[svn r21106] logic changes - security improvements in the document tool - (partial FS#3909)

skala
Isaac Flores 16 years ago
parent 0e4227493e
commit e52e052704
  1. 14
      main/document/create_document.php
  2. 10
      main/document/document.inc.php
  3. 56
      main/document/document.php
  4. 6
      main/document/document_slideshow.inc.php
  5. 10
      main/document/download.php
  6. 29
      main/document/edit_document.php
  7. 2
      main/document/footerpage.php
  8. 45
      main/document/headerpage.php
  9. 8
      main/document/quota.php
  10. 8
      main/document/showinframes.php
  11. 20
      main/document/upload.php

@ -1,4 +1,4 @@
<?php // $Id: create_document.php 20794 2009-05-18 18:00:36Z iflorespaz $
<?php // $Id: create_document.php 21106 2009-05-30 16:25:16Z iflorespaz $
/*
==============================================================================
@ -186,11 +186,11 @@ function InnerDialogLoaded()
</script>';
include (api_get_path(LIBRARY_PATH).'fileUpload.lib.php');
include (api_get_path(LIBRARY_PATH).'document.lib.php');
include (api_get_path(LIBRARY_PATH).'groupmanager.lib.php');
include (api_get_path(LIBRARY_PATH).'events.lib.inc.php');
include (api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php');
require_once api_get_path(LIBRARY_PATH).'fileUpload.lib.php';
require_once api_get_path(LIBRARY_PATH).'document.lib.php';
require_once api_get_path(LIBRARY_PATH).'groupmanager.lib.php';
require_once api_get_path(LIBRARY_PATH).'events.lib.inc.php';
require_once api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php';
$nameTools = get_lang('CreateDocument');
$fck_attribute['Width'] = '100%';
@ -210,7 +210,7 @@ if(!api_is_allowed_to_edit()) {
Constants and variables
-----------------------------------------------------------
*/
$dir = isset($_GET['dir']) ? $_GET['dir'] : $_POST['dir']; // please do not modify this dirname formatting
$dir = isset($_GET['dir']) ? Security::remove_XSS($_GET['dir']) : Security::remove_XSS($_POST['dir']); // please do not modify this dirname formatting
/*
==============================================================================
MAIN CODE
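Review bot: At the new `$dir` assignment, Security::remove_XSS() is an HTML-output filter and does not neutralize `..` segments, so whatever directory operation consumes `$dir` further down (outside this hunk) remains reachable with a traversal string; it also rewrites the value, which sits uneasily with the inline comment asking not to modify the dirname formatting. Take the raw value with a safe fallback and reject traversal before use, e.g. `$dir = isset($_GET['dir']) ? $_GET['dir'] : (isset($_POST['dir']) ? $_POST['dir'] : '/');` followed by `if (strpos($dir, '..') !== false) { api_not_allowed(); }`, and apply remove_XSS only where `$dir` is echoed into HTML. The fallback also removes the undefined-index notice the current ternary raises when neither parameter is present. Whether a later check already confines the path to the course directory cannot be seen from this hunk.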

@ -1,4 +1,4 @@
<?php // $Id: document.inc.php 20798 2009-05-18 18:13:25Z cvargas1 $
<?php // $Id: document.inc.php 21106 2009-05-30 16:25:16Z iflorespaz $
/*
==============================================================================
@ -310,19 +310,19 @@ function build_edit_icons($curdirpath,$type,$path,$visibility,$id,$is_template,$
$sort_params = array();
if( isset($_GET['column']))
{
$sort_params[] = 'column='.$_GET['column'];
$sort_params[] = 'column='.Security::remove_XSS($_GET['column']);
}
if( isset($_GET['page_nr']))
{
$sort_params[] = 'page_nr='.$_GET['page_nr'];
$sort_params[] = 'page_nr='.Security::remove_XSS($_GET['page_nr']);
}
if( isset($_GET['per_page']))
{
$sort_params[] = 'per_page='.$_GET['per_page'];
$sort_params[] = 'per_page='.Security::remove_XSS($_GET['per_page']);
}
if( isset($_GET['direction']))
{
$sort_params[] = 'direction='.$_GET['direction'];
$sort_params[] = 'direction='.Security::remove_XSS($_GET['direction']);
}
$sort_params = implode('&amp;',$sort_params);
$visibility_icon = ($visibility==0)?'invisible':'visible';
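Review bot: The four sort parameters on the new lines are passed through Security::remove_XSS() and then concatenated into a URL query string, a context where an HTML filter neither produces a well-formed query nor restricts the value to what the sorter accepts. `page_nr` and `per_page` (and `column`, presumably a numeric index here) should be cast, e.g. `$sort_params[] = 'page_nr='.(int)$_GET['page_nr'];`, and `direction` reduced to its two legal values, `$sort_params[] = 'direction='.(strtoupper($_GET['direction']) === 'DESC' ? 'DESC' : 'ASC');`. Casting also keeps the generated links free of characters that would otherwise need urlencode(). build_edit_icons continues outside this hunk.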

@ -1,4 +1,4 @@
<?php // $Id: document.php 20789 2009-05-18 16:54:06Z cfasanando $
<?php // $Id: document.php 21106 2009-05-30 16:25:16Z iflorespaz $
/*
==============================================================================
Dokeos - elearning and course management software
@ -66,19 +66,19 @@
$language_file[] = 'document';
$language_file[] = 'slideshow';
require("../inc/global.inc.php");
require_once "../inc/global.inc.php";
$this_section=SECTION_COURSES;
require('document.inc.php');
require_once 'document.inc.php';
require('../inc/lib/usermanager.lib.php');
require_once '../inc/lib/usermanager.lib.php';
api_protect_course_script(true);
//session
if(isset($_GET['id_session']))
$_SESSION['id_session'] = $_GET['id_session'];
$_SESSION['id_session'] = Security::remove_XSS($_GET['id_session']);
// Is the document tool visible?
// Check whether the tool is actually visible
@ -112,16 +112,11 @@ function confirmation (name)
//what's the current path?
//we will verify this a bit further down
if(isset($_GET['curdirpath']) && $_GET['curdirpath']!='')
{
$curdirpath = $_GET['curdirpath'];
}
elseif (isset($_POST['curdirpath']) && $_POST['curdirpath']!='')
{
$curdirpath = $_POST['curdirpath'];
}
else
{
if(isset($_GET['curdirpath']) && $_GET['curdirpath']!='') {
$curdirpath = Security::remove_XSS($_GET['curdirpath']);
} elseif (isset($_POST['curdirpath']) && $_POST['curdirpath']!='') {
$curdirpath = Security::remove_XSS($_POST['curdirpath']);
} else {
$curdirpath = '/';
}
$curdirpathurl = urlencode($curdirpath);
@ -194,11 +189,11 @@ else
//the main_api.lib.php, database.lib.php and display.lib.php
//libraries are included by default
include_once(api_get_path(LIBRARY_PATH) . 'fileDisplay.lib.php');
include_once(api_get_path(LIBRARY_PATH) . 'events.lib.inc.php');
include_once(api_get_path(LIBRARY_PATH) . 'document.lib.php');
include_once(api_get_path(LIBRARY_PATH) . 'tablesort.lib.php');
include_once(api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php');
require_once api_get_path(LIBRARY_PATH) . 'fileDisplay.lib.php';
require_once api_get_path(LIBRARY_PATH) . 'events.lib.inc.php';
require_once api_get_path(LIBRARY_PATH) . 'document.lib.php';
require_once api_get_path(LIBRARY_PATH) . 'tablesort.lib.php';
require_once api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php';
//-----------------------------------------------------------
@ -239,8 +234,9 @@ $course_quota = DocumentManager::get_course_quota();
//-------------------------------------------------------------------//
if (isset($_GET['action']) && $_GET['action']=="download")
{
$my_get_id=Security::remove_XSS($_GET['id']);
//check if the document is in the database
if(!DocumentManager::get_document_id($_course,$_GET['id']))
if(!DocumentManager::get_document_id($_course,$my_get_id))
{
//file not found!
header('HTTP/1.0 404 Not Found');
@ -256,15 +252,15 @@ if (isset($_GET['action']) && $_GET['action']=="download")
exit;
}
// launch event
event_download($_GET['id']);
event_download($my_get_id);
// check visibility of document and paths
if (!($is_allowed_to_edit || $group_member_with_upload_rights) &&
!DocumentManager::is_visible($_GET['id'], $_course)){
!DocumentManager::is_visible($my_get_id, $_course)){
api_not_allowed();
}
$doc_url=$_GET['id'];
$doc_url=$my_get_id;
$full_file_name = $base_work_dir.$doc_url;
DocumentManager::file_send_for_download($full_file_name,true);
exit;
@ -368,22 +364,22 @@ if($is_allowed_to_edit || $group_member_with_upload_rights) // TEACHER ONLY
/*======================================
MOVE FILE OR DIRECTORY
======================================*/
$my_get_move=Security::remove_XSS($_GET['move']);
if (isset($_GET['move']) && $_GET['move']!='')
{
{
if (!$is_allowed_to_edit)
{
if(DocumentManager::check_readonly($_course,$_user['user_id'],$_GET['move']))
if(DocumentManager::check_readonly($_course,$_user['user_id'],$my_get_move))
{
api_not_allowed();
}
}
if(DocumentManager::get_document_id($_course,$_GET['move']))
if(DocumentManager::get_document_id($_course,$my_get_move))
{
$folders = DocumentManager::get_all_document_folders($_course,$to_group_id,$is_allowed_to_edit || $group_member_with_upload_rights);
echo '<div class="row"><div class="form_header">'.get_lang('Move').'</div></div>';
echo build_move_to_selector($folders,$_GET['curdirpath'],$_GET['move'],$group_properties['directory']);
echo build_move_to_selector($folders,Security::remove_XSS($_GET['curdirpath']),$my_get_move,$group_properties['directory']);
}
@ -393,7 +389,7 @@ if($is_allowed_to_edit || $group_member_with_upload_rights) // TEACHER ONLY
{
if (!$is_allowed_to_edit)
{
if(DocumentManager::check_readonly($_course,$_user['user_id'],$_GET['move']))
if(DocumentManager::check_readonly($_course,$_user['user_id'],$my_get_move))
{
api_not_allowed();
}
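Review bot: `$_SESSION['id_session']` is now set from Security::remove_XSS($_GET['id_session']), but if id_session is the numeric session key its name suggests, an HTML filter still lets arbitrary non-numeric strings through; `$_SESSION['id_session'] = (int) $_GET['id_session'];` pins the type for every later query that reads it (those reads are outside this hunk). In the move hunk, `$my_get_move = Security::remove_XSS($_GET['move']);` runs before the `isset($_GET['move'])` guard on the following line and so raises a notice on every request without that parameter; move the assignment inside the if. For the download action, note that confinement of `$full_file_name` still rests on get_document_id() finding the id in the course table rather than on remove_XSS(), which does nothing against `..`; the filter may also alter legitimate file names containing `&` or quotes so that the lookup fails and a 404 is returned for a real document.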

@ -1,4 +1,4 @@
<?php // $Id: document_slideshow.inc.php 16755 2008-11-15 19:50:44Z yannoo $
<?php // $Id: document_slideshow.inc.php 21106 2009-05-30 16:25:16Z iflorespaz $
/*
==============================================================================
Dokeos - elearning and course management software
@ -89,14 +89,14 @@ if ( count($all_files) > 0 )
}
}
$tablename_column = (isset($_GET['tablename_column'])?$_GET['tablename_column']:0);
$tablename_column = (isset($_GET['tablename_column'])? Security::remove_XSS($_GET['tablename_column']):0);
if($tablename_column==0){
$tablename_column=1;
}
else{
$tablename_column= intval($tablename_column)-1;
}
$tablename_direction = (isset($_GET['tablename_direction'])?$_GET['tablename_direction']:'ASC');
$tablename_direction = (isset($_GET['tablename_direction'])? Security::remove_XSS($_GET['tablename_direction']):'ASC');
$image_files_only = sort_files($array_to_search);
$_SESSION["image_files_only"] = $image_files_only;
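Review bot: `$tablename_direction` on the new line is only HTML-filtered, whereas `$tablename_column` is at least cast with intval() a few lines below; a sort direction has two legal values, so whitelist it instead of sanitizing it: `$tablename_direction = (isset($_GET['tablename_direction']) && strtoupper($_GET['tablename_direction']) === 'DESC') ? 'DESC' : 'ASC';`. The remove_XSS() call on `$tablename_column` is redundant given the intval() that follows and can be dropped. Where the direction is consumed is outside this hunk, so whether a non-ASC/DESC value is harmful there cannot be confirmed from here.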

@ -1,4 +1,4 @@
<?php // $Id: download.php 20388 2009-05-07 12:38:12Z spyroux $
<?php // $Id: download.php 21106 2009-05-30 16:25:16Z iflorespaz $
/*
==============================================================================
Dokeos - elearning and course management software
@ -50,10 +50,10 @@
session_cache_limiter('none');
include('../inc/global.inc.php');
require_once '../inc/global.inc.php';
$this_section=SECTION_COURSES;
include(api_get_path(LIBRARY_PATH).'document.lib.php');
require_once api_get_path(LIBRARY_PATH).'document.lib.php';
$doc_url = $_GET['doc_url'];
//change the '&' that got rewritten to '///' by mod_rewrite back to '&'
@ -95,9 +95,9 @@ if (substr($refer_script,0,15) == "/fillsurvey.php") {
//mod_rewrite can change /some/path/ to /some/path// in some cases, so clean them all off (Ren<EFBFBD>)
while ($doc_url{$dul = strlen($doc_url)-1}=='/') $doc_url = substr($doc_url,0,$dul);
//group folder?
$gid_req = ($_GET['gidReq'])?'&gidReq='.$_GET['gidReq']:'';
$gid_req = ($_GET['gidReq'])?'&gidReq='.Security::remove_XSS($_GET['gidReq']):'';
//create the path
$document_explorer = api_get_path(WEB_CODE_PATH).'document/document.php?curdirpath='.urlencode($doc_url).'&cidReq='.$_GET['cidReq'].$gid_req;
$document_explorer = api_get_path(WEB_CODE_PATH).'document/document.php?curdirpath='.urlencode($doc_url).'&cidReq='.Security::remove_XSS($_GET['cidReq']).$gid_req;
//redirect
header('Location: '.$document_explorer);
}
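Review bot: On the new `$document_explorer` line the `cidReq` and `gidReq` values are emitted into a Location URL, a context where the right encoder is urlencode() — as the same line already does for `$doc_url` — rather than Security::remove_XSS(), which targets HTML and is not defined to escape URL metacharacters such as `&`, `#` or `=`. Use `'&gidReq='.urlencode($_GET['gidReq'])` and `'&cidReq='.urlencode($_GET['cidReq'])`. The `($_GET['gidReq'])` truthiness test on the preceding line still reads an undefined index when the parameter is absent; `!empty($_GET['gidReq'])` avoids the notice. `$doc_url` is taken raw at the top of the file and is only urlencoded here, so its handling between these two hunks is not reviewable from this excerpt.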

@ -1,4 +1,4 @@
<?php // $Id: edit_document.php 20794 2009-05-18 18:00:36Z iflorespaz $
<?php // $Id: edit_document.php 21106 2009-05-30 16:25:16Z iflorespaz $
/*
==============================================================================
Dokeos - elearning and course management software
@ -57,7 +57,7 @@ $language_file = 'document';
Included libraries
------------------------------------------------------------------------------
*/
include('../inc/global.inc.php');
require_once '../inc/global.inc.php';
// Template's javascript
$htmlHeadXtra[] = '
@ -110,13 +110,13 @@ function FCKeditor_OnComplete( editorInstance )
$_SESSION['whereami'] = 'document/create';
$this_section=SECTION_COURSES;
include(api_get_path(LIBRARY_PATH).'fileManage.lib.php');
include(api_get_path(LIBRARY_PATH).'fileUpload.lib.php');
include(api_get_path(LIBRARY_PATH).'events.lib.inc.php');
include(api_get_path(LIBRARY_PATH).'document.lib.php');
require_once api_get_path(LIBRARY_PATH).'fileManage.lib.php';
require_once api_get_path(LIBRARY_PATH).'fileUpload.lib.php';
require_once api_get_path(LIBRARY_PATH).'events.lib.inc.php';
require_once api_get_path(LIBRARY_PATH).'document.lib.php';
include_once(api_get_path(LIBRARY_PATH) . 'groupmanager.lib.php');
require_once(api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php');
require_once api_get_path(LIBRARY_PATH) . 'groupmanager.lib.php';
require_once api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php';
$fck_attribute['Width'] = '100%';
$fck_attribute['Height'] = '600';
@ -149,7 +149,7 @@ $file = $_GET['file'];
//echo('file: '.$file.'<br>');
$doc=basename($file);
//echo('doc: '.$doc.'<br>');
$dir=$_GET['curdirpath'];
$dir=Security::remove_XSS($_GET['curdirpath']);
//echo('dir: '.$dir.'<br>');
$file_name = $doc;
//echo('file_name: '.$file_name.'<br>');
@ -233,8 +233,8 @@ if(!empty($_SESSION['_gid']))
$group_document = true;
$noPHP_SELF=true;
}
$interbreadcrumb[]=array("url"=>"./document.php?curdirpath=".urlencode($_GET['curdirpath']).$req_gid, "name"=> get_lang('Documents'));
$my_cur_dir_path=Security::remove_XSS($_GET['curdirpath']);
$interbreadcrumb[]=array("url"=>"./document.php?curdirpath=".urlencode($my_cur_dir_path).$req_gid, "name"=> get_lang('Documents'));
$is_allowedToEdit = is_allowed_to_edit() || $_SESSION['group_member_with_upload_rights'];
@ -631,8 +631,9 @@ $owner_id = Database::result($rs,0,'insert_user_id');
if ($owner_id == $_user['user_id'] || api_is_platform_admin() || api_is_allowed_to_edit() || GroupManager :: is_user_in_group($_user['user_id'],$_SESSION['_gid'] ))
{
$action = api_get_self().'?sourceFile='.urlencode($file_name).'&curdirpath='.urlencode($_GET['curdirpath']).'&file='.urlencode($_GET['file']).'&doc='.urlencode($doc);
$get_cur_path=Security::remove_XSS($_GET['curdirpath']);
$get_file=Security::remove_XSS($_GET['file']);
$action = api_get_self().'?sourceFile='.urlencode($file_name).'&curdirpath='.urlencode($get_cur_path).'&file='.urlencode($get_file).'&doc='.urlencode($doc);
$form = new FormValidator('formEdit','post',$action);
// form title
@ -699,7 +700,7 @@ if ($owner_id == $_user['user_id'] || api_is_platform_admin() || api_is_allowed_
$defaults['filename'] = $filename;
$defaults['extension'] = $extension;
$defaults['file_path'] = $_GET['file'];
$defaults['file_path'] = Security::remove_XSS($_GET['file']);
$defaults['commentPath'] = $file;
$defaults['renameTo'] = $file_name;
$defaults['newComment'] = $oldComment;
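Review bot: `$_GET['file']` is filtered at two of its uses in this commit (`$get_file` and `$defaults['file_path']`) while the context line `$file = $_GET['file'];` at the top of the 149 hunk still takes it raw, and `$file` feeds `basename()`, `$defaults['commentPath']` and whatever the body outside these hunks does with it; filtering the copies but not the source leaves the unfiltered original in circulation. Sanitize once at the source, `$file = Security::remove_XSS($_GET['file']);`, and derive the later values from `$file`. Note also that remove_XSS() is an HTML filter: for the path uses (`$dir`, and `$file` if it is used to open or write the document outside these hunks) the relevant check is that the value contains no `..` and resolves under the course document directory, which no hunk here adds.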

@ -4,7 +4,7 @@
* @package dokeos.document
==============================================================================
*/
include('../inc/global.inc.php');
require_once '../inc/global.inc.php';
?>
<html>

@ -8,28 +8,27 @@
$language_file = 'document';
include('../inc/global.inc.php');
$noPHP_SELF=true;
$header_file= Security::remove_XSS($_GET['file']);
$path_array=explode('/',str_replace('\\','/',$header_file));
$path_array = array_map('urldecode',$path_array);
$header_file=implode('/',$path_array);
$nameTools = $header_file;
if(isset($_SESSION['_gid']) && $_SESSION['_gid']!='')
{
$req_gid = '&amp;gidReq='.$_SESSION['_gid'];
$interbreadcrumb[]= array ("url"=>"../group/group_space.php?gidReq=".$_SESSION['_gid'], "name"=> get_lang('GroupSpace'));
}
$interbreadcrumb[]= array ("url"=>"./document.php?curdirpath=".dirname($header_file).$req_gid, "name"=> $langDocuments);
$interbreadcrumb[]= array ("url"=>"showinframes.php?file=".$header_file, "name"=>$header_file);
Display::display_header(null,"Doc");
echo "<div align=\"center\">";
echo "<a href='".api_get_path('WEB_COURSE_PATH').$_course['path'].'/document'.$header_file."?".api_get_cidreq()."' target='blank'>".$lang_cut_paste_link."</a></div>";
require_once '../inc/global.inc.php';
$noPHP_SELF=true;
$header_file= Security::remove_XSS($_GET['file']);
$path_array=explode('/',str_replace('\\','/',$header_file));
$path_array = array_map('urldecode',$path_array);
$header_file=implode('/',$path_array);
$nameTools = $header_file;
if(isset($_SESSION['_gid']) && $_SESSION['_gid']!='') {
$req_gid = '&amp;gidReq='.$_SESSION['_gid'];
$interbreadcrumb[]= array ("url"=>"../group/group_space.php?gidReq=".$_SESSION['_gid'], "name"=> get_lang('GroupSpace'));
}
$interbreadcrumb[]= array ("url"=>"./document.php?curdirpath=".dirname($header_file).$req_gid, "name"=> $langDocuments);
$interbreadcrumb[]= array ("url"=>"showinframes.php?file=".$header_file, "name"=>$header_file);
Display::display_header(null,"Doc");
echo "<div align=\"center\">";
echo "<a href='".api_get_path('WEB_COURSE_PATH').$_course['path'].'/document'.$header_file."?".api_get_cidreq()."' target='blank'>".$lang_cut_paste_link."</a></div>";
?>
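Review bot: The order `Security::remove_XSS($_GET['file'])` followed by `array_map('urldecode', $path_array)` means the filter inspects the encoded form and urldecode() then restores whatever was encoded — `%3Cscript%3E` is likely to pass the filter and becomes `<script>` before `$header_file` is echoed into the breadcrumb name and the href on the last line. Decode first and filter the decoded string: keep the explode/urldecode steps on the raw `$_GET['file']` and replace the implode line with `$header_file = Security::remove_XSS(implode('/', $path_array));`. These lines are reformatted by the commit but not otherwise changed, so the ordering predates it; the href on the echo line is single-quoted, which remove_XSS() may or may not cover, so an htmlspecialchars() on `$header_file` at that echo would be the safer finish.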

@ -1,4 +1,4 @@
<?php // $Id: quota.php 20420 2009-05-08 20:11:57Z herodoto $
<?php // $Id: quota.php 21106 2009-05-30 16:25:16Z iflorespaz $
/*
==============================================================================
Dokeos - elearning and course management software
@ -34,11 +34,11 @@
$language_file = 'document';
// including the global dokeos file
include("../inc/global.inc.php");
require_once "../inc/global.inc.php";
// including additional libraries
include_once(api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php');
include_once(api_get_path(LIBRARY_PATH) . 'document.lib.php');
require_once api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php';
require_once api_get_path(LIBRARY_PATH) . 'document.lib.php';
// some constants and variables
$courseDir = $_course['path']."/document";

@ -1,4 +1,4 @@
<?php // $Id: showinframes.php 17403 2008-12-20 15:27:21Z herodoto $
<?php // $Id: showinframes.php 21106 2009-05-30 16:25:16Z iflorespaz $
/*
==============================================================================
Dokeos - elearning and course management software
@ -53,14 +53,14 @@
==============================================================================
*/
$language_file[] = 'document';
include('../inc/global.inc.php');
require_once '../inc/global.inc.php';
if (!empty($_GET['nopages']))
{
$nopages=Security::remove_XSS($_GET['nopages']);
if ($nopages==1)
{
require_once(api_get_path(INCLUDE_PATH) . 'reduced_header.inc.php');
require_once api_get_path(INCLUDE_PATH) . 'reduced_header.inc.php';
Display::display_error_message(get_lang('FileNotFound'));
}
exit();
@ -84,7 +84,7 @@ header('Last-Modified: Wed, 01 Jan 2100 00:00:00 GMT');
header('Cache-Control: no-cache, must-revalidate');
header('Pragma: no-cache');
$browser_display_title = "Dokeos Documents - " . $_GET['cidReq'] . " - " . $file;
$browser_display_title = "Dokeos Documents - " . Security::remove_XSS($_GET['cidReq']) . " - " . $file;
//only admins get to see the "no frames" link in pageheader.php, so students get a header that's not so high
$frameheight = 135;
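Review bot: `$browser_display_title` now filters `$_GET['cidReq']` but concatenates `$file` raw into the same string; if `$file` derives from `$_GET['file']` as it does in headerpage.php (its assignment is outside this hunk), the same filter — or better, htmlspecialchars() at the point the title is echoed — is needed on both operands, otherwise the new call protects only half of the value. Separately, `$nopages` is compared with `== 1` after remove_XSS(); since it is used only as a flag, `$nopages = (int) $_GET['nopages'];` is the tighter check and avoids PHP 5 loose-comparison oddities such as `'1abc' == 1` being true.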

@ -1,4 +1,4 @@
<?php // $Id: upload.php 20798 2009-05-18 18:13:25Z cvargas1 $
<?php // $Id: upload.php 21106 2009-05-30 16:25:16Z iflorespaz $
/*
==============================================================================
Dokeos - elearning and course management software
@ -59,15 +59,15 @@
$language_file = 'document';
// including the global Dokeos file
include("../inc/global.inc.php");
require_once "../inc/global.inc.php";
// including additional libraries
include_once(api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php');
include_once(api_get_path(LIBRARY_PATH) . 'events.lib.inc.php');
include_once(api_get_path(LIBRARY_PATH) . 'document.lib.php');
require_once(api_get_path(LIBRARY_PATH) . 'specific_fields_manager.lib.php');
require_once (api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php');
include('document.inc.php');
require_once api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php';
require_once api_get_path(LIBRARY_PATH) . 'events.lib.inc.php';
require_once api_get_path(LIBRARY_PATH) . 'document.lib.php';
require_once api_get_path(LIBRARY_PATH) . 'specific_fields_manager.lib.php';
require_once api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php';
require_once 'document.inc.php';
// adding extra javascript to the form
$htmlHeadXtra[] =
@ -324,8 +324,8 @@ if(isset($_FILES['user_upload']))
$courseid = api_get_course_id();
isset($_POST['language'])? $lang=Database::escape_string($_POST['language']): $lang = 'english';
require_once(api_get_path(LIBRARY_PATH).'search/DokeosIndexer.class.php');
require_once(api_get_path(LIBRARY_PATH).'search/IndexableChunk.class.php');
require_once api_get_path(LIBRARY_PATH).'search/DokeosIndexer.class.php';
require_once api_get_path(LIBRARY_PATH).'search/IndexableChunk.class.php';
$ic_slide = new IndexableChunk();
$ic_slide->addValue("title", $file_title);
