Add api_protect_course_script see #2875 to block pages

main/document/document_quota.php

@@ -8,6 +8,8 @@
  */
 require_once __DIR__.'/../inc/global.inc.php';
 
+api_protect_course_script(true);
+
 if (!api_is_allowed_to_edit(null, true)) {
     api_not_allowed(true);
 }

main/document/remote.php

@@ -16,9 +16,13 @@
  *
  * @return string JSON output
  */
+
+
 /* FIX for IE cache when using https */
 session_cache_limiter('none');
 require_once __DIR__.'/../inc/global.inc.php';
+
+api_protect_course_script(true);
 api_block_anonymous_users();
 /*==== Variables initialisation ====*/
 $action = $_REQUEST['action']; //safe as only used in if()'s

main/document/upload.php

@@ -32,12 +32,12 @@
  *
  * @package chamilo.document
  */
-// Including the global initialization file
-require_once __DIR__.'/../inc/global.inc.php';
 
-// Including additional libraries
+require_once __DIR__.'/../inc/global.inc.php';
 require_once api_get_path(LIBRARY_PATH).'specific_fields_manager.lib.php';
 
+api_protect_course_script(true);
+
 // Adding extra javascript to the form
 $htmlHeadXtra[] = api_get_jquery_libraries_js(['jquery-ui', 'jquery-upload']);
 
@@ -49,7 +49,7 @@ $courseDir = $_course['path'].'/document';
 $sys_course_path = api_get_path(SYS_COURSE_PATH);
 $base_work_dir = $sys_course_path.$courseDir;
 $sessionId = api_get_session_id();
-$selectcat = isset($_GET['selectcat']) ? Security::remove_XSS($_GET['selectcat']) : null;
+$selectcat = isset($_GET['selectcat']) ? (int) $_GET['selectcat'] : null;
 
 $document_data = [];
 
@@ -86,14 +86,10 @@ $group_properties = [];
 
 $htmlHeadXtra[] = '<script>
 function check_unzip() {
-    if (document.upload.unzip.checked){
-        //document.upload.if_exists[0].disabled=true;
-        document.upload.if_exists[1].checked=true;
-        //document.upload.if_exists[2].disabled=true;
+    if (document.upload.unzip.checked) {        
+        document.upload.if_exists[1].checked=true;        
     } else {
         document.upload.if_exists[2].checked=true;
-        //document.upload.if_exists[0].disabled=false;
-        //document.upload.if_exists[2].disabled=false;
     }
 }
 

main/exercise/Hpdownload.php

@@ -12,6 +12,9 @@
 session_cache_limiter('public');
 
 require_once __DIR__.'/../inc/global.inc.php';
+
+api_protect_course_script(true);
+
 $this_section = SECTION_COURSES;
 
 $tbl_document = Database::get_course_table(TABLE_DOCUMENT);

main/exercise/exercise_admin.php

@@ -15,6 +15,8 @@ use ChamiloSession as Session;
 require_once __DIR__.'/../inc/global.inc.php';
 $this_section = SECTION_COURSES;
 
+api_protect_course_script(true);
+
 if (!api_is_allowed_to_edit(null, true)) {
     api_not_allowed(true);
 }

main/exercise/hotspot_savescore.inc.php

@@ -13,6 +13,9 @@ use ChamiloSession as Session;
  * 	@version $Id: admin.php 10680 2007-01-11 21:26:23Z pcool $
  */
 require_once __DIR__.'/../inc/global.inc.php';
+
+api_protect_course_script(true);
+
 $courseCode = $_GET['coursecode'];
 $questionId = $_GET['questionId'];
 $coordinates = $_GET['coord'];

main/exercise/hotspot_updatescore.inc.php

@@ -14,6 +14,8 @@ use ChamiloSession as Session;
  */
 require_once __DIR__.'/../inc/global.inc.php';
 
+api_protect_course_script(true);
+
 $courseCode = $_GET['coursecode'];
 $questionId = $_GET['questionId'];
 $coordinates = $_GET['coord'];