Clean $type parameter + clean, check_abs_path removes folder references

#security

main/document/download_uploaded_files.php

@@ -16,6 +16,8 @@ $courseInfo = api_get_course_info($courseCode);
 if (empty($courseInfo)) {
     $courseInfo = api_get_course_info();
 }
+$type = preg_replace("/[^a-zA-Z]+/", '', $type);
+
 if (empty($courseInfo) || empty($type) || empty($file)) {
     api_not_allowed(true);
 }

main/inc/lib/security.lib.php

@@ -58,6 +58,8 @@ class Security
             return false;
         }
 
+        // Clean $abs_path.
+        $abs_path = str_replace(['//', '../', './'], ['/', '', ''], $abs_path);
         $true_path = str_replace("\\", '/', realpath($abs_path));
         $checker_path = str_replace("\\", '/', realpath($checker_path));