
-$update_success             = false;
-$upload_picture_success     = false;
-$upload_production_success  = false;
-$msg_fail_changue_email     = false;
-$msg_is_not_password        = false;
+$filtered_extension = false;
+$update_success = false;
+$upload_picture_success = false;
+$upload_production_success = false;
+$msg_fail_changue_email = false;
+$msg_is_not_password = false;

 if (is_platform_authentication()) {
    if (!empty($_SESSION['change_email'])) {
--- a/main/document/create_document.php
+++ b/main/document/create_document.php
@ -252,8 +252,7 @@ $form->addElement('hidden', 'title_edited', 'false', 'id="title_edited"');
 */
 function document_exists($filename) {
    global $dir;
-    // Clean up the name, only ASCII characters should stay. (and strict)
-    $cleanName = api_replace_dangerous_char($filename, 'strict');
+    $cleanName = api_replace_dangerous_char($filename);

    // No "dangerous" files
    $cleanName = disable_dangerous_file($cleanName);
--- a/main/document/save_pixlr.php
+++ b/main/document/save_pixlr.php
@ -68,7 +68,7 @@ $contents = file_get_contents($urlcontents_to_save);//replace line 45.
 //a bit title security
 $filename = addslashes(trim($filename));
 $filename = Security::remove_XSS($filename);
-$filename = api_replace_dangerous_char($filename, 'strict');
+$filename = api_replace_dangerous_char($filename);
 $filename = disable_dangerous_file($filename);

 if (strlen(trim($filename))==0) {
--- a/main/document/upload.php
+++ b/main/document/upload.php
@ -179,7 +179,10 @@ if (empty($document_data['parents'])) {
    $interbreadcrumb[] = array('url' => '#', 'name' => $document_data['title']);
 } else {
    foreach ($document_data['parents'] as $document_sub_data) {
-        $interbreadcrumb[] = array('url' => $document_sub_data['document_url'], 'name' => $document_sub_data['title']);
+        $interbreadcrumb[] = array(
+            'url' => $document_sub_data['document_url'],
+            'name' => $document_sub_data['title'],
+        );
    }
 }

@ -296,7 +299,7 @@ $defaults = array(

 $form->setDefaults($defaults);

-$simple_form = $form->return_form();
+$simple_form = $form->returnForm();

 $url = api_get_path(WEB_AJAX_PATH).'document.ajax.php?'.api_get_cidreq().'&a=upload_file';
 $multiple_form =  get_lang('ClickToSelectOrDragAndDropMultipleFilesOnTheUploadField').'<br />';
@ -326,4 +329,5 @@ if ($nav_info ['name'] == 'Internet Explorer') {
    $headers = array(get_lang('Send') , get_lang('Send').' ('.get_lang('Simple').')');
    echo Display::tabs($headers, array($multiple_form, $simple_form),'tabs');
 }
+
 Display::display_footer();
--- a/main/exercice/hotpotatoes.php
+++ b/main/exercice/hotpotatoes.php
@ -100,7 +100,7 @@ if ((api_is_allowed_to_edit(null, true)) && (($finish == 0) || ($finish == 2)))

            if ($finish == 0) {
                // Generate new test folder if on first step of file upload.
-                $filename = api_replace_dangerous_char(trim($_FILES['userFile']['name']), 'strict');
+                $filename = api_replace_dangerous_char(trim($_FILES['userFile']['name']));
                $fld = GenerateHpFolder($document_sys_path.$uploadPath.'/');

                //$doc_id = add_document($_course, '/HotPotatoes_files/'.$fld, 'folder', 0, $fld);
--- a/main/inc/lib/groupmanager.lib.php
+++ b/main/inc/lib/groupmanager.lib.php
@ -199,7 +199,7 @@ class GroupManager
            $sql = "UPDATE $table_group SET id = iid WHERE iid = $lastId";
            Database::query($sql);

-            $desired_dir_name= '/'.api_replace_dangerous_char($name,'strict').'_groupdocs';
+            $desired_dir_name= '/'.api_replace_dangerous_char($name).'_groupdocs';
            $my_path = api_get_path(SYS_COURSE_PATH) . $currentCourseRepository . '/document';

            $newFolderData = create_unexisting_directory(
--- a/main/inc/lib/jpegcam/webcam_receiver.php
+++ b/main/inc/lib/jpegcam/webcam_receiver.php
@ -31,7 +31,7 @@ if ($webcamuserid!= api_get_user_id() || api_get_user_id()==0 || $webcamuserid==
 $webcamname = Security::remove_XSS($webcamname);
 $webcamname = Database::escape_string($webcamname);
 $webcamname = addslashes(trim($webcamname));
-$webcamname = api_replace_dangerous_char($webcamname, 'strict');
+$webcamname = api_replace_dangerous_char($webcamname);
 $webcamname = disable_dangerous_file($webcamname);
 $webcamdir = Security::remove_XSS($webcamdir);

--- a/main/inc/lib/nanogong/receiver.php
+++ b/main/inc/lib/nanogong/receiver.php
@ -42,7 +42,7 @@ $_course = api_get_course_info($course_code);
 $filename = trim($_GET['filename']);
 $filename = Security::remove_XSS($filename);
 $filename = Database::escape_string($filename);
-$filename = api_replace_dangerous_char($filename, $strict = 'loose'); // or strict
+$filename = api_replace_dangerous_char($filename);
 $filename = disable_dangerous_file($filename);

 $title = trim(str_replace('_chnano_.', '.', $filename)); //hide nanogong wav tag at title
--- a/main/inc/lib/social.lib.php
+++ b/main/inc/lib/social.lib.php
@ -598,14 +598,14 @@ class SocialManager extends UserManager
        );

        // get count unread message and total invitations
-        $count_unread_message = MessageManager::get_number_of_messages(true);
-        $count_unread_message = !empty($count_unread_message) ? Display::badge($count_unread_message) : null;
+        /*$count_unread_message = MessageManager::get_number_of_messages(true);
+        $count_unread_message = !empty($count_unread_message) ? Display::badge($count_unread_message) : null;*/

-        $number_of_new_messages_of_friend = SocialManager::get_message_number_invitation_by_user_id(api_get_user_id());
+        /*$number_of_new_messages_of_friend = SocialManager::get_message_number_invitation_by_user_id(api_get_user_id());
        $group_pending_invitations = GroupPortalManager::get_groups_by_user(api_get_user_id(), GROUP_USER_PERMISSION_PENDING_INVITATION, false);
        $group_pending_invitations = count($group_pending_invitations);
        $total_invitations = $number_of_new_messages_of_friend + $group_pending_invitations;
-        $total_invitations = (!empty($total_invitations) ? Display::badge($total_invitations) : '');
+        $total_invitations = (!empty($total_invitations) ? Display::badge($total_invitations) : '');*/

        $html = '<div class="avatar-profile">';
        if (in_array($show, $show_groups) && !empty($group_id)) {
@ -819,6 +819,7 @@ class SocialManager extends UserManager
                    }
                }
            }
+
            $html .= '</ul></div></div>';

            if ($show_full_profile && $user_id == intval(api_get_user_id())) {
@ -834,17 +835,20 @@ class SocialManager extends UserManager
                        }
                        $i++;
                    }
-                    //to avoid repeted courses
+                    // To avoid repeated courses
                    $course_list_code = array_unique_dimensional($course_list_code);
                }

-                //-----Announcements
+                // Announcements
                $my_announcement_by_user_id = intval($user_id);
                $announcements = array();
                foreach ($course_list_code as $course) {
                    $course_info = api_get_course_info($course['code']);
                    if (!empty($course_info)) {
-                        $content = AnnouncementManager::get_all_annoucement_by_user_course($course_info['code'], $my_announcement_by_user_id);
+                        $content = AnnouncementManager::get_all_annoucement_by_user_course(
+                            $course_info['code'],
+                            $my_announcement_by_user_id
+                        );

                        if (!empty($content)) {
                            $url = Display::url(Display::return_icon('announcement.png', get_lang('Announcements')).$course_info['name'].' ('.$content['count'].')', api_get_path(WEB_CODE_PATH).'announcements/announcements.php?cidReq='.$course['code']);
@ -867,10 +871,19 @@ class SocialManager extends UserManager
        if ($show_delete_account_button) {
            $html .= '<div class="sidebar-nav"><ul><li>';
            $url = api_get_path(WEB_CODE_PATH).'auth/unsubscribe_account.php';
-            $html .= Display::url(Display::return_icon('delete.png', get_lang('Unsubscribe'), array(), ICON_SIZE_TINY).get_lang('Unsubscribe'), $url);
+            $html .= Display::url(
+                Display::return_icon(
+                    'delete.png',
+                    get_lang('Unsubscribe'),
+                    array(),
+                    ICON_SIZE_TINY
+                ).get_lang('Unsubscribe'),
+                $url
+            );
            $html .= '</li></ul></div>';
        }
        $html .= '';
+
        return $html;
    }

--- a/main/inc/lib/svg-edit/extensions/savefile_config.php
+++ b/main/inc/lib/svg-edit/extensions/savefile_config.php
@ -68,7 +68,7 @@ $saveDir=$dirBaseDocuments.$_SESSION['draw_dir'];

 $filename = addslashes(trim($filename));
 $filename = Security::remove_XSS($filename);
-$filename = api_replace_dangerous_char($filename, 'strict');
+$filename = api_replace_dangerous_char($filename);
 $filename = disable_dangerous_file($filename);

 // a bit extension
--- a/main/inc/lib/wami-recorder/record_document.php
+++ b/main/inc/lib/wami-recorder/record_document.php
@ -29,7 +29,7 @@ if ($wamiuserid != api_get_user_id() || api_get_user_id() == 0 || $wamiuserid ==
 // Clean
 $waminame = Security::remove_XSS($waminame);
 $waminame = Database::escape_string($waminame);
-$waminame = api_replace_dangerous_char($waminame, 'strict');
+$waminame = api_replace_dangerous_char($waminame);
 $waminame = disable_dangerous_file($waminame);
 $wamidir  = Security::remove_XSS($wamidir);
 $content = file_get_contents('php://input');
--- a/main/inc/local.inc.php
+++ b/main/inc/local.inc.php
@ -109,7 +109,7 @@
 *    @package chamilo.include
 */

-// verified if exists the username and password in session current
+// Verified if exists the username and password in session current

 use ChamiloSession as Session;

@ -756,13 +756,13 @@ if (isset($uidReset) && $uidReset) {
        $track_e_login = Database::get_main_table(TABLE_STATISTIC_TRACK_E_LOGIN);

        $sql = "SELECT user.*, a.user_id is_admin, login.login_date
-            FROM $user_table
-            LEFT JOIN $admin_table a
-            ON user.user_id = a.user_id
-            LEFT JOIN $track_e_login login
-            ON user.user_id  = login.login_user_id
-            WHERE user.user_id = '".$_user['user_id']."'
-            ORDER BY login.login_date DESC LIMIT 1";
+                FROM $user_table
+                LEFT JOIN $admin_table a
+                ON user.user_id = a.user_id
+                LEFT JOIN $track_e_login login
+                ON user.user_id  = login.login_user_id
+                WHERE user.user_id = '".$_user['user_id']."'
+                ORDER BY login.login_date DESC LIMIT 1";

        $result = Database::query($sql);

@ -775,7 +775,7 @@ if (isset($uidReset) && $uidReset) {
            $_user['lastLogin'] = api_strtotime($uData['login_date'], 'UTC');

            $is_platformAdmin = (bool) (! is_null($uData['is_admin']));
-            $is_allowedCreateCourse = (bool) (($uData ['status'] == COURSEMANAGER) or (api_get_setting('drhCourseManagerRights') and $uData['status'] == DRH));
+            $is_allowedCreateCourse = (bool) (($uData ['status'] == COURSEMANAGER) || (api_get_setting('drhCourseManagerRights') && $uData['status'] == DRH));
            ConditionalLogin::check_conditions($uData);

            Session::write('_user', $_user);
@ -827,7 +827,8 @@ if (isset($cidReset) && $cidReset) {

            if (!empty($_GET['id_session'])) {
                $_SESSION['id_session'] = intval($_GET['id_session']);
-                $sql = 'SELECT name FROM '.$tbl_session . ' WHERE id="'.intval($_SESSION['id_session']) . '"';
+                $sql = 'SELECT name FROM '.$tbl_session . '
+                        WHERE id="'.intval($_SESSION['id_session']) . '"';
                $rs = Database::query($sql);
                list($_SESSION['session_name']) = Database::fetch_array($rs);
            } else {
@ -913,7 +914,7 @@ if (isset($cidReset) && $cidReset) {
            $sql = 'SELECT name FROM '.$tbl_session . ' WHERE id="'.intval($_SESSION['id_session']). '"';
            $rs = Database::query($sql);
            list($_SESSION['session_name']) = Database::fetch_array($rs);
-            $_SESSION['id_session']         = intval($_GET['id_session']);
+            $_SESSION['id_session'] = intval($_GET['id_session']);
        }


--- a/main/newscorm/aicc.class.php
+++ b/main/newscorm/aicc.class.php
@ -352,7 +352,7 @@ class aicc extends learnpath
        if ($this->debug > 0) { error_log('New LP - aicc::import_package() - Zip file path = '.$zip_file_path.', zip file name = '.$zip_file_name, 0); }
        $course_rel_dir  = api_get_course_path().'/scorm'; // Scorm dir web path starting from /courses
        $course_sys_dir = api_get_path(SYS_COURSE_PATH).$course_rel_dir; // The absolute system path of this course.
-        $current_dir = api_replace_dangerous_char(trim($current_dir), 'strict'); // Current dir we are in, inside scorm/
+        $current_dir = api_replace_dangerous_char(trim($current_dir)); // Current dir we are in, inside scorm/
        if ($this->debug > 0) { error_log('New LP - aicc::import_package() - Current_dir = '.$current_dir, 0); }

         //$uploaded_filename = $_FILES['userFile']['name'];
@ -365,7 +365,7 @@ class aicc extends learnpath
        $this->zipname = $file_base_name; // Save for later in case we don't have a title.

        if ($this->debug > 0) { error_log('New LP - aicc::import_package() - Base file name is : '.$file_base_name, 0); }
-        $new_dir = api_replace_dangerous_char(trim($file_base_name),'strict');
+        $new_dir = api_replace_dangerous_char(trim($file_base_name));
        $this->subdir = $new_dir;
        if($this->debug > 0) { error_log('New LP - aicc::import_package() - Subdir is first set to : '.$this->subdir, 0); }

--- a/main/newscorm/lp_upload.php
+++ b/main/newscorm/lp_upload.php
@ -14,7 +14,7 @@ $course_sys_dir = api_get_path(SYS_COURSE_PATH).$course_dir;
 if (empty($_POST['current_dir'])) {
    $current_dir = '';
 } else {
-    $current_dir = api_replace_dangerous_char(trim($_POST['current_dir']), 'strict');
+    $current_dir = api_replace_dangerous_char(trim($_POST['current_dir']));
 }
 $uncompress = 1;

@ -43,7 +43,7 @@ if (isset($_POST) && $is_error) {
    $extension = $info['extension'];
    $file_base_name = str_replace('.'.$extension, '', $filename);

-    $new_dir = api_replace_dangerous_char(trim($file_base_name), 'strict');
+    $new_dir = api_replace_dangerous_char(trim($file_base_name));
    $type = learnpath::get_package_type($_FILES['user_file']['tmp_name'], $_FILES['user_file']['name']);

    $proximity = 'local';
@ -116,7 +116,7 @@ if (isset($_POST) && $is_error) {
    $filename = $info['basename'];
    $extension = $info['extension'];
    $file_base_name = str_replace('.'.$extension, '', $filename);
-    $new_dir = api_replace_dangerous_char(trim($file_base_name), 'strict');
+    $new_dir = api_replace_dangerous_char(trim($file_base_name));

    $result = learnpath::verify_document_size($s);
    if ($result == true) {
--- a/main/newscorm/openoffice_document.class.php
+++ b/main/newscorm/openoffice_document.class.php
@ -53,7 +53,7 @@ abstract class OpenofficeDocument extends learnpath
        $this->base_work_dir = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document';
        ///learning_path/ppt_dirname directory
        $this->created_dir = substr($result['dir'], 0, strlen($result['dir']) -1);
-        $this->file_path = $this->created_dir.'/'.api_replace_dangerous_char($file['name'], 'strict');
+        $this->file_path = $this->created_dir.'/'.api_replace_dangerous_char($file['name']);

        //var_dump($this->file_name, $this->file_path, $this->base_work_dir, $this->created_dir);

--- a/main/newscorm/scorm.class.php
+++ b/main/newscorm/scorm.class.php
@ -520,7 +520,7 @@ class scorm extends learnpath
        }
        $course_rel_dir = api_get_course_path().'/scorm'; // scorm dir web path starting from /courses
        $course_sys_dir = api_get_path(SYS_COURSE_PATH).$course_rel_dir; // Absolute system path for this course.
-        $current_dir = api_replace_dangerous_char(trim($current_dir),'strict'); // Current dir we are in, inside scorm/
+        $current_dir = api_replace_dangerous_char(trim($current_dir)); // Current dir we are in, inside scorm/

        if ($this->debug > 1) {
            error_log( 'New LP - import_package() - current_dir = ' . $current_dir, 0);
@ -535,7 +535,7 @@ class scorm extends learnpath
        $this->zipname = $file_base_name; // Save for later in case we don't have a title.

        if ($this->debug > 1) { error_log("New LP - base file name is : ".$file_base_name, 0); }
-        $new_dir = api_replace_dangerous_char(trim($file_base_name),'strict');
+        $new_dir = api_replace_dangerous_char(trim($file_base_name));
        $this->subdir = $new_dir;
        if ($this->debug > 1) { error_log("New LP - subdir is first set to : ".$this->subdir, 0); }

--- a/main/wiki/wiki.inc.php
+++ b/main/wiki/wiki.inc.php
@ -1771,7 +1771,7 @@ class Wiki
        }

        $exportDir = api_get_path(SYS_COURSE_PATH).api_get_course_path(). '/document'.$groupPath;
-        $exportFile = api_replace_dangerous_char($wikiTitle, 'strict') . $groupPart;
+        $exportFile = api_replace_dangerous_char($wikiTitle) . $groupPart;

        //$clean_wikiContents = trim(preg_replace("/\[\[|\]\]/", " ", $wikiContents));
        //$array_clean_wikiContents= explode('|', $clean_wikiContents);
--- a/main/work/work.lib.php
+++ b/main/work/work.lib.php
@ -3552,7 +3552,7 @@ function addWorkComment($courseInfo, $userId, $parentWork, $work, $data)
        if (!empty($workParent)) {
            $uploadDir = api_get_path(SYS_COURSE_PATH).$courseInfo['path'].'/work'.$workParent['url'];
            $newFileName = 'comment_'.$commentId.'_'.php2phps(
-                api_replace_dangerous_char($fileData['name'], 'strict')
+                api_replace_dangerous_char($fileData['name'])
            );
            $newFilePath = $uploadDir.'/'.$newFileName;
            $result = move_uploaded_file($fileData['tmp_name'], $newFilePath);
@ -3700,7 +3700,7 @@ function uploadWork($my_folder_data, $_course)
    $filename = add_ext_on_mime(stripslashes($_FILES['file']['name']), $_FILES['file']['type']);

    // Replace dangerous characters
-    $filename = api_replace_dangerous_char($filename, 'strict');
+    $filename = api_replace_dangerous_char($filename);

    // Transform any .php file in .phps fo security
    $filename = php2phps($filename);