[svn r21110] logic changes - improvements in security in exercice tool - (partial FS#4261)

skala
Isaac Flores 16 years ago
parent ea295745d0
commit fa945c9dfc
  1. 32
      main/exercice/exercice.php
  2. 8
      main/exercice/exercice_submit.php
  3. 2
      main/inc/lib/main_api.lib.php

@ -1,5 +1,5 @@
<?php
// $Id: exercice.php 20982 2009-05-25 22:49:12Z aportugal $
// $Id: exercice.php 21110 2009-05-30 17:33:08Z iflorespaz $
/*
==============================================================================
@ -38,8 +38,8 @@
$language_file = 'exercice';
// including the global library
require_once ('../inc/global.inc.php');
require_once ('../gradebook/lib/be.inc.php');
require_once '../inc/global.inc.php';
require_once '../gradebook/lib/be.inc.php';
// setting the tabs
$this_section = SECTION_COURSES;
@ -49,16 +49,16 @@ api_protect_course_script(true);
$show = (isset ($_GET['show']) && $_GET['show'] == 'result') ? 'result' : 'test'; // moved down to fix bug: http://www.dokeos.com/forum/viewtopic.php?p=18609#18609
// including additional libraries
require_once ('exercise.class.php');
require_once ('question.class.php');
require_once ('answer.class.php');
require_once (api_get_path(LIBRARY_PATH) . 'fileManage.lib.php');
require_once (api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php');
require_once ('hotpotatoes.lib.php');
require_once (api_get_path(LIBRARY_PATH) . 'document.lib.php');
include (api_get_path(LIBRARY_PATH) . 'mail.lib.inc.php');
include (api_get_path(LIBRARY_PATH) . 'usermanager.lib.php');
include_once (api_get_path(LIBRARY_PATH) . 'events.lib.inc.php');
require_once 'exercise.class.php';
require_once 'question.class.php';
require_once 'answer.class.php';
require_once api_get_path(LIBRARY_PATH) . 'fileManage.lib.php';
require_once api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php';
require_once 'hotpotatoes.lib.php';
require_once api_get_path(LIBRARY_PATH) . 'document.lib.php';
require_once api_get_path(LIBRARY_PATH) . 'mail.lib.inc.php';
require_once api_get_path(LIBRARY_PATH) . 'usermanager.lib.php';
require_once api_get_path(LIBRARY_PATH) . 'events.lib.inc.php';
/*
-----------------------------------------------------------
@ -135,8 +135,8 @@ if (empty ($exerciseId)) {
if (empty ($file)) {
$file = Database :: escape_string($_REQUEST['file']);
}
$learnpath_id = Database :: escape_string($_REQUEST['learnpath_id']);
$learnpath_item_id = Database :: escape_string($_REQUEST['learnpath_item_id']);
$learnpath_id = Database :: escape_string(Security::remove_XSS($_REQUEST['learnpath_id']));
$learnpath_item_id = Database :: escape_string(Security::remove_XSS($_REQUEST['learnpath_item_id']));
$page = Database :: escape_string($_REQUEST['page']);
if ($origin == 'learnpath') {
@ -147,7 +147,7 @@ if ($_GET['delete'] == 'delete' && ($is_allowedToEdit || api_is_coach()) && !emp
$sql = 'DELETE FROM ' . Database :: get_statistic_table(TABLE_STATISTIC_TRACK_E_EXERCICES) . ' WHERE exe_id = ' . $_GET['did']; //_GET[did] filtered by entry condition
api_sql_query($sql, __FILE__, __LINE__);
$filter=Security::remove_XSS($_GET['filter']);
header('Location: exercice.php?cidReq=' . htmlentities($_GET['cidReq']) . '&show=result&filter=' . $filter . '');
header('Location: exercice.php?cidReq=' . Security::remove_XSS($_GET['cidReq']) . '&show=result&filter=' . $filter . '');
exit;
}
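Review bot: The new `header('Location: …')` line still builds the query string by plain concatenation, and `Security::remove_XSS()` is an HTML-oriented filter, not URL encoding — a `cidReq` or `$filter` value containing `&`, `=`, `#` or spaces still changes the redirect target, exactly as with the `htmlentities()` it replaces. Encode both values for the URL context instead: `header('Location: exercice.php?cidReq=' . urlencode($_GET['cidReq']) . '&show=result&filter=' . urlencode($filter));`. On the unchanged DELETE line above it, `$_GET['did']` is concatenated straight into the SQL; the comment says it is filtered by the entry condition, but the visible tail of that condition (`!emp…`) looks like an `empty()` test rather than a numeric one — if exe_id is an integer, `(int) $_GET['did']` would remove the doubt. The same reasoning applies to `learnpath_id` and `learnpath_item_id` in the preceding hunk, where `Database::escape_string(Security::remove_XSS(...))` could be replaced by an integer cast if these are numeric ids, and `$_REQUEST['page']` on the line after them receives no filter at all.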

@ -1,5 +1,5 @@
<?php
// $Id: exercice_submit.php 21085 2009-05-29 17:38:35Z juliomontoya $
// $Id: exercice_submit.php 21110 2009-05-30 17:33:08Z iflorespaz $
/*
==============================================================================
@ -43,7 +43,7 @@
* @package dokeos.exercise
* @author Olivier Brouckaert
* @author Julio Montoya multiple fill in blank option added
* @version $Id: exercice_submit.php 21085 2009-05-29 17:38:35Z juliomontoya $
* @version $Id: exercice_submit.php 21110 2009-05-30 17:33:08Z iflorespaz $
*/
include ('exercise.class.php');
@ -92,10 +92,10 @@ if (empty ($origin)) {
$origin = $_REQUEST['origin'];
}
if (empty ($learnpath_id)) {
$learnpath_id = Database :: escape_string($_REQUEST['learnpath_id']);
$learnpath_id = Security::remove_XSS($_REQUEST['learnpath_id']);
}
if (empty ($learnpath_item_id)) {
$learnpath_item_id = Database :: escape_string($_REQUEST['learnpath_item_id']);
$learnpath_item_id = Security::remove_XSS($_REQUEST['learnpath_item_id']);
}
if (empty ($formSent)) {
$formSent = $_REQUEST['formSent'];
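Review bot: The two new `$learnpath_id` / `$learnpath_item_id` assignments replace `Database::escape_string()` with `Security::remove_XSS()` rather than wrapping it, so if these values reach a query later in this file (not visible here) the SQL escaping is lost — the parallel change to exercice.php in this same commit keeps both wrappers, so the two files now disagree. If they are numeric identifiers, `$learnpath_id = (int) $_REQUEST['learnpath_id'];` covers both concerns and matches how an id should enter SQL; otherwise keep the nesting used in exercice.php. The unchanged `$origin = $_REQUEST['origin'];` and `$formSent = $_REQUEST['formSent'];` lines in the same hunk take request values unfiltered; `$origin` in particular is compared against fixed strings such as 'learnpath' elsewhere, so reducing it to an allow-list of known values would be the natural check.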

@ -876,7 +876,7 @@ function api_add_url_param($url, $param, $filter_xss=true) {
$url = $url.'?'.$param;
}
if ($filter_xss === true) {
$url = Security::remove_XSS($url);
$url = Security::remove_XSS(urldecode($url));
}
return $url;
}
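Review bot: Passing `urldecode($url)` to `Security::remove_XSS()` changes what the function returns, not only what it inspects: the whole URL is decoded once before being returned, so a percent-encoded `&` or `=` inside a parameter value (`%26`, `%3D`) becomes a delimiter and `+` becomes a space, altering the URL's meaning for every caller that leaves `$filter_xss` at its default of true. If the intent is to catch payloads hidden behind percent-encoding, decode only the copy that is checked and keep returning the encoded form, or filter `$param` before it is appended on the `$url = $url.'?'.$param;` line above. The start of `api_add_url_param` lies outside the hunk.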
