Use api_replace_dangerous_char

10 years ago · 2ee21324ef
parent dfb663ae83
commit 2ee21324ef
14 changed files with 57 additions and 55 deletions
--- a/certificates/index.php
+++ b/certificates/index.php
@ -37,7 +37,7 @@ switch ($action) {
            $pageFormat = $pdfParams['orientation'] == 'landscape' ? 'A4-L' : 'A4';

            $userInfo = api_get_user_info($certificate->user_id);
-            $pdfName = replace_dangerous_char(get_lang('Certificate') . ' ' . $userInfo['username']);
+            $pdfName = api_replace_dangerous_char(get_lang('Certificate') . ' ' . $userInfo['username']);

            $pdf = new PDF($pageFormat, $pdfParams['orientation'], $pdfParams);
            $pdf->html_to_pdf($certificatePathList, $pdfName, null, false, false);
--- a/main/admin/configure_homepage.php
+++ b/main/admin/configure_homepage.php
@ -149,7 +149,7 @@ if (api_is_multiple_url_enabled()) {
 	if ($access_url_id != -1) {
 		$url_info = api_get_access_url($access_url_id);
 		$url = api_remove_trailing_slash(preg_replace('/https?:\/\//i', '', $url_info['url']));
-		$clean_url = replace_dangerous_char($url);
+		$clean_url = api_replace_dangerous_char($url);
 		$clean_url = str_replace('/', '-', $clean_url);
 		$clean_url .= '/';

@ -406,7 +406,7 @@ if (!empty($action)) {
 				} else {
 					// New links are added as new files in the home/ directory
 					if ($action == 'insert_link' || $action == 'insert_tabs' || empty($filename) || strstr($filename, '/') || !strstr($filename, '.html')) {
-						$filename = replace_dangerous_char($link_name, 'strict').'.html';
+						$filename = api_replace_dangerous_char($link_name, 'strict').'.html';
 					}

 					// "home_" prefix for links are renamed to "user_" prefix (to avoid name clash with existing home page files)
--- a/main/admin/configure_inscription.php
+++ b/main/admin/configure_inscription.php
@ -69,7 +69,7 @@ if (api_is_multiple_url_enabled()) {
        $url_info = api_get_access_url($access_url_id);
        $url = api_remove_trailing_slash(preg_replace('/https?:\/\//i', '', $url_info['url']));

-        $clean_url = replace_dangerous_char($url);
+        $clean_url = api_replace_dangerous_char($url);
        $clean_url = str_replace('/', '-', $clean_url);
        $clean_url .= '/';

--- a/main/auth/inscription.php
+++ b/main/auth/inscription.php
@ -6,7 +6,7 @@
 *  @package    chamilo.auth
 */

-use \ChamiloSession as Session;
+use ChamiloSession as Session;

 //quick hack to adapt the registration form result to the selected registration language
 if (!empty($_POST['language'])) {
@ -294,7 +294,7 @@ if (!CustomPages::enabled()) {
        if ($access_url_id != -1) {
            $url_info = api_get_access_url($access_url_id);
            $url = api_remove_trailing_slash(preg_replace('/https?:\/\//i', '', $url_info['url']));
-            $clean_url = replace_dangerous_char($url);
+            $clean_url = api_replace_dangerous_char($url);
            $clean_url = str_replace('/', '-', $clean_url);
            $clean_url .= '/';
            $home_old  = api_get_path(SYS_PATH).'home/';
@ -591,7 +591,7 @@ if ($form->validate()) {
    Session::write('is_allowedCreateCourse', $is_allowedCreateCourse);

    // Stats
-    Event::event_login();
+    Event::event_login($user_id);

    // last user login date is now
    $user_last_login_datetime = 0; // used as a unix timestamp it will correspond to : 1 1 1970
--- a/main/auth/profile.php
+++ b/main/auth/profile.php
@ -328,7 +328,7 @@ function upload_user_production($user_id) {
    if (!file_exists($production_repository)) {
        @mkdir($production_repository, api_get_permissions_for_new_directories(), true);
    }
-    $filename = replace_dangerous_char($_FILES['production']['name']);
+    $filename = api_replace_dangerous_char($_FILES['production']['name']);
    $filename = disable_dangerous_file($filename);

    if (filter_extension($filename)) {
--- a/main/document/create_audio.php
+++ b/main/document/create_audio.php
@ -377,7 +377,7 @@ function downloadMP3_google($filepath, $dir)
 	}

 	$documentPath = $filepath.'/'.$audio_filename;
-
+	/*

 	//prev for a fine unicode, borrowed from main api TODO:clean
 	// Safe replacements for some non-letter characters (whitout blank spaces)
@ -391,19 +391,20 @@ function downloadMP3_google($filepath, $dir)
 	// Transliteration to ASCII letters, they are not dangerous for filesystems.
 	$filename = api_transliterate($filename, 'x', $encoding);
    // Replacing remaining dangerous non-letter characters.
-    $clean_text = str_replace($search, $replace, $filename);
+    $clean_text = str_replace($search, $replace, $filename);*/
+	$clean_text = api_replace_dangerous_char($clean_text);

 	//adding the file
-		//add new file to disk
-		file_put_contents($documentPath, file_get_contents("http://translate.google.com/translate_tts?tl=".$clean_lang."&q=".urlencode($clean_text).""));
-		//add document to database
-		$current_session_id = api_get_session_id();
-		$groupId=$_SESSION['_gid'];
-		$file_size = filesize($documentPath);
-		$relativeUrlPath=$dir;
-		$doc_id = add_document($_course, $relativeUrlPath.$audio_filename, 'file', filesize($documentPath), $audio_title);
-		api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'DocumentAdded', $_user['user_id'], $groupId, null, null, null, $current_session_id);
-        Display::display_confirmation_message(get_lang('DocumentCreated'));
+	//add new file to disk
+	file_put_contents($documentPath, file_get_contents("http://translate.google.com/translate_tts?tl=".$clean_lang."&q=".urlencode($clean_text).""));
+	//add document to database
+	$current_session_id = api_get_session_id();
+	$groupId=$_SESSION['_gid'];
+	$file_size = filesize($documentPath);
+	$relativeUrlPath=$dir;
+	$doc_id = add_document($_course, $relativeUrlPath.$audio_filename, 'file', filesize($documentPath), $audio_title);
+	api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'DocumentAdded', $_user['user_id'], $groupId, null, null, null, $current_session_id);
+	Display::display_confirmation_message(get_lang('DocumentCreated'));
 	//return to location
 	echo '<script>window.location.href="'.$location.'"</script>';
 }
@ -454,7 +455,7 @@ function downloadMP3_pediaphon($filepath, $dir){

 	$documentPath = $filepath.'/'.$audio_filename;

-	//prev for a fine unicode, borrowed from main api TODO:clean
+	/*//prev for a fine unicode, borrowed from main api TODO:clean
 	// Safe replacements for some non-letter characters (whitout blank spaces)
 	$search  = array("\0", "\t", "\n", "\r", "\x0B", '/', "\\", '"', "'", '?', '*', '>', '<', '|', ':', '$', '(', ')', '^', '[', ']', '#', '+', '&', '%');
 	$replace = array('',  '_',  '_',  '_',  '_',    '-', '-',  '-', '_', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-');
@ -466,7 +467,8 @@ function downloadMP3_pediaphon($filepath, $dir){
 	// Transliteration to ASCII letters, they are not dangerous for filesystems.
 	$filename = api_transliterate($filename, 'x', $encoding);
    // Replacing remaining dangerous non-letter characters.
-    $clean_text = str_replace($search, $replace, $filename);
+    $clean_text = str_replace($search, $replace, $filename);*/
+	$clean_text = api_replace_dangerous_char($clean_text);

 	//adding the file

--- a/main/document/create_document.php
+++ b/main/document/create_document.php
@ -253,7 +253,7 @@ $form->addElement('hidden', 'title_edited', 'false', 'id="title_edited"');
 function document_exists($filename) {
    global $dir;
    // Clean up the name, only ASCII characters should stay. (and strict)
-    $cleanName = replace_dangerous_char($filename, 'strict');
+    $cleanName = api_replace_dangerous_char($filename, 'strict');

    // No "dangerous" files
    $cleanName = disable_dangerous_file($cleanName);
@ -409,7 +409,7 @@ if ($form->validate()) {
 	$filename = $values['title'];
 	$filename = addslashes(trim($filename));
 	$filename = Security::remove_XSS($filename);
-	$filename = replace_dangerous_char($filename);
+	$filename = api_replace_dangerous_char($filename);
 	$filename = disable_dangerous_file($filename);
    $filename .= DocumentManager::getDocumentSuffix(
        $_course,
--- a/main/document/document.php
+++ b/main/document/document.php
@ -1254,7 +1254,7 @@ if ($is_allowed_to_edit ||
                $curdirpath = $document_data['path'];
            }
            $added_slash = ($curdirpath == '/') ? '' : '/';
-            $dir_name = $curdirpath.$added_slash.replace_dangerous_char($post_dir_name);
+            $dir_name = $curdirpath.$added_slash.api_replace_dangerous_char($post_dir_name);
            $dir_name = disable_dangerous_file($dir_name);
            $dir_check = $base_work_dir.$dir_name;
            $visibility = empty($groupId) ? null : 1;
--- a/main/document/save_pixlr.php
+++ b/main/document/save_pixlr.php
@ -28,7 +28,7 @@ if(!isset($_GET['title']) || !isset($_GET['type']) || !isset($_GET['image'])) {

 if(!isset($_SESSION['paint_dir']) || !isset($_SESSION['whereami']) ){
 	api_not_allowed();
-	die();	
+	die();
 }

 //pixlr return
@ -68,7 +68,7 @@ $contents = file_get_contents($urlcontents_to_save);//replace line 45.
 //a bit title security
 $filename = addslashes(trim($filename));
 $filename = Security::remove_XSS($filename);
-$filename = replace_dangerous_char($filename, 'strict');
+$filename = api_replace_dangerous_char($filename, 'strict');
 $filename = disable_dangerous_file($filename);

 if (strlen(trim($filename))==0) {
@ -77,7 +77,7 @@ if (strlen(trim($filename))==0) {
 }

 //check file_get_contents
-if ($contents === false) { 
+if ($contents === false) {
 	echo "I cannot read: ".$urlcontents;
    exit;
 }
@ -113,22 +113,22 @@ if(strpos($current_mime, 'image')===false) {
 $paintFileName = $filename.'.'.$extension;
 $title = $title.'.'.$extension;

-if($currentTool=='document/createpaint'){		
-	//check save as and prevent rewrite an older file with same name	
+if($currentTool=='document/createpaint'){
+	//check save as and prevent rewrite an older file with same name
 	if (0 != $groupId){
        $group_properties  = GroupManager :: get_group_properties($groupId);
        $groupPath = $group_properties['directory'];
 	} else {
 		$groupPath ='';
-	}	
-	
-	if (file_exists($saveDir.'/'.$filename.'.'.$extension)){ 
-		$i = 1;		
+	}
+
+	if (file_exists($saveDir.'/'.$filename.'.'.$extension)){
+		$i = 1;
 		while (file_exists($saveDir.'/'.$filename.'_'.$i.'.'.$extension)) $i++;
 		$paintFileName = $filename . '_' . $i . '.'.$extension;
 		$title = $filename . '_' . $i . '.'.$extension;
 	}
-	
+
 	//
 	$documentPath = $saveDir.'/'.$paintFileName;
 	//add new document to disk
@ -138,25 +138,25 @@ if($currentTool=='document/createpaint'){
 	api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'DocumentAdded', $_user['user_id'], $groupId, null, null, null, $current_session_id);

 }elseif($currentTool=='document/editpaint'){
-	
+
 	$documentPath = $saveDir.'/'.$paintFileName;
 	//add new document to disk
 	file_put_contents( $documentPath, $contents );
-	
+
 	//check path
 	if(!isset($_SESSION['paint_file'])){
 		api_not_allowed();
 		die();
 	}
-	if($_SESSION['paint_file']==$paintFileName){		   
+	if($_SESSION['paint_file']==$paintFileName){
 		$document_id = DocumentManager::get_document_id($_course, $relativeUrlPath.'/'.$paintFileName);
 		update_existing_document($_course, $document_id, filesize($documentPath), null);
-		api_item_property_update($_course, TOOL_DOCUMENT, $document_id, 'DocumentUpdated', $_user['user_id'], $groupId, null, null, null, $current_session_id);		
+		api_item_property_update($_course, TOOL_DOCUMENT, $document_id, 'DocumentUpdated', $_user['user_id'], $groupId, null, null, null, $current_session_id);
 	}else{
 		//add a new document
 		$doc_id = add_document($_course, $relativeUrlPath.'/'.$paintFileName, 'file', filesize($documentPath), $title);
 		api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'DocumentAdded', $_user['user_id'], $groupId, null, null, null, $current_session_id);
-	}	
+	}
 }


@ -172,11 +172,11 @@ unset($_SESSION['temp_realpath_image']);

 if (!isset($_SESSION['exit_pixlr'])) {
 	$location=api_get_path(WEB_CODE_PATH).'document/document.php';
-	echo '<script>window.parent.location.href="'.$location.'"</script>';					 
+	echo '<script>window.parent.location.href="'.$location.'"</script>';
 	api_not_allowed(true);
-} else {	
+} else {
 	echo '<div align="center" style="padding-top:150; font-family:Arial, Helvetica, Sans-serif;font-size:25px;color:#aaa;font-weight:bold;">'.get_lang('PleaseStandBy').'</div>';
 	$location=api_get_path(WEB_CODE_PATH).'document/document.php?id='.Security::remove_XSS($_SESSION['exit_pixlr']);
 	echo '<script>window.parent.location.href="'.$location.'"</script>';
 	unset($_SESSION['exit_pixlr']);
-}
+}
--- a/main/dropbox/dropbox_functions.inc.php
+++ b/main/dropbox/dropbox_functions.inc.php
@ -836,7 +836,7 @@ function store_add_dropbox()
    // Try to add an extension to the file if it hasn't got one
    $dropbox_filename = add_ext_on_mime($dropbox_filename, $dropbox_filetype);
    // Replace dangerous characters
-    $dropbox_filename = replace_dangerous_char($dropbox_filename);
+    $dropbox_filename = api_replace_dangerous_char($dropbox_filename);
    // Transform any .php file in .phps fo security
    $dropbox_filename = php2phps($dropbox_filename);

--- a/main/exercice/hotpotatoes.php
+++ b/main/exercice/hotpotatoes.php
@ -100,7 +100,7 @@ if ((api_is_allowed_to_edit(null, true)) && (($finish == 0) || ($finish == 2)))

            if ($finish == 0) {
                // Generate new test folder if on first step of file upload.
-                $filename = replace_dangerous_char(trim($_FILES['userFile']['name']), 'strict');
+                $filename = api_replace_dangerous_char(trim($_FILES['userFile']['name']), 'strict');
                $fld = GenerateHpFolder($document_sys_path.$uploadPath.'/');

                //$doc_id = add_document($_course, '/HotPotatoes_files/'.$fld, 'folder', 0, $fld);
--- a/main/gradebook/lib/fe/exportgradebook.php
+++ b/main/gradebook/lib/fe/exportgradebook.php
@ -205,7 +205,7 @@ function export_pdf_attendance($headers_table, $data_table, $headers_pdf, $foote
 	} else {
 		$mpdf->WriteHTML($html);
 	}
-	$mpdf->Output(replace_dangerous_char($title_pdf.'.pdf'), 'D');
+	$mpdf->Output(api_replace_dangerous_char($title_pdf.'.pdf'), 'D');
 	exit;
 }

--- a/main/inc/lib/course.lib.php
+++ b/main/inc/lib/course.lib.php
@ -5413,20 +5413,20 @@ class CourseManager
     * Generates a course code from a course title
     * @todo Such a function might be useful in other places too. It might be moved in the CourseManager class.
     * @todo the function might be upgraded for avoiding code duplications (currently, it might suggest a code that is already in use)
-     * @param string A course title
-     * @param string The course title encoding (defaults to type defined globally)
+     * @param string $title A course title
     * @return string A proposed course code
+     * +
     * @assert (null,null) === false
     * @assert ('ABC_DEF', null) === 'ABCDEF'
     * @assert ('ABC09*^[%A', null) === 'ABC09A'
     */
-    public static function generate_course_code($course_title, $encoding = null)
+    public static function generate_course_code($title)
    {
-        if (empty($encoding)) {
-            $encoding = api_get_system_encoding();
-        }
-        return substr(preg_replace('/[^A-Z0-9]/', '', strtoupper(api_transliterate($course_title, 'X', $encoding))), 0,
-            CourseManager::MAX_COURSE_LENGTH_CODE);
+        return substr(
+            preg_replace('/[^A-Z0-9]/', '', strtoupper(api_replace_dangerous_char($title))),
+            0,
+            CourseManager::MAX_COURSE_LENGTH_CODE
+        );
    }

    /**
--- a/main/mySpace/user_add.php
+++ b/main/mySpace/user_add.php
@ -231,7 +231,7 @@ if ($form->validate()) {
 			if (!is_dir(api_get_path(SYS_CODE_PATH).'upload/users/')) {
 				mkdir(api_get_path(SYS_CODE_PATH).'upload/users/', api_get_permissions_for_new_directories());
 			}
-			$picture_uri = uniqid('').'_'.replace_dangerous_char($picture['name']);
+			$picture_uri = uniqid('').'_'.api_replace_dangerous_char($picture['name']);
 			$picture_location = api_get_path(SYS_CODE_PATH).'upload/users/'.$picture_uri;
 			move_uploaded_file($picture['tmp_name'], $picture_location);
 		}