Fix query error.

Replace replace_dangerous_char with api_replace_dangerous_char
1.10.x
Julio Montoya 11 years ago
parent 8b5f631ab3
commit dfb663ae83
  1. 35
      main/inc/lib/api.lib.php
  2. 2
      main/inc/lib/banner.lib.php
  3. 4
      main/inc/lib/document.lib.php
  4. 6
      main/inc/lib/extra_field_option.lib.php
  5. 2
      main/inc/lib/extra_field_value.lib.php
  6. 2
      main/inc/lib/fileManage.lib.php
  7. 10
      main/inc/lib/fileUpload.lib.php
  8. 2
      main/inc/lib/group_portal_manager.lib.php
  9. 2
      main/inc/lib/groupmanager.lib.php
  10. 8
      main/inc/lib/jpegcam/webcam_receiver.php
  11. 4
      main/inc/lib/nanogong/receiver.php
  12. 4
      main/inc/lib/pdf.lib.php
  13. 2
      main/inc/lib/svg-edit/extensions/savefile_config.php
  14. 2
      main/inc/lib/template.lib.php
  15. 2
      main/inc/lib/wami-recorder/record_document.php
  16. 2
      main/install/install.lib.php
  17. 6
      main/newscorm/aicc.class.php
  18. 8
      main/newscorm/learnpath.class.php
  19. 2
      main/newscorm/lp_admin_view.php
  20. 4
      main/newscorm/lp_list.php
  21. 6
      main/newscorm/lp_upload.php
  22. 4
      main/newscorm/openoffice_document.class.php
  23. 6
      main/newscorm/scorm.class.php
  24. 2
      main/tracking/courseLogCSV.php
  25. 2
      main/tracking/userlogCSV.php
  26. 2
      main/upload/upload.document.php
  27. 2
      main/wiki/wiki.inc.php
  28. 2
      main/work/downloadfolder.inc.php
  29. 14
      main/work/work.lib.php
  30. 2
      plugin/buycourses/src/inscription.php
  31. 2
      tests/main/inc/lib/events.lib.inc.test.php
  32. 90
      tests/main/inc/lib/internationalization.lib.test.php
  33. 4
      tests/main/inc/lib/main_api.lib.test.php

@ -1349,6 +1349,7 @@ function _api_format_user($user, $add_password = false)
}
$result['complete_name'] = api_get_person_name($firstname, $lastname);
$result['complete_name_with_username'] = $result['complete_name'];
if (!empty($user['username'])) {
@ -1389,12 +1390,12 @@ function _api_format_user($user, $add_password = false)
}
$user_id = intval($user['user_id']);
$result['user_id'] = $user_id;
$saveUserLastLogin = api_get_configuration_value('save_user_last_login');
if (isset($_configuration['save_user_last_login']) &&
$_configuration['save_user_last_login']
) {
if ($saveUserLastLogin) {
$last_login = $user['last_login'];
} else {
if (!isset($user['lastLogin']) && !isset($user['last_login'])) {
$timestamp = Tracking::get_last_connection_date($result['user_id'], false, true);
// Convert the timestamp back into a datetime
@ -1482,6 +1483,7 @@ function api_get_user_info($user_id = '', $check_if_user_is_online = false, $sho
// @todo trigger an exception here
return false;
}
$sql = "SELECT * FROM ".Database :: get_main_table(TABLE_MAIN_USER)."
WHERE id='".intval($user_id)."'";
$result = Database::query($sql);
@ -1502,6 +1504,7 @@ function api_get_user_info($user_id = '', $check_if_user_is_online = false, $sho
$result_array['user_is_online_in_chat'] = $user_online_in_chat;
}
$user = _api_format_user($result_array, $show_password);
return $user;
}
return false;
@ -1709,6 +1712,11 @@ function api_get_course_info($course_code = null, $strict = false)
if (!empty($course_code)) {
$course_code = Database::escape_string($course_code);
$courseId = api_get_course_int_id($course_code);
if (empty($courseId)) {
return array();
}
$course_table = Database::get_main_table(TABLE_MAIN_COURSE);
$course_cat_table = Database::get_main_table(TABLE_MAIN_CATEGORY);
$sql = "SELECT course.*, course_category.code faCode, course_category.name faName
@ -1717,17 +1725,20 @@ function api_get_course_info($course_code = null, $strict = false)
ON course.category_code = course_category.code
WHERE course.id = $courseId";
$result = Database::query($sql);
$_course = array();
$courseInfo = array();
if (Database::num_rows($result) > 0) {
$course_data = Database::fetch_array($result);
$_course = api_format_course_array($course_data);
$data = Database::fetch_array($result);
$courseInfo = api_format_course_array($data);
}
return $_course;
return $courseInfo;
}
global $_course;
if ($_course == '-1') {
$_course = array();
}
return $_course;
}
@ -5598,8 +5609,10 @@ function api_is_element_in_the_session($tool, $element_id, $session_id = null) {
* @return string The cleaned filename.
*/
function replace_dangerous_char($filename, $strict = 'loose')
function api_replace_dangerous_char($filename, $strict = 'loose')
{
return URLify::filter($filename, 250);
/*
// Safe replacements for some non-letter characters.
static $search = array(',', "\0", ' ', "\t", "\n", "\r", "\x0B", '/', "\\", '"', "'", '?', '*', '>', '<', '|', ':', '$', '(', ')', '^', '[', ']', '#', '+', '&', '%');
static $replace = array('_', '', '_', '_', '_', '_', '_', '-', '-', '-', '_', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-');
@ -5633,7 +5646,7 @@ function replace_dangerous_char($filename, $strict = 'loose')
$filename = substr($filename, 0, -$extension_len);
return substr($filename, 0, 250 - $extension_len).$extension;
}
return substr($filename, 0, 250);
return substr($filename, 0, 250);*/
}
/**
@ -6531,7 +6544,7 @@ function api_get_home_path() {
$access_url_id = api_get_current_access_url_id();
$url_info = api_get_access_url($access_url_id);
$url = api_remove_trailing_slash(preg_replace('/https?:\/\//i', '', $url_info['url']));
$clean_url = replace_dangerous_char($url);
$clean_url = api_replace_dangerous_char($url);
$clean_url = str_replace('/', '-', $clean_url);
$clean_url .= '/';
// if $clean_url == "localhost/" means that the multiple URL was not well configured we don't rename the $home variable
@ -7731,7 +7744,7 @@ function api_create_protected_dir($name, $parentDirectory)
return false;
}
$fullPath = $parentDirectory . replace_dangerous_char($name);
$fullPath = $parentDirectory . api_replace_dangerous_char($name);
if (mkdir($fullPath, api_get_permissions_for_new_directories(), true)) {
$fp = fopen($fullPath . '/index.html', 'w');
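Review bot: The new body at `return URLify::filter($filename, 250);` drops the extension-preserving logic the old implementation had (the commented-out tail still shows it splitting off and re-appending `$extension`), and with only two arguments URLify's file-name mode is presumably off, so the dot in `report.pdf` would be stripped with every other non-word character — confirm against the bundled URLify, and if so call `URLify::filter($filename, 250, '', true)` so extensions survive for the upload, zip and download callers renamed in this commit. The `$strict` parameter is now silently ignored although most call sites still pass `'strict'`; either honour it or say so in the docblock, e.g. `@param string $strict Ignored since the switch to URLify; kept for backward compatibility.` A filename that is entirely stripped presumably comes back as an empty string, and callers such as `api_create_protected_dir` concatenate the result into a path unchecked, so a guard like `if ($cleaned === '' || $cleaned === '.' || $cleaned === '..') { $cleaned = '_'; }` before returning is worth adding. The old body should be deleted rather than left under `/* ... */`.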

@ -388,7 +388,7 @@ function return_menu() {
if ($access_url_id != -1) {
$url_info = api_get_access_url($access_url_id);
$url = api_remove_trailing_slash(preg_replace('/https?:\/\//i', '', $url_info['url']));
$clean_url = replace_dangerous_char($url);
$clean_url = api_replace_dangerous_char($url);
$clean_url = str_replace('/', '-', $clean_url);
$clean_url .= '/';
$homep = api_get_path(SYS_PATH).'home/'.$clean_url; //homep for Home Path

@ -319,7 +319,7 @@ class DocumentManager
if (!is_file($full_file_name)) {
return false;
}
$filename = ($name == '') ? basename($full_file_name) : replace_dangerous_char($name);
$filename = ($name == '') ? basename($full_file_name) : api_replace_dangerous_char($name);
$len = filesize($full_file_name);
// Fixing error when file name contains a ","
$filename = str_replace(',', '', $filename);
@ -4571,7 +4571,7 @@ class DocumentManager
$title = get_lang('DefaultCertificate');
$comment = null;
$fileName = replace_dangerous_char($title);
$fileName = api_replace_dangerous_char($title);
$filePath = api_get_path(SYS_COURSE_PATH) . "{$courseData['path']}/document{$dir}";
$fileFullPath = "{$filePath}/{$fileName}.html";
$fileSize = 0;

@ -131,8 +131,7 @@ class ExtraFieldOption extends Model
$optionInfo = self::get_field_option_by_field_and_option($params['field_id'], $params['option_value']);
// Use URLify only for new items
//$optionValue = URLify::filter($params['option_value']);
$optionValue = replace_dangerous_char($params['option_value']);
$optionValue = api_replace_dangerous_char($params['option_value']);
$option = $params['option_value'];
if ($optionInfo == false) {
@ -144,6 +143,7 @@ class ExtraFieldOption extends Model
'option_order' => $order,
'tms' => api_get_utc_datetime(),
);
return parent::save($new_params, $show_query);
}
@ -244,7 +244,7 @@ class ExtraFieldOption extends Model
foreach ($list as $option) {
$option_info = self::get_field_option_by_field_and_option($field_id, $option);
// Use URLify only for new items
$optionValue = replace_dangerous_char($option);
$optionValue = api_replace_dangerous_char($option);
$option = trim($option);
if ($option_info == false) {

@ -216,7 +216,7 @@ class ExtraFieldValue extends Model
break;
}
$cleanedName = replace_dangerous_char($value['name']);
$cleanedName = api_replace_dangerous_char($value['name']);
$fileName = ExtraField::FIELD_TYPE_FILE . "_{$params[$this->handler_id]}_$cleanedName";
if (!file_exists($sysCodePath . $fileDir)) {

@ -163,7 +163,7 @@ function my_rename($file_path, $new_file_name) {
$path = dirname($file_path);
$old_file_name = basename($file_path);
$new_file_name = replace_dangerous_char($new_file_name);
$new_file_name = api_replace_dangerous_char($new_file_name);
// If no extension, take the old one
if ((strpos($new_file_name, '.') === false) && ($dotpos = strrpos($old_file_name, '.'))) {

@ -260,7 +260,7 @@ function handle_uploaded_document(
return false;
} else {
// Clean up the name, only ASCII characters should stay. (and strict)
$cleanName = replace_dangerous_char($uploadedFile['name'], 'strict');
$cleanName = api_replace_dangerous_char($uploadedFile['name'], 'strict');
// No "dangerous" files
$cleanName = disable_dangerous_file($cleanName);
@ -880,7 +880,7 @@ function treat_uploaded_file($uploaded_file, $base_work_dir, $upload_path, $max_
$file_name = trim($uploaded_file['name']);
// CHECK FOR NO DESIRED CHARACTERS
$file_name = replace_dangerous_char($file_name, 'strict');
$file_name = api_replace_dangerous_char($file_name, 'strict');
// TRY TO ADD AN EXTENSION TO FILES WITOUT EXTENSION
$file_name = add_ext_on_mime($file_name, $uploaded_file['type']);
@ -988,7 +988,7 @@ function unzip_uploaded_file($uploaded_file, $upload_path, $base_work_dir, $max_
$filetype = 'file';
if (is_dir($base_work_dir.$upload_path.'/'.$file)) $filetype = 'folder';
$safe_file = replace_dangerous_char($file, 'strict');
$safe_file = api_replace_dangerous_char($file, 'strict');
@rename($base_work_dir.$upload_path.'/'.$file,$base_work_dir.$upload_path.'/'.$safe_file);
set_default_settings($upload_path, $safe_file,$filetype);
}
@ -1106,7 +1106,7 @@ function clean_up_files_in_zip($p_event, &$p_header)
* @param string $path
* @return $path
* @see disable_dangerous_file()
* @see replace_dangerous_char()
* @see api_replace_dangerous_char()
*/
function clean_up_path(&$path)
{
@ -1116,7 +1116,7 @@ function clean_up_path(&$path)
foreach ($path_array as $key => & $val) {
// We don't want to lose the dots in ././folder/file (cfr. zipfile)
if ($val != '.') {
$val = disable_dangerous_file(replace_dangerous_char($val));
$val = disable_dangerous_file(api_replace_dangerous_char($val));
}
}
// Join the "cleaned" path (modified in-place as passed by reference)

@ -906,7 +906,7 @@ class GroupPortalManager
$filename = in_array($old_extension, $allowed_types) ? substr($old_file, 0, -strlen($old_extension)) : $old_file;
$filename = (substr($filename, -1) == '.') ? $filename.$extension : $filename.'.'.$extension;
} else {
$filename = replace_dangerous_char($filename);
$filename = api_replace_dangerous_char($filename);
if (PREFIX_IMAGE_FILENAME_WITH_UID) {
$filename = uniqid('').'_'.$filename;
}

@ -199,7 +199,7 @@ class GroupManager
$sql = "UPDATE $table_group SET id = iid WHERE iid = $lastId";
Database::query($sql);
$desired_dir_name= '/'.replace_dangerous_char($name,'strict').'_groupdocs';
$desired_dir_name= '/'.api_replace_dangerous_char($name,'strict').'_groupdocs';
$my_path = api_get_path(SYS_COURSE_PATH) . $currentCourseRepository . '/document';
$newFolderData = create_unexisting_directory(

@ -25,13 +25,13 @@ if ($webcamuserid!= api_get_user_id() || api_get_user_id()==0 || $webcamuserid==
api_not_allowed();
die();
}
//clean
$webcamname = Security::remove_XSS($webcamname);
$webcamname = Database::escape_string($webcamname);
$webcamname = addslashes(trim($webcamname));
$webcamname = replace_dangerous_char($webcamname, 'strict');
$webcamname = api_replace_dangerous_char($webcamname, 'strict');
$webcamname = disable_dangerous_file($webcamname);
$webcamdir = Security::remove_XSS($webcamdir);
@ -54,8 +54,8 @@ $groupId=$_SESSION['_gid'];
$webcamname_to_save=$webcamname;
$title_to_save=str_replace('_',' ',$webcamname);
$webcamname_noex=basename($webcamname, ".jpg");
if (file_exists($saveDir.'/'.$webcamname_noex.'.'.$ext)){
$i = 1;
if (file_exists($saveDir.'/'.$webcamname_noex.'.'.$ext)){
$i = 1;
while (file_exists($saveDir.'/'.$webcamname_noex.'_'.$i.'.'.$ext)) $i++;
$webcamname_to_save = $webcamname_noex . '_' . $i . '.'.$ext;
$title_to_save = $webcamname_noex . '_' . $i . '.'.$ext;

@ -42,7 +42,7 @@ $_course = api_get_course_info($course_code);
$filename = trim($_GET['filename']);
$filename = Security::remove_XSS($filename);
$filename = Database::escape_string($filename);
$filename = replace_dangerous_char($filename, $strict = 'loose'); // or strict
$filename = api_replace_dangerous_char($filename, $strict = 'loose'); // or strict
$filename = disable_dangerous_file($filename);
$title = trim(str_replace('_chnano_.', '.', $filename)); //hide nanogong wav tag at title
@ -81,4 +81,4 @@ if (!file_exists($documentPath)) {
);
} else {
return get_lang('FileExistRename');
}
}

@ -335,7 +335,7 @@ class PDF
if (empty($pdf_name)) {
$output_file = 'pdf_'.date('Y-m-d-his').'.pdf';
} else {
$pdf_name = replace_dangerous_char($pdf_name);
$pdf_name = api_replace_dangerous_char($pdf_name);
$output_file = $pdf_name.'.pdf';
}
// F to save the pdf in a file
@ -443,7 +443,7 @@ class PDF
if (empty($pdf_name)) {
$output_file = 'pdf_'.date('Y-m-d-his').'.pdf';
} else {
$pdf_name = replace_dangerous_char($pdf_name);
$pdf_name = api_replace_dangerous_char($pdf_name);
$output_file = $pdf_name.'.pdf';
}
$this->pdf->Output($output_file, $outputMode); // F to save the pdf in a file

@ -68,7 +68,7 @@ $saveDir=$dirBaseDocuments.$_SESSION['draw_dir'];
$filename = addslashes(trim($filename));
$filename = Security::remove_XSS($filename);
$filename = replace_dangerous_char($filename, 'strict');
$filename = api_replace_dangerous_char($filename, 'strict');
$filename = disable_dangerous_file($filename);
// a bit extension

@ -766,7 +766,7 @@ class Template
if ($access_url_id != -1) {
$url_info = api_get_access_url($access_url_id);
$url = api_remove_trailing_slash(preg_replace('/https?:\/\//i', '', $url_info['url']));
$clean_url = replace_dangerous_char($url);
$clean_url = api_replace_dangerous_char($url);
$clean_url = str_replace('/', '-', $clean_url);
$clean_url .= '/';
$homep = api_get_path(REL_PATH).'home/'.$clean_url; //homep for Home Path

@ -29,7 +29,7 @@ if ($wamiuserid != api_get_user_id() || api_get_user_id() == 0 || $wamiuserid ==
// Clean
$waminame = Security::remove_XSS($waminame);
$waminame = Database::escape_string($waminame);
$waminame = replace_dangerous_char($waminame, 'strict');
$waminame = api_replace_dangerous_char($waminame, 'strict');
$waminame = disable_dangerous_file($waminame);
$wamidir = Security::remove_XSS($wamidir);
$content = file_get_contents('php://input');

@ -1397,7 +1397,7 @@ function display_database_settings_form(
//Database Name fix replace weird chars
if ($installType != INSTALL_TYPE_UPDATE) {
$dbNameForm = str_replace(array('-','*', '$', ' ', '.'), '', $dbNameForm);
$dbNameForm = replace_dangerous_char($dbNameForm);
$dbNameForm = api_replace_dangerous_char($dbNameForm);
}
displayDatabaseParameter(

@ -352,7 +352,7 @@ class aicc extends learnpath
if ($this->debug > 0) { error_log('New LP - aicc::import_package() - Zip file path = '.$zip_file_path.', zip file name = '.$zip_file_name, 0); }
$course_rel_dir = api_get_course_path().'/scorm'; // Scorm dir web path starting from /courses
$course_sys_dir = api_get_path(SYS_COURSE_PATH).$course_rel_dir; // The absolute system path of this course.
$current_dir = replace_dangerous_char(trim($current_dir), 'strict'); // Current dir we are in, inside scorm/
$current_dir = api_replace_dangerous_char(trim($current_dir), 'strict'); // Current dir we are in, inside scorm/
if ($this->debug > 0) { error_log('New LP - aicc::import_package() - Current_dir = '.$current_dir, 0); }
//$uploaded_filename = $_FILES['userFile']['name'];
@ -365,7 +365,7 @@ class aicc extends learnpath
$this->zipname = $file_base_name; // Save for later in case we don't have a title.
if ($this->debug > 0) { error_log('New LP - aicc::import_package() - Base file name is : '.$file_base_name, 0); }
$new_dir = replace_dangerous_char(trim($file_base_name),'strict');
$new_dir = api_replace_dangerous_char(trim($file_base_name),'strict');
$this->subdir = $new_dir;
if($this->debug > 0) { error_log('New LP - aicc::import_package() - Subdir is first set to : '.$this->subdir, 0); }
@ -514,7 +514,7 @@ class aicc extends learnpath
if (is_dir($course_sys_dir.$new_dir.$file)) $filetype = 'folder';
// TODO: RENAMING FILES CAN BE VERY DANGEROUS AICC-WISE, avoid that as much as possible!
//$safe_file = replace_dangerous_char($file, 'strict');
//$safe_file = api_replace_dangerous_char($file, 'strict');
$find_str = array('\\', '.php', '.phtml');
$repl_str = array('/', '.txt', '.txt');
$safe_file = str_replace($find_str, $repl_str, $file);

@ -5943,7 +5943,7 @@ class learnpath
// Creating LP folder
if ($folder) {
//Limits title size
$title = api_substr(replace_dangerous_char($lp_name), 0 , 80);
$title = api_substr(api_replace_dangerous_char($lp_name), 0 , 80);
$dir = $dir.$title;
$filepath = api_get_path(SYS_COURSE_PATH) . $course['path'] . '/document';
if (!is_dir($filepath.'/'.$dir)) {
@ -6009,9 +6009,9 @@ class learnpath
$dir = '/';
}
// stripslashes() before calling replace_dangerous_char() because $_POST['title']
// stripslashes() before calling api_replace_dangerous_char() because $_POST['title']
// is already escaped twice when it gets here.
$title = replace_dangerous_char(stripslashes($_POST['title']));
$title = api_replace_dangerous_char(stripslashes($_POST['title']));
$title = disable_dangerous_file($title);
$filename = $title;
@ -9673,7 +9673,7 @@ EOD;
$res = unlink($file);
if ($res === false) { error_log('Could not delete temp file '.$file.' '.__FILE__.' '.__LINE__, 0); }
}
$name = replace_dangerous_char($this->get_name()).'.zip';
$name = api_replace_dangerous_char($this->get_name()).'.zip';
DocumentManager::file_send_for_download($temp_zip_file, true, $name);
}

@ -119,7 +119,7 @@ if (isset($_POST['save_audio'])) {
// Add extension to files without one (if possible).
$file_name = add_ext_on_mime($file_name, $_FILES[$key]['type']);
$clean_name = replace_dangerous_char($file_name);
$clean_name = api_replace_dangerous_char($file_name);
// No "dangerous" files.
$clean_name = disable_dangerous_file($clean_name);

@ -9,7 +9,7 @@
* @package chamilo.learnpath
* @author Yannick Warnier <ywarnier@beeznest.org>
*/
use \ChamiloSession as Session;
use ChamiloSession as Session;
$this_section = SECTION_COURSES;
//@todo who turns on $lp_controller_touched?
@ -378,7 +378,7 @@ if (!empty($flat_list)) {
} elseif ($details['lp_type'] == 2) {
$dsp_disk = Display::url(
Display::return_icon('cd.gif', get_lang('Export'), array(), ICON_SIZE_SMALL),
api_get_self()."?".api_get_cidreq()."&action=export&lp_id=$id&export_name=".replace_dangerous_char($name, 'strict').".zip"
api_get_self()."?".api_get_cidreq()."&action=export&lp_id=$id&export_name=".api_replace_dangerous_char($name, 'strict').".zip"
);
} else {
$dsp_disk = Display::return_icon('cd_gray.gif', get_lang('Export'), array(), ICON_SIZE_SMALL);

@ -14,7 +14,7 @@ $course_sys_dir = api_get_path(SYS_COURSE_PATH).$course_dir;
if (empty($_POST['current_dir'])) {
$current_dir = '';
} else {
$current_dir = replace_dangerous_char(trim($_POST['current_dir']), 'strict');
$current_dir = api_replace_dangerous_char(trim($_POST['current_dir']), 'strict');
}
$uncompress = 1;
@ -43,7 +43,7 @@ if (isset($_POST) && $is_error) {
$extension = $info['extension'];
$file_base_name = str_replace('.'.$extension, '', $filename);
$new_dir = replace_dangerous_char(trim($file_base_name), 'strict');
$new_dir = api_replace_dangerous_char(trim($file_base_name), 'strict');
$type = learnpath::get_package_type($_FILES['user_file']['tmp_name'], $_FILES['user_file']['name']);
$proximity = 'local';
@ -116,7 +116,7 @@ if (isset($_POST) && $is_error) {
$filename = $info['basename'];
$extension = $info['extension'];
$file_base_name = str_replace('.'.$extension, '', $filename);
$new_dir = replace_dangerous_char(trim($file_base_name), 'strict');
$new_dir = api_replace_dangerous_char(trim($file_base_name), 'strict');
$result = learnpath::verify_document_size($s);
if ($result == true) {

@ -53,7 +53,7 @@ abstract class OpenofficeDocument extends learnpath
$this->base_work_dir = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document';
///learning_path/ppt_dirname directory
$this->created_dir = substr($result['dir'], 0, strlen($result['dir']) -1);
$this->file_path = $this->created_dir.'/'.replace_dangerous_char($file['name'], 'strict');
$this->file_path = $this->created_dir.'/'.api_replace_dangerous_char($file['name'], 'strict');
//var_dump($this->file_name, $this->file_path, $this->base_work_dir, $this->created_dir);
@ -62,7 +62,7 @@ abstract class OpenofficeDocument extends learnpath
global $_course, $_user, $_configuration;
$this->file_name = (strrpos($file['name'], '.') > 0 ? substr($file['name'], 0, strrpos($file['name'], '.')) : $file['name']);
$this->file_name = replace_dangerous_char($this->file_name, 'strict');
$this->file_name = api_replace_dangerous_char($this->file_name, 'strict');
$this->file_name = strtolower($this->file_name);
$visio_dir = ($action_after_conversion == 'add_docs_to_visio') ? VIDEOCONF_UPLOAD_PATH : '';

@ -520,7 +520,7 @@ class scorm extends learnpath
}
$course_rel_dir = api_get_course_path().'/scorm'; // scorm dir web path starting from /courses
$course_sys_dir = api_get_path(SYS_COURSE_PATH).$course_rel_dir; // Absolute system path for this course.
$current_dir = replace_dangerous_char(trim($current_dir),'strict'); // Current dir we are in, inside scorm/
$current_dir = api_replace_dangerous_char(trim($current_dir),'strict'); // Current dir we are in, inside scorm/
if ($this->debug > 1) {
error_log( 'New LP - import_package() - current_dir = ' . $current_dir, 0);
@ -535,7 +535,7 @@ class scorm extends learnpath
$this->zipname = $file_base_name; // Save for later in case we don't have a title.
if ($this->debug > 1) { error_log("New LP - base file name is : ".$file_base_name, 0); }
$new_dir = replace_dangerous_char(trim($file_base_name),'strict');
$new_dir = api_replace_dangerous_char(trim($file_base_name),'strict');
$this->subdir = $new_dir;
if ($this->debug > 1) { error_log("New LP - subdir is first set to : ".$this->subdir, 0); }
@ -649,7 +649,7 @@ class scorm extends learnpath
}
// TODO: RENAMING FILES CAN BE VERY DANGEROUS SCORM-WISE, avoid that as much as possible!
//$safe_file = replace_dangerous_char($file, 'strict');
//$safe_file = api_replace_dangerous_char($file, 'strict');
$find_str = array('\\', '.php', '.phtml');
$repl_str = array('/', '.txt', '.txt');
$safe_file = str_replace($find_str, $repl_str, $file);

@ -397,7 +397,7 @@ if ($is_allowedToTrack) {
//header('Content-Type: application/force-download');
header('Content-length: ' . $len);
$filename = api_html_entity_decode(str_replace(":", "", str_replace(" ", "_", $title[0] . '_' . $title[1] . '.csv')));
$filename = replace_dangerous_char($filename);
$filename = api_replace_dangerous_char($filename);
if (preg_match("/MSIE 5.5/", $_SERVER['HTTP_USER_AGENT'])) {
header('Content-Disposition: filename= ' . $filename);
} else {

@ -321,7 +321,7 @@ if (($is_allowedToTrack || $is_allowedToTrackEverybodyInCourse)) {
str_replace(" ", "_", $title[0] . '_' . $title[1] . '.csv')
)
);
$filename = replace_dangerous_char($filename);
$filename = api_replace_dangerous_char($filename);
if (preg_match("/MSIE 5.5/", $_SERVER['HTTP_USER_AGENT'])) {
header('Content-Disposition: filename= ' . $filename);
} else {

@ -128,7 +128,7 @@ if (isset($_POST['submit_image'])) {
//they want to create a directory
if (isset($_POST['create_dir']) && $_POST['dirname']!='') {
$added_slash = ($path=='/')?'':'/';
$dir_name = $path.$added_slash.replace_dangerous_char($_POST['dirname']);
$dir_name = $path.$added_slash.api_replace_dangerous_char($_POST['dirname']);
$created_dir = create_unexisting_directory($_course,$_user['user_id'],api_get_session_id(), $to_group_id,$to_user_id,$base_work_dir,$dir_name,$_POST['dirname']);
if ($created_dir) {
Display::display_normal_message(get_lang('DirCr'));

@ -1747,7 +1747,7 @@ class Wiki
}
$exportDir = api_get_path(SYS_COURSE_PATH).api_get_course_path(). '/document'.$groupPath;
$exportFile = replace_dangerous_char($wikiTitle, 'strict') . $groupPart;
$exportFile = api_replace_dangerous_char($wikiTitle, 'strict') . $groupPart;
//$clean_wikiContents = trim(preg_replace("/\[\[|\]\]/", " ", $wikiContents));
//$array_clean_wikiContents= explode('|', $clean_wikiContents);

@ -178,7 +178,7 @@ while ($not_deleted_file = Database::fetch_assoc($query)) {
}
if (!empty($files)) {
$fileName = replace_dangerous_char($work_data['title']);
$fileName = api_replace_dangerous_char($work_data['title']);
// Logging
Event::event_download($fileName .'.zip (folder)');

@ -1255,7 +1255,7 @@ function updateDirName($work_data, $newPath)
$path = $work_data['url'];
$originalNewPath = Database::escape_string($newPath);
$newPath = Database::escape_string($newPath);
$newPath = replace_dangerous_char($newPath);
$newPath = api_replace_dangerous_char($newPath);
$newPath = disable_dangerous_file($newPath);
if ($oldPath == '/'.$newPath) {
@ -3558,7 +3558,7 @@ function addWorkComment($courseInfo, $userId, $parentWork, $work, $data)
if (!empty($workParent)) {
$uploadDir = api_get_path(SYS_COURSE_PATH).$courseInfo['path'].'/work'.$workParent['url'];
$newFileName = 'comment_'.$commentId.'_'.php2phps(
replace_dangerous_char($fileData['name'], 'strict')
api_replace_dangerous_char($fileData['name'], 'strict')
);
$newFilePath = $uploadDir.'/'.$newFileName;
$result = move_uploaded_file($fileData['tmp_name'], $newFilePath);
@ -3706,7 +3706,7 @@ function uploadWork($my_folder_data, $_course)
$filename = add_ext_on_mime(stripslashes($_FILES['file']['name']), $_FILES['file']['type']);
// Replace dangerous characters
$filename = replace_dangerous_char($filename, 'strict');
$filename = api_replace_dangerous_char($filename, 'strict');
// Transform any .php file in .phps fo security
$filename = php2phps($filename);
@ -3980,7 +3980,7 @@ function addDir($params, $user_id, $courseInfo, $group_id, $session_id)
$base_work_dir = api_get_path(SYS_COURSE_PATH).$courseInfo['path'].'/work';
$course_id = $courseInfo['real_id'];
$directory = replace_dangerous_char($params['new_dir']);
$directory = api_replace_dangerous_char($params['new_dir']);
$directory = disable_dangerous_file($directory);
$created_dir = create_unexisting_work_directory($base_work_dir, $directory);
@ -4924,7 +4924,7 @@ function exportAllWork($userId, $courseInfo, $format = 'pdf')
$pdf->content_to_pdf(
$content,
null,
replace_dangerous_char($userInfo['complete_name']),
api_replace_dangerous_char($userInfo['complete_name']),
$courseInfo['code']
);
}
@ -5059,7 +5059,7 @@ function exportAllStudentWorkFromPublication(
if (!empty($content)) {
$params = array(
'filename' => $workData['title'] . '_' . api_get_local_time(),
'pdf_title' => replace_dangerous_char($workData['title']),
'pdf_title' => api_replace_dangerous_char($workData['title']),
'course_code' => $courseInfo['code'],
'add_signatures' => false
);
@ -5126,7 +5126,7 @@ function downloadAllFilesPerUser($userId, $courseInfo)
}
// Start download of created file
$name = basename(replace_dangerous_char($userInfo['complete_name'])).'.zip';
$name = basename(api_replace_dangerous_char($userInfo['complete_name'])).'.zip';
Event::event_download($name.'.zip (folder)');
if (Security::check_abs_path($tempZipFile, api_get_path(SYS_ARCHIVE_PATH))) {
DocumentManager::file_send_for_download($tempZipFile, true, $name);

@ -176,7 +176,7 @@ if (api_is_multiple_url_enabled()) {
if ($access_url_id != -1) {
$url_info = api_get_access_url($access_url_id);
$url = api_remove_trailing_slash(preg_replace('/https?:\/\//i', '', $url_info['url']));
$clean_url = replace_dangerous_char($url);
$clean_url = api_replace_dangerous_char($url);
$clean_url = str_replace('/', '-', $clean_url);
$clean_url .= '/';
$home_old = api_get_path(SYS_PATH) . 'home/';

@ -74,7 +74,7 @@ class TestEvents extends UnitTestCase {
global $_configuration;
global $_user;
global $TABLETRACK_LOGIN;
$res=Event::event_login();
$res=Event::event_login(1);
$this->assertNull($res);
//var_dump($res);
}

@ -198,22 +198,6 @@ class TestInternationalization extends UnitTestCase {
//var_dump($res);
}
public function test_api_file_system_encode() {
$string = 'áéíóú@/\!?Ç´`+*?-_'; // UTF-8
$from_encoding = 'UTF-8';
$res = api_file_system_encode($string, $from_encoding);
$this->assertTrue(is_string($res));
//var_dump($res);
}
public function test_api_file_system_decode() {
$string='áéíóú@/\!?Ç´`+*?-_'; // UTF-8
$to_encoding = 'UTF-8';
$res = api_file_system_decode($string, $to_encoding);
$this->assertTrue(is_string($res));
//var_dump($res);
}
public function test_api_transliterate() {
$string = 'Фёдор Михайлович Достоевкий'; // UTF-8
/*
@ -489,16 +473,6 @@ class TestInternationalization extends UnitTestCase {
//var_dump($res);
}
public function test_api_preg_replace_callback() {
$pattern = '/иван/i'; // UTF-8
$subject = '-- Ivan (en) -- Иван (bg) -- иван --'; // UTF-8
$limit = -1;
$count = null;
$encoding = 'UTF-8';
$res = api_preg_replace_callback($pattern, create_function('$matches', 'return api_ucfirst($matches[0], \'UTF-8\');'), $subject, $limit, $count, $encoding);
$this->assertTrue($res == '-- Ivan (en) -- Иван (bg) -- Иван --'); // UTF-8
//var_dump($res);
}
public function test_api_preg_split() {
$pattern = '/иван/i'; // UTF-8
@ -560,22 +534,11 @@ class TestInternationalization extends UnitTestCase {
//var_dump($res);
}
public function test_api_split() {
$pattern = '[/.-]';
$string = '08/22/2009';
$limit = null;
$res = api_split($pattern, $string, $limit);
$this->assertTrue(is_array($res));
$this->assertTrue(count($res) == 3);
//var_dump($res);
}
/**
* ----------------------------------------------------------------------------
* String comparison
* ----------------------------------------------------------------------------
*/
/**
* ----------------------------------------------------------------------------
* String comparison
* ----------------------------------------------------------------------------
*/
public function test_api_strcasecmp() {
$string1 = 'áéíóu'; // UTF-8
@ -764,18 +727,6 @@ class TestInternationalization extends UnitTestCase {
//var_dump($res);
}
public function test_api_knatcasersort() {
$array = array('img2.png' => 'aíó', 'img10.png' => 'úéo', 'IMG12.PNG' => 'áed', 'IMG1.PNG' => 'áedc'); // UTF-8
$language = 'english';
$encoding = 'UTF-8';
$res = api_knatcasersort($array, $language, $encoding);
$keys = array_keys($array);
$this->assertTrue(is_bool($res));
$this->assertTrue($array[$keys[0]] == 'áed');
//var_dump($array);
//var_dump($res);
}
public function test_api_sort() {
$array = array('úéo', 'aíó', 'áed', 'áedc'); // UTF-8
$sort_flag = SORT_REGULAR;
@ -1285,37 +1236,6 @@ class TestInternationalization extends UnitTestCase {
//var_dump($res);
}
public function test_api_is_latin1_compatible() {
$language = 'portuguese';
$res = api_is_latin1_compatible($language);
$this->assertTrue(is_bool($res));
$this->assertTrue($res);
//var_dump($res);
}
/*
// This test works. It has been disabled, because it is time-consuming.
public function test_api_detect_language() {
$encoding = 'UTF-8';
$strings = $this->language_strings;
$is_test_ok = true;
foreach ($strings as $language => $string) {
if (api_is_language_supported($language)) {
$res = api_detect_language($string, $encoding);
$non_utf8_encoding = api_get_non_utf8_encoding($res);
if (!empty($non_utf8_encoding)) {
$is_ok = ($res == $language) || (api_is_encoding_supported($non_utf8_encoding) ? $string == api_utf8_encode(api_utf8_decode($string, $non_utf8_encoding), $non_utf8_encoding) : true);
} else {
$is_ok = true;
}
$is_test_ok = $is_test_ok && $is_ok;
echo ($is_ok ? '<span style="color: green; font-weight: bold;">Ok</span>' : '<span style="color: red; font-weight: bold;">Failed</span>').' '.$language.': '.$string.' => <strong>'.$res.'</strong><br />';
}
}
echo '<br />';
$this->assertTrue($is_test_ok);
}
*/
/*
// This test works. It has been disabled, because it is time-consuming.

@ -1,6 +1,6 @@
<?php
use \ChamiloSession as Session;
use ChamiloSession as Session;
require_once(api_get_path(LIBRARY_PATH).'course.lib.php');
@ -700,7 +700,7 @@ class TestMainApi extends UnitTestCase {
$filename =ereg_replace("\.+$", "", substr(strtr(ereg_replace(
"[^!-~\x80-\xFF]", "_", trim($filename)), '\/:*?"<>|\'',
/*Keep C1 controls for UTF-8 streams **/ '-----_---_'), 0, 250));
$res = replace_dangerous_char($filename, $strict = 'loose');
$res = api_replace_dangerous_char($filename, $strict = 'loose');
$this->assertEqual($res,$filename, $message = 'no se pudo');
}
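Review bot: The renamed call `api_replace_dangerous_char($filename, $strict = 'loose')` is still compared with `assertEqual($res, $filename)` against an expectation built by the old `ereg_replace`/`strtr` rules, which keep dots and letter case; if the new URLify-based implementation lowercases or strips dots, this assertion will fail for any fixture containing an extension or an uppercase letter, so the expected value should be recomputed for the new semantics (the fixture and the enclosing test method start above this hunk). The `$strict = 'loose'` assignment inside the argument list only creates an unused local and reads as if the parameter were named; passing `'loose'` directly is clearer.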
