[svn r20700] minor change insert with remove_XSS in directory work see FS#3909

skala
Carlos Vargas 16 years ago
parent f065024ec0
commit 12137080c7
  1. 21
      main/work/work.lib.php
  2. 14
      main/work/work.php

@ -1,4 +1,4 @@
<?php //$Id: work.lib.php 20605 2009-05-13 20:44:24Z cvargas1 $
<?php //$Id: work.lib.php 20700 2009-05-15 16:35:50Z cvargas1 $
/* For licensing terms, see /dokeos_license.txt */
/**
* @package dokeos.work
@ -6,7 +6,7 @@
* @author Patrick Cool <patrick.cool@UGent.be>, Ghent University - ability for course admins to specify wether uploaded documents are visible or invisible by default.
* @author Roan Embrechts, code refactoring and virtual course support
* @author Frederic Vauthier, directories management
* @version $Id: work.lib.php 20605 2009-05-13 20:44:24Z cvargas1 $
* @version $Id: work.lib.php 20700 2009-05-15 16:35:50Z cvargas1 $
*/
/**
* Displays action links (for admins, authorized groups members and authorized students)
@ -517,14 +517,10 @@ function display_student_publications_list($work_dir,$sub_course_dir,$currentCou
Display::display_confirmation_message(get_lang('FolderEdited'));
$values = $form_folder -> exportValues();
$values = $values['my_group'];
/*$dir_name = disable_dangerous_file($values['dir_name']);*/
$dir_name =disable_dangerous_file($values['dir_name']);
$dir_name =replace_accents($values['dir_name']);
$dir_name=Security::remove_XSS($dir_name);
$values = $values['my_group'];
$dir_name = disable_dangerous_file($values['dir_name']);
$dir_name = replace_accents($values['dir_name']);
$dir_name = replace_dangerous_char($values['dir_name']);
update_dir_name($mydir,$dir_name);
$mydir = $my_sub_dir.$dir_name;
$dir = $dir_name;
@ -1023,8 +1019,9 @@ function update_dir_name($path, $new_name) {
} else {
$path_to_dir .= '/';
}
$new_name=replace_accents($new_name);
$new_name=disable_dangerous_file($new_name);
$new_name_filter=Security::remove_XSS($new_name);
$new_name=replace_accents($new_name_filter);
$new_name=disable_dangerous_file($new_name_filter);
//$new_name=replace_dangerous_char($new_name);
my_rename($base_work_dir.'/'.$path,$new_name);
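Review bot: In update_dir_name the new chain discards the replace_accents() result: `$new_name=disable_dangerous_file($new_name_filter);` re-reads `$new_name_filter` instead of `$new_name`, so the value handed to my_rename has been through remove_XSS and disable_dangerous_file but not accent replacement. Each filter should consume the previous one: `$new_name = Security::remove_XSS($new_name); $new_name = replace_accents($new_name); $new_name = disable_dangerous_file($new_name);`. The earlier hunk in display_student_publications_list has the same shape, where every call reads `$values['dir_name']` and only the last assignment, `replace_dangerous_char(...)`, survives. Security::remove_XSS is an HTML-output filter, not a path filter; nothing visible in this hunk rejects `..` or `/` in $new_name before it reaches the filesystem (replace_dangerous_char, which may do that, is still commented out), so an explicit check for path separators would make the intent verifiable. update_dir_name's body starts and ends outside the hunk.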

@ -1,4 +1,4 @@
<?php //$Id: work.php 20605 2009-05-13 20:44:24Z cvargas1 $
<?php //$Id: work.php 20700 2009-05-15 16:35:50Z cvargas1 $
/* For licensing terms, see /dokeos_license.txt */
/**
* @package dokeos.work
@ -6,7 +6,7 @@
* @author Patrick Cool <patrick.cool@UGent.be>, Ghent University - ability for course admins to specify wether uploaded documents are visible or invisible by default.
* @author Roan Embrechts, code refactoring and virtual course support
* @author Frederic Vauthier, directories management
* @version $Id: work.php 20605 2009-05-13 20:44:24Z cvargas1 $
* @version $Id: work.php 20700 2009-05-15 16:35:50Z cvargas1 $
*
* @todo refactor more code into functions, use quickforms, coding standards, ...
*/
@ -529,10 +529,10 @@ if (api_is_allowed_to_edit(false,true)) {
include_once (api_get_path(LIBRARY_PATH) . "fileUpload.lib.php");
$added_slash = (substr($cur_dir_path, -1, 1) == '/') ? '' : '/';
$directory =disable_dangerous_file($_POST['new_dir']);
$directory =replace_accents($_POST['new_dir']);
$directory=Security::remove_XSS($directory);
$dir_name = $cur_dir_path . $added_slash . $directory;
$filter_directoy=Security::remove_XSS($_POST['new_dir']);
$directory =disable_dangerous_file($filter_directoy);
$directory =replace_accents($filter_directoy);
$dir_name = $cur_dir_path . $added_slash . replace_dangerous_char($directory);
$created_dir = create_unexisting_work_directory($base_work_dir, $dir_name);
// we insert here the directory in the table $work_table
@ -704,7 +704,7 @@ if (api_is_allowed_to_edit(false,true)) {
//Display::display_normal_message('We want to move '.$_POST['move_file'].' to '.$_POST['move_to']);
if (move($course_dir . '/' . $path, $base_work_dir . '/' . $move_to)) {
//update db
update_work_url($_POST['move_file'], 'work/' . $move_to);
update_work_url(Security::remove_XSS($_POST['move_file']), 'work/' . $move_to);
//set the current path
$cur_dir_path = $move_to;
$cur_dir_path_url = urlencode($move_to);
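Review bot: In the new-directory hunk the filter chain drops the disable_dangerous_file() result: `$directory =replace_accents($filter_directoy);` re-reads the remove_XSS output rather than `$directory`, so the name that reaches replace_dangerous_char and create_unexisting_work_directory has never been through disable_dangerous_file. Chain the calls so each consumes the previous one, and fix the spelling while there: `$directory = Security::remove_XSS($_POST['new_dir']); $directory = disable_dangerous_file($directory); $directory = replace_accents($directory);`. Security::remove_XSS targets HTML output; whether `..` or `/` in new_dir is neutralised before `$dir_name` is built depends entirely on replace_dangerous_char, which is not shown here, so an explicit rejection of path separators would make the guarantee visible. In the move hunk only the DB update was wrapped, while `$path` and `$move_to` feed the move() filesystem call unchanged; if they derive from the request, they need the same treatment, which cannot be confirmed from this hunk.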
