Fix course access to files, blocking using api_protect_course_script()

- format code + add "int" casting
7 years ago · 49fd40eedb
parent ca40a3341c
commit 49fd40eedb
36 changed files with 129 additions and 60 deletions
--- a/main/badge/class.php
+++ b/main/badge/class.php
@ -13,14 +13,17 @@ require_once __DIR__.'/../inc/global.inc.php';
 $skillId = isset($_GET['id']) ? (int) $_GET['id'] : 0;
 $objSkill = new Skill();
 $skill = $objSkill->get($skillId);
 $json = [];
-$json = [
+if ($skill) {
    $json = [
        'name' => $skill['name'],
        'description' => $skill['description'],
        'image' => api_get_path(WEB_UPLOAD_PATH)."badges/{$skill['icon']}",
        'criteria' => api_get_path(WEB_CODE_PATH)."badge/criteria.php?id=$skillId",
-    'issuer' => api_get_path(WEB_CODE_PATH)."badge/issuer.php",
+        'issuer' => api_get_path(WEB_CODE_PATH).'badge/issuer.php',
-];
+    ];
 }
 header('Content-Type: application/json');
--- a/main/badge/criteria.php
+++ b/main/badge/criteria.php
@ -10,33 +10,40 @@
 */
 require_once __DIR__.'/../inc/global.inc.php';
-$entityManager = Database::getManager();
+$skillId = isset($_GET['id']) ? $_GET['id'] : 0;
 /** @var \Chamilo\CoreBundle\Entity\Skill $skill */
 $skill = $entityManager->find('ChamiloCoreBundle:Skill', $_GET['id']);
 if (!$skill) {
    Display::addFlash(
        Display::return_message(get_lang('SkillNotFound'), 'error')
    );
-    header('Location: '.api_get_path(WEB_PATH));
+if (empty($skillId)) {
    exit;
 }
-$skillInfo = [
+$entityManager = Database::getManager();
 /** @var \Chamilo\CoreBundle\Entity\Skill $skill */
 $skill = $entityManager->find('ChamiloCoreBundle:Skill', $_GET['id']);
 if ($skill) {
    $skillInfo = [
        'name' => $skill->getName(),
        'short_code' => $skill->getShortCode(),
        'description' => $skill->getDescription(),
        'criteria' => $skill->getCriteria(),
        'badge_image' => Skill::getWebIconPath($skill),
-];
+    ];
-$template = new Template();
+    $template = new Template();
-$template->assign('skill_info', $skillInfo);
+    $template->assign('skill_info', $skillInfo);
-$content = $template->fetch(
+    $content = $template->fetch(
        $template->get_template('skill/criteria.tpl')
    );
    $template->assign('content', $content);
    $template->display_one_col_template();
    exit;
 }
 Display::addFlash(
    Display::return_message(get_lang('SkillNotFound'), 'error')
 );
-$template->assign('content', $content);
+header('Location: '.api_get_path(WEB_PATH));
-$template->display_one_col_template();
+exit;
--- a/main/blog/blog.php
+++ b/main/blog/blog.php
@ -8,7 +8,7 @@
 */
 require_once __DIR__.'/../inc/global.inc.php';
-$blog_id = intval($_GET['blog_id']);
+$blog_id = isset($_GET['blog_id']) ? $_GET['blog_id'] : 0;
 if (empty($blog_id)) {
    api_not_allowed(true);
--- a/main/calendar/download.php
+++ b/main/calendar/download.php
@ -19,11 +19,9 @@ header('Expires: Wed, 01 Jan 1990 00:00:00 GMT');
 header('Cache-Control: public');
 header('Pragma: no-cache');
-$course_id = intval($_REQUEST['course_id']);
+$course_id = isset($_REQUEST['course_id']) ? $_REQUEST['course_id'] : 0;
 $user_id = api_get_user_id();
 $course_info = api_get_course_info_by_id($course_id);
 $doc_url = $_REQUEST['file'];
 $session_id = api_get_session_id();
 if (empty($course_id)) {
    $course_id = api_get_course_int_id();
@ -32,6 +30,11 @@ if (empty($course_id) || empty($doc_url)) {
    api_not_allowed();
 }
 $doc_url = $_REQUEST['file'];
 $session_id = api_get_session_id();
 $is_user_is_subscribed = CourseManager::is_user_subscribed_in_course(
    $user_id,
    $course_info['code'],
--- a/main/exercise/adminhp.php
+++ b/main/exercise/adminhp.php
@ -12,6 +12,8 @@ require_once __DIR__.'/../inc/global.inc.php';
 $this_section = SECTION_COURSES;
 api_protect_course_script(true);
 $_course = api_get_course_info();
 if (isset($_REQUEST["cancel"])) {
--- a/main/exercise/aiken.php
+++ b/main/exercise/aiken.php
@ -10,6 +10,9 @@
 * @author César Perales <cesar.perales@gmail.com> Updated function names and import files for Aiken format support
 */
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script(true);
 $lib_path = api_get_path(LIBRARY_PATH);
 $main_path = api_get_path(SYS_CODE_PATH);
--- a/main/exercise/hotpotatoes.php
+++ b/main/exercise/hotpotatoes.php
@ -9,6 +9,9 @@
 * @author Istvan Mandak (original author)
 */
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script(true);
 require_once 'hotpotatoes.lib.php';
 // Section (for the tabs).
--- a/main/exercise/hotspot_actionscript.as.php
+++ b/main/exercise/hotspot_actionscript.as.php
@ -12,9 +12,12 @@ use ChamiloSession as Session;
 *
 * @version $Id: admin.php 10680 2007-01-11 21:26:23Z pcool $
 */
-session_cache_limiter("none");
+session_cache_limiter('none');
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script(true);
 require api_get_path(LIBRARY_PATH).'geometry.lib.php';
 // set vars
--- a/main/exercise/hotspot_save.inc.php
+++ b/main/exercise/hotspot_save.inc.php
@ -10,6 +10,8 @@
 */
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script(true);
 $TBL_ANSWER = Database::get_course_table(TABLE_QUIZ_ANSWER);
 $questionId = intval($_GET['questionId']);
 $answerId = intval($_GET['answerId']);
--- a/main/exercise/qti2.php
+++ b/main/exercise/qti2.php
@ -12,6 +12,8 @@
 */
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script(true);
 // section (for the tabs)
 $this_section = SECTION_COURSES;
--- a/main/exercise/question_pool.php
+++ b/main/exercise/question_pool.php
@ -17,6 +17,8 @@ use Knp\Component\Pager\Paginator;
 */
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script(true);
 $this_section = SECTION_COURSES;
 $is_allowedToEdit = api_is_allowed_to_edit(null, true);
--- a/main/exercise/recalculate.php
+++ b/main/exercise/recalculate.php
@ -5,6 +5,8 @@ use Chamilo\CoreBundle\Entity\TrackEExercises;
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script(true);
 $isAllowedToEdit = api_is_allowed_to_edit(true, true);
 if (!$isAllowedToEdit) {
--- a/main/exercise/savescores.php
+++ b/main/exercise/savescores.php
@ -7,6 +7,9 @@
 * @package chamilo.exercise
 */
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script(true);
 $courseInfo = api_get_course_info();
 $_user = api_get_user_info();
--- a/main/exercise/showinframes.php
+++ b/main/exercise/showinframes.php
@ -9,6 +9,9 @@
 * @author Istvan Mandak
 */
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script(true);
 require_once api_get_path(SYS_CODE_PATH).'exercise/hotpotatoes.lib.php';
 $_course = api_get_course_info();
--- a/main/exercise/tests_category.php
+++ b/main/exercise/tests_category.php
@ -25,9 +25,12 @@ require_once __DIR__.'/../inc/global.inc.php';
 $this_section = SECTION_COURSES;
 api_protect_course_script(true);
 if (!api_is_allowed_to_edit()) {
    api_not_allowed(true);
 }
 $category = new TestCategory();
 $courseId = api_get_course_int_id();
 $sessionId = api_get_session_id();
--- a/main/exercise/upload_exercise.php
+++ b/main/exercise/upload_exercise.php
@ -14,6 +14,8 @@ $help_content = 'exercise_upload';
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script(true);
 $is_allowed_to_edit = api_is_allowed_to_edit(null, true);
 $debug = false;
 $origin = api_get_origin();
--- a/main/glossary/glossary_ajax_request.php
+++ b/main/glossary/glossary_ajax_request.php
@ -9,6 +9,8 @@
 */
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script(true);
 /**
 * Search a term and return description from a glossary.
 */
--- a/main/inc/lib/timeline.lib.php
+++ b/main/inc/lib/timeline.lib.php
@ -219,15 +219,16 @@ class Timeline extends Model
    /**
     * @param array $params
     * @param bool $showQuery
     *
     * @return bool
     */
-    public function save($params)
+    public function save($params, $showQuery = false)
    {
        $params['c_id'] = api_get_course_int_id();
        $params['parent_id'] = '0';
        $params['type'] = 'default';
-        $id = parent::save($params);
+        $id = parent::save($params, $showQuery);
        if (!empty($id)) {
            //event_system(LOG_CAREER_CREATE, LOG_CAREER_ID, $id, api_get_utc_datetime(), api_get_user_id());
        }
--- a/main/link/link_goto.php
+++ b/main/link/link_goto.php
@ -19,15 +19,17 @@
 require_once __DIR__.'/../inc/global.inc.php';
 $this_section = SECTION_COURSES;
-$linkId = intval($_GET['link_id']);
+$linkId = isset($_GET['link_id']) ? $_GET['link_id'] : 0;
 $linkInfo = Link::getLinkInfo($linkId);
-$linkUrl = html_entity_decode(Security::remove_XSS($linkInfo['url']));
+if ($linkInfo) {
-// Launch event
+    $linkUrl = html_entity_decode(Security::remove_XSS($linkInfo['url']));
-Event::event_link($linkId);
+    // Launch event
    Event::event_link($linkId);
-header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
+    header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
-header("Cache-Control: post-check=0, pre-check=0", false);
+    header("Cache-Control: post-check=0, pre-check=0", false);
-header("Pragma: no-cache"); // HTTP/1.0
+    header("Pragma: no-cache"); // HTTP/1.0
-header("Location: $linkUrl");
+    header("Location: $linkUrl");
-exit;
+    exit;
 }
--- a/main/lp/embed.php
+++ b/main/lp/embed.php
@ -5,6 +5,8 @@ use ChamiloSession as Session;
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script(true);
 $type = $_REQUEST['type'];
 $src = Security::remove_XSS($_REQUEST['source']);
 if (empty($type) || empty($src)) {
--- a/main/lp/lp_ajax_initialize.php
+++ b/main/lp/lp_ajax_initialize.php
@ -15,6 +15,8 @@
 $use_anonymous = true;
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script();
 /**
 * Get one item's details.
 *
--- a/main/lp/lp_ajax_save_item.php
+++ b/main/lp/lp_ajax_save_item.php
@ -16,6 +16,8 @@ use ChamiloSession as Session;
 $use_anonymous = true;
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script();
 /**
 * Writes an item's new values into the database and returns the operation result.
 *
--- a/main/messages/download.php
+++ b/main/messages/download.php
@ -13,12 +13,17 @@ session_cache_limiter('public');
 require_once __DIR__.'/../inc/global.inc.php';
 $file_url = isset($_GET['file']) ? $_GET['file'] : '';
 if (empty($file_url)) {
    api_not_allowed();
 }
 // IMPORTANT to avoid caching of documents
 header('Expires: Wed, 01 Jan 1990 00:00:00 GMT');
 header('Cache-Control: public');
 header('Pragma: no-cache');
 $file_url = $_GET['file'];
 //change the '&' that got rewritten to '///' by mod_rewrite back to '&'
 $file_url = str_replace('///', '&', $file_url);
 //still a space present? it must be a '+' (that got replaced by mod_rewrite)
--- a/main/search/search_suggestions.php
+++ b/main/search/search_suggestions.php
@ -115,9 +115,11 @@ function get_suggestions_from_search_engine($q)
    echo json_encode($json);
 }
-$q = strtolower($_GET["term"]);
+if (isset($_GET['term'])) {
-if (!$q) {
+    $q = strtolower($_GET['term']);
    if (!$q) {
        return;
    }
    get_suggestions_from_search_engine($q);
 }
 //echo $q . "| value\n";
 get_suggestions_from_search_engine($q);
--- a/main/session/add_edit_users_to_session.php
+++ b/main/session/add_edit_users_to_session.php
@ -15,7 +15,10 @@ $xajax->registerFunction('search_users');
 // setting the section (for the tabs)
 $this_section = SECTION_PLATFORM_ADMIN;
-$id_session = intval($_GET['id_session']);
+$id_session = isset($_GET['id_session']) ? (int) $_GET['id_session'] : 0;
 if (empty($id_session)) {
    api_not_allowed(true);
 }
 $addProcess = isset($_GET['add']) ? Security::remove_XSS($_GET['add']) : null;
 SessionManager::protectSession($id_session);
--- a/main/session/add_teachers_to_session.php
+++ b/main/session/add_teachers_to_session.php
@ -24,7 +24,7 @@ $tool_name = get_lang('EnrollTrainersFromExistingSessions');
 $form_sent = 0;
 $errorMsg = '';
-$id = intval($_GET['id']);
+$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
 SessionManager::protectSession($id);
--- a/main/session/add_users_to_session.php
+++ b/main/session/add_users_to_session.php
@ -15,7 +15,7 @@ $xajax->registerFunction('search_users');
 // setting the section (for the tabs)
 $this_section = SECTION_PLATFORM_ADMIN;
-$id_session = intval($_GET['id_session']);
+$id_session = isset($_GET['id_session']) ? (int) $_GET['id_session'] : 0;
 $addProcess = isset($_GET['add']) ? Security::remove_XSS($_GET['add']) : null;
 SessionManager::protectSession($id_session);
--- a/main/session/add_users_to_session_course.php
+++ b/main/session/add_users_to_session_course.php
@ -15,7 +15,7 @@ $xajax->registerFunction('search_users');
 // setting the section (for the tabs)
 $this_section = SECTION_PLATFORM_ADMIN;
-$id_session = (int) $_GET['id_session'];
+$id_session = isset($_GET['id_session']) ? (int) $_GET['id_session'] : 0;
 $courseId = isset($_GET['course_id']) ? (int) $_GET['course_id'] : 0;
 if (empty($id_session) || empty($courseId)) {
--- a/main/session/index.php
+++ b/main/session/index.php
@ -13,7 +13,7 @@ use ChamiloSession as Session;
 $cidReset = true;
 require_once __DIR__.'/../inc/global.inc.php';
-$session_id = isset($_GET['session_id']) ? (int) $_GET['session_id'] : null;
+$session_id = isset($_GET['session_id']) ? (int) $_GET['session_id'] : 0;
 if (empty($session_id)) {
    api_not_allowed(true);
--- a/main/session/session_course_edit.php
+++ b/main/session/session_course_edit.php
@ -10,7 +10,7 @@ $cidReset = true;
 require_once __DIR__.'/../inc/global.inc.php';
-$id_session = intval($_GET['id_session']);
+$id_session = isset($_GET['id_session']) ? (int) $_GET['id_session'] : 0;
 SessionManager::protectSession($id_session);
 $course_code = $_GET['course_code'];
 $course_info = api_get_course_info($_REQUEST['course_code']);
--- a/main/session/session_course_list.php
+++ b/main/session/session_course_list.php
@ -10,7 +10,7 @@ require_once __DIR__.'/../inc/global.inc.php';
 // setting the section (for the tabs)
 $this_section = SECTION_PLATFORM_ADMIN;
-$id_session = intval($_GET['id_session']);
+$id_session = isset($_GET['id_session']) ? (int) $_GET['id_session'] : 0;
 SessionManager::protectSession($id_session);
 // Database Table Definitions
--- a/main/session/session_course_user.php
+++ b/main/session/session_course_user.php
@ -14,12 +14,11 @@ require_once __DIR__.'/../inc/global.inc.php';
 // setting the section (for the tabs)
 $this_section = SECTION_PLATFORM_ADMIN;
 $tool_name = get_lang('EditSessionCoursesByUser');
 $id_session = isset($_GET['id_session']) ? (int) $_GET['id_session'] : 0;
 SessionManager::protectSession($id_session);
 $id_session = intval($_GET['id_session']);
 $id_user = intval($_GET['id_user']);
 SessionManager::protectSession($id_session);
 $em = Database::getManager();
 /** @var Session $session */
 $session = $em->find('ChamiloCoreBundle:Session', $id_session);
--- a/main/session/session_course_user_list.php
+++ b/main/session/session_course_user_list.php
@ -15,7 +15,7 @@ $tbl_session_rel_course = Database::get_main_table(TABLE_MAIN_SESSION_COURSE);
 $tbl_session_rel_user = Database::get_main_table(TABLE_MAIN_SESSION_USER);
 $tbl_session_rel_course_rel_user = Database::get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
-$id_session = intval($_GET['id_session']);
+$id_session = isset($_GET['id_session']) ? (int) $_GET['id_session'] : 0;
 SessionManager::protectSession($id_session);
 if (empty($id_session)) {
--- a/main/session/session_export.php
+++ b/main/session/session_export.php
@ -14,6 +14,7 @@ $this_section = SECTION_PLATFORM_ADMIN;
 api_protect_admin_script(true);
 $session_id = isset($_GET['session_id']) ? intval($_GET['session_id']) : 0;
 $formSent = 0;
 $errorMsg = '';
--- a/main/timeline/index.php
+++ b/main/timeline/index.php
@ -20,6 +20,8 @@ $action = isset($_GET['action']) ? $_GET['action'] : null;
 $check = Security::check_token('request');
 $token = Security::get_token();
 $actions = '';
 $message = '';
 switch ($action) {
    case 'add':
@ -149,7 +151,7 @@ switch ($action) {
        break;
 }
-$tpl = new Template($tool_name);
+$tpl = new Template();
 $tpl->assign('actions', $actions);
 $tpl->assign('message', $message);
--- a/main/work/edit_work.php
+++ b/main/work/edit_work.php
@ -2,6 +2,9 @@
 /* For licensing terms, see /license.txt */
 require_once __DIR__.'/../inc/global.inc.php';
 api_protect_course_script(true);
 $lib_path = api_get_path(LIBRARY_PATH);
 /* Libraries */