diff --git a/main/work/work.lib.php b/main/work/work.lib.php
index 3bca3575c8..e35282d997 100644
--- a/main/work/work.lib.php
+++ b/main/work/work.lib.php
@@ -1,4 +1,4 @@ -, Ghent University - ability for course admins to specify wether uploaded documents are visible or invisible by default. * @author Roan Embrechts, code refactoring and virtual course support * @author Frederic Vauthier, directories management -* @version $Id: work.lib.php 18437 2009-02-11 16:34:36Z cfasanando $ +* @version $Id: work.lib.php 18439 2009-02-11 17:24:28Z cvargas1 $ */ /** * Displays action links (for admins, authorized groups members and authorized students)
@@ -505,7 +505,9 @@ function display_student_publications_list($work_dir,$sub_course_dir,$currentCou
 $values = $form_folder -> exportValues();
 $values = $values['my_group'];
- $dir_name = replace_accents($values['dir_name']);
+ $dir_name = disable_dangerous_file($values['dir_name']);
+ $dir_name = replace_accents($values['dir_name']);
+ $dir_name = replace_dangerous_char($values['dir_name']);
 update_dir_name($mydir,$dir_name);
 $mydir = $my_sub_dir.$dir_name;
 $dir = $dir_name;
@@ -731,6 +733,8 @@ function get_subdirs_list($basedir='',$recurse=0){
 $dh = opendir($basedir);
 while($entry = readdir($dh)) {
 $entry = replace_accents($entry);
+ $entry = disable_dangerous_file($entry);
+ $entry = replace_dangerous_char($entry);
 if(is_dir($basedir.$entry) && $entry!='..' && $entry!='.') {
 $dirs_list[] = $entry;
 if($recurse==1) {
@@ -987,7 +991,10 @@ function update_dir_name($path, $new_name)
 $path_to_dir .= '/';
 }
+ $new_name=replace_accents($new_name);
+ $new_name=disable_dangerous_file($new_name);
+ $new_name=replace_dangerous_char($new_name);
 my_rename($base_work_dir.'/'.$path,$new_name);
 $table = Database::get_course_table(TABLE_STUDENT_PUBLICATION);
diff --git a/main/work/work.php b/main/work/work.php
index 5c802b782d..33247a6b27 100644
--- a/main/work/work.php
+++ b/main/work/work.php
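Review bot: The three new assignments in display_student_publications_list each read the raw `$values['dir_name']` again, so the results of disable_dangerous_file() and replace_accents() are discarded and `$dir_name` ends up holding only replace_dangerous_char() of the unfiltered form value. Feed each step the previous result instead: `$dir_name = disable_dangerous_file($values['dir_name']);` `$dir_name = replace_accents($dir_name);` `$dir_name = replace_dangerous_char($dir_name);`. The work.php hunk at line 492 has the same slip, where `$directory =replace_accents($_POST['new_dir']);` overwrites the disable_dangerous_file() result on the line above; `$directory = replace_accents($directory);` keeps that filter in effect. Since update_dir_name() now applies the full chain to `$new_name` on its own, the name it renames to may differ from the `$mydir` path this caller builds from its partially filtered `$dir_name`. The function body continues outside the hunk.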
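Review bot: In get_subdirs_list the new disable_dangerous_file() and replace_dangerous_char() calls rewrite `$entry` as returned by readdir() before `is_dir($basedir.$entry)` tests it, so an existing directory whose on-disk name is altered by either helper is no longer found and silently drops out of `$dirs_list` and out of the recursion. A listing should test and record names as they exist on disk; the sanitising belongs on the creation and rename paths this commit also touches. If skipping such entries is the intent, that deserves a comment on these lines, e.g. `// entries whose names do not survive sanitising are deliberately not listed`. The loop body continues outside the hunk.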
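Review bot: update_dir_name applies the helpers in the order replace_accents, disable_dangerous_file, replace_dangerous_char, while the other two call sites in this commit run disable_dangerous_file first; unless the helpers are order-independent, the name passed to my_rename() and the name a caller computes for the same input can diverge. Use a single order everywhere, and since this function now sanitises `$new_name` itself, say so at the top of the added lines so callers can stop duplicating the chain: `// $new_name is sanitised here; callers may pass the raw form value`. Whether the sanitised `$new_name` is also what the Database update below stores cannot be seen from the hunk, as the function body continues outside it.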
@@ -1,4 +1,4 @@ -, Ghent University - ability for course admins to specify wether uploaded documents are visible or invisible by default. * @author Roan Embrechts, code refactoring and virtual course support * @author Frederic Vauthier, directories management -* @version $Id: work.php 18437 2009-02-11 16:34:36Z cfasanando $ +* @version $Id: work.php 18439 2009-02-11 17:24:28Z cvargas1 $ * * @todo refactor more code into functions, use quickforms, coding standards, ... */
@@ -213,7 +213,6 @@ if (!empty($_POST['submitWork']) || !empty($submitGroupWorkUrl)) {
 include_once (api_get_path(INCLUDE_PATH) . "lib/fileUpload.lib.php");
 include_once (api_get_path(INCLUDE_PATH) . "lib/fileDisplay.lib.php"); // need format_url function
 }
-
 // If the POST's size exceeds 8M (default value in php.ini) the $_POST array is emptied
 // If that case happens, we set $submitWork to 1 to allow displaying of the error message
 // The redirection with header() is needed to avoid apache to show an error page on the next request
@@ -492,6 +491,7 @@ if (api_is_allowed_to_edit(false,true)) {
 include_once (api_get_path(LIBRARY_PATH) . "fileUpload.lib.php");
 $added_slash = (substr($cur_dir_path, -1, 1) == '/') ? '' : '/';
+ $directory =disable_dangerous_file($_POST['new_dir']);
 $directory =replace_accents($_POST['new_dir']);
 $dir_name = $cur_dir_path . $added_slash . replace_dangerous_char($directory);
 $created_dir = create_unexisting_work_directory($base_work_dir, $dir_name);