[svn r21101] logic changes - improvements in security in agenda tool - (partial FS#4261)

skala
Isaac Flores 17 years ago
parent 5db18576b6
commit fcea118f6b
  1. 12
      main/calendar/agenda.inc.php
  2. 31
      main/calendar/agenda.php
  3. 6
      main/calendar/calendar.php
  4. 11
      main/calendar/download.php
  5. 14
      main/calendar/ical_export.php
  6. 2
      main/calendar/print.php
  7. 23
      main/inc/lib/groupmanager.lib.php

@ -1,4 +1,4 @@
<?php //$Id: agenda.inc.php 20999 2009-05-26 20:38:01Z aportugal $
<?php //$Id: agenda.inc.php 21101 2009-05-30 14:56:54Z iflorespaz $
/* For licensing terms, see /dokeos_license.txt */
/*
==============================================================================
@ -283,8 +283,8 @@ function display_minimonthcalendar($agendaitems, $month, $year, $monthName)
$dayone = getdate(mktime(0, 0, 0, $month, 1, $year));
//Start the week on monday
$startdayofweek = $dayone['wday'] <> 0 ? ($dayone['wday'] - 1) : 6;
$backwardsURL = api_get_self()."?".api_get_cidreq()."&amp;coursePath=".(empty($_GET['coursePath'])?'':$_GET['coursePath'])."&amp;courseCode=".(empty($_GET['courseCode'])?'':$_GET['courseCode'])."&amp;month=". ($month == 1 ? 12 : $month -1)."&amp;year=". ($month == 1 ? $year -1 : $year);
$forewardsURL = api_get_self()."?".api_get_cidreq()."&amp;coursePath=".(empty($_GET['coursePath'])?'':$_GET['coursePath'])."&amp;courseCode=".(empty($_GET['courseCode'])?'':$_GET['courseCode'])."&amp;month=". ($month == 12 ? 1 : $month +1)."&amp;year=". ($month == 12 ? $year +1 : $year);
$backwardsURL = api_get_self()."?".api_get_cidreq()."&amp;coursePath=".(empty($_GET['coursePath'])?'':Security::remove_XSS($_GET['coursePath']))."&amp;courseCode=".(empty($_GET['courseCode'])?'':Security::remove_XSS($_GET['courseCode']))."&amp;month=". ($month == 1 ? 12 : $month -1)."&amp;year=". ($month == 1 ? $year -1 : $year);
$forewardsURL = api_get_self()."?".api_get_cidreq()."&amp;coursePath=".(empty($_GET['coursePath'])?'':Security::remove_XSS($_GET['coursePath']))."&amp;courseCode=".(empty($_GET['courseCode'])?'':Security::remove_XSS($_GET['courseCode']))."&amp;month=". ($month == 12 ? 1 : $month +1)."&amp;year=". ($month == 12 ? $year +1 : $year);
echo "<table class=\"data_table\">\n",
"<tr>\n",
@ -1460,11 +1460,11 @@ function display_student_links()
global $show;
if ($_SESSION['sort'] == 'DESC')
{
echo "<a href='".api_get_self()."?".api_get_cidreq()."&amp;sort=asc&amp;toolgroup=".Security::remove_XSS($_GET['toolgroup'])."&amp;origin=".$_GET['origin']."'>".Display::return_icon('calendar_up.gif',get_lang('AgendaSortChronologicallyUp')).' '.get_lang("AgendaSortChronologicallyUp")."</a> ";
echo "<a href='".api_get_self()."?".api_get_cidreq()."&amp;sort=asc&amp;toolgroup=".Security::remove_XSS($_GET['toolgroup'])."&amp;origin=".Security::remove_XSS($_GET['origin'])."'>".Display::return_icon('calendar_up.gif',get_lang('AgendaSortChronologicallyUp')).' '.get_lang("AgendaSortChronologicallyUp")."</a> ";
}
else
{
echo "<a href='".api_get_self()."?".api_get_cidreq()."&amp;sort=desc&amp;toolgroup=".Security::remove_XSS($_GET['toolgroup'])."&amp;origin=".$_GET['origin']."'>".Display::return_icon('calendar_down.gif',get_lang('AgendaSortChronologicallyDown')).' '.get_lang("AgendaSortChronologicallyDown")."</a> ";
echo "<a href='".api_get_self()."?".api_get_cidreq()."&amp;sort=desc&amp;toolgroup=".Security::remove_XSS($_GET['toolgroup'])."&amp;origin=".Security::remove_XSS($_GET['origin'])."'>".Display::return_icon('calendar_down.gif',get_lang('AgendaSortChronologicallyDown')).' '.get_lang("AgendaSortChronologicallyDown")."</a> ";
}
// showing the link to show all items or only those of the current month
@ -4529,7 +4529,7 @@ function agenda_add_repeat_item($course_info,$orig_id,$type,$end,$orig_dest,$fil
$t_agenda = Database::get_course_table(TABLE_AGENDA,$course_info['dbName']);
$t_agenda_r = Database::get_course_table(TABLE_AGENDA_REPEAT,$course_info['dbName']);
//$sql = "SELECT title, content, UNIX_TIMESTAMP(start_date) as sd, UNIX_TIMESTAMP(end_date) as ed FROM $t_agenda WHERE id = $orig_id";
$sql = "SELECT title, content, start_date as sd, end_date as ed FROM $t_agenda WHERE id = $orig_id";
$sql = 'SELECT title, content, start_date as sd, end_date as ed FROM '. $t_agenda.' WHERE id ="'.Database::escape_string($orig_id).'" ';
$res = Database::query($sql,__FILE__,__LINE__);
if(Database::num_rows($res)!==1){return false;}
$row = Database::fetch_array($res);
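Review bot: The rewritten query `$sql = 'SELECT title, content, start_date as sd, end_date as ed FROM '. $t_agenda.' WHERE id ="'.Database::escape_string($orig_id).'" ';` quotes and escapes a numeric primary key instead of validating it; escaping stops quote break-out, but a value such as `1abc` still reaches MySQL and is silently coerced to `1` when compared with an integer column. Treat the id the way this same commit treats `toolgroup` in agenda.php: `$orig_id = (int)$orig_id;` before the query, after which `' WHERE id = '.$orig_id` needs neither quotes nor escaping. The `num_rows !== 1` check below still handles the not-found case. agenda_add_repeat_item begins and ends outside this hunk, so whether the caller has already validated `$orig_id` cannot be seen here.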

@ -1,4 +1,4 @@
<?php //$Id: agenda.php 20413 2009-05-08 16:23:16Z cfasanando $
<?php //$Id: agenda.php 21101 2009-05-30 14:56:54Z iflorespaz $
/*
==============================================================================
Dokeos - elearning and course management software
@ -38,7 +38,7 @@ include('../inc/global.inc.php');
//session
if(isset($_GET['id_session']))
{
$_SESSION['id_session'] = $_GET['id_session'];
$_SESSION['id_session'] = Security::remove_XSS($_GET['id_session']);
}
$this_section=SECTION_COURSES;
@ -58,25 +58,24 @@ api_protect_course_script();
-----------------------------------------------------------
*/
$_SESSION['source_type'] = 'Agenda';
include('../resourcelinker/resourcelinker.inc.php');
require_once(api_get_path(LIBRARY_PATH).'fileUpload.lib.php');
require_once '../resourcelinker/resourcelinker.inc.php';
require_once api_get_path(LIBRARY_PATH).'fileUpload.lib.php';
if (!empty($addresources)) // When the "Add Resource" button is clicked we store all the form data into a session
{
$form_elements= array ('day'=>$_POST['fday'], 'month'=>$_POST['fmonth'], 'year'=>$_POST['fyear'], 'hour'=>$_POST['fhour'], 'minutes'=>$_POST['fminute'],
'end_day'=>$_POST['end_fday'], 'end_month'=>$_POST['end_fmonth'], 'end_year'=>$_POST['end_fyear'], 'end_hours'=>$_POST['end_fhour'], 'end_minutes'=>$_POST['end_fminute'],
'title'=>stripslashes($_POST['title']), 'content'=>stripslashes($_POST['content']), 'id'=>$_POST['id'], 'action'=>$_POST['action'], 'to'=>$_POST['selectedform']);
$form_elements= array ('day'=>Security::remove_XSS($_POST['fday']), 'month'=>Security::remove_XSS($_POST['fmonth']), 'year'=>Security::remove_XSS($_POST['fyear']), 'hour'=>Security::remove_XSS($_POST['fhour']), 'minutes'=>Security::remove_XSS($_POST['fminute']),
'end_day'=>Security::remove_XSS($_POST['end_fday']), 'end_month'=>Security::remove_XSS($_POST['end_fmonth']), 'end_year'=>Security::remove_XSS($_POST['end_fyear']), 'end_hours'=>Security::remove_XSS($_POST['end_fhour']), 'end_minutes'=>Security::remove_XSS($_POST['end_fminute']),
'title'=>Security::remove_XSS(stripslashes($_POST['title'])), 'content'=>Security::remove_XSS(stripslashes($_POST['content'])), 'id'=>Security::remove_XSS($_POST['id']), 'action'=>Security::remove_XSS($_POST['action']), 'to'=>Security::remove_XSS($_POST['selectedform']));
$_SESSION['formelements']=$form_elements;
if($id) // this is to correctly handle edits
{$action="edit";}
// this is to correctly handle edits
if($id){$action="edit";}
//print_r($form_elements);
header('Location: '.api_get_path(WEB_CODE_PATH)."resourcelinker/resourcelinker.php?source_id=1&action=$action&id=$id&originalresource=no");
exit;
}
if (!empty($_GET['view']))
{
$_SESSION['view'] = $_GET['view'];
if (!empty($_GET['view'])) {
$_SESSION['view'] = Security::remove_XSS($_GET['view']);
}
/*
@ -155,7 +154,7 @@ if ((!empty($_GET['user']) and $_GET['user']=="none") or (!empty($_GET['group'])
if (!$is_courseAdmin){
if (!empty($_GET['toolgroup'])){
//$_SESSION['toolgroup']=$_GET['toolgroup'];
$toolgroup=$_GET['toolgroup'];
$toolgroup=Security::remove_XSS($_GET['toolgroup']);
api_session_register('toolgroup');
}
}
@ -178,11 +177,11 @@ $nameTools = get_lang('Agenda'); // language variable in trad4all.inc.php
// showing the header if we are not in the learning path, if we are in
// the learning path, we do not include the banner so we have to explicitly
// include the stylesheet, which is normally done in the header
if ($_GET['toolgroup']){
if (isset($_GET['toolgroup']) && $_GET['toolgroup']==strval(intval($_GET['toolgroup'])) ){
$_clean['toolgroup']=(int)$_GET['toolgroup'];
$group_properties = GroupManager :: get_group_properties($_clean['toolgroup']);
$interbreadcrumb[] = array ("url" => "../group/group.php", "name" => get_lang('Groups'));
$interbreadcrumb[] = array ("url"=>"../group/group_space.php?gidReq=".$_SESSION['toolgroup'], "name"=> get_lang('GroupSpace').' ('.$group_properties['name'].')');
$interbreadcrumb[] = array ("url"=>"../group/group_space.php?gidReq=".Security::remove_XSS($_GET['toolgroup']), "name"=> get_lang('GroupSpace').' ('.$group_properties['name'].')');
Display::display_header($nameTools,'Agenda');
} elseif (empty($_GET['origin']) or $_GET['origin'] != 'learnpath') {
@ -309,7 +308,7 @@ if (api_is_allowed_to_edit(false,true) OR (api_get_course_setting('allow_user_ed
$end_m = intval($_POST['repeat_end_month']);
$end_d = intval($_POST['repeat_end_day']);
$end = mktime(23, 59, 59, $end_m, $end_d, $end_y);
$res = agenda_add_repeat_item($course_info,$id,$_POST['repeat_type'],$end,$_POST['selectedform'],$safe_file_comment);
$res = agenda_add_repeat_item($course_info,$id,Security::remove_XSS($_POST['repeat_type']),$end,Security::remove_XSS($_POST['selectedform']),$safe_file_comment);
}
}
break;
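Review bot: After `$_clean['toolgroup']=(int)$_GET['toolgroup'];` the breadcrumb line still builds its URL from the raw request, `"../group/group_space.php?gidReq=".Security::remove_XSS($_GET['toolgroup'])`, while the rest of the block passes the cast copy to `get_group_properties()`; the `strval(intval())` guard on the `if` line keeps the two equal today, but the line is one edit away from drifting and `remove_XSS()` is an HTML filter, not an integer check. Use the validated value: `"../group/group_space.php?gidReq=".$_clean['toolgroup']`. The same applies to the earlier hunk where `$toolgroup=Security::remove_XSS($_GET['toolgroup']);` is registered into the session — an integer cast there would give every later reader of `$_SESSION['toolgroup']` a known type. Whether `get_group_properties()` checks that the group belongs to the current course is not visible in this file.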

@ -1,4 +1,4 @@
<?php //$Id: calendar.php 16723 2008-11-12 15:41:34Z pcool $
<?php //$Id: calendar.php 21101 2009-05-30 14:56:54Z iflorespaz $
/*
==============================================================================
Dokeos - elearning and course management software
@ -25,11 +25,11 @@
// name of the language file that needs to be included
$language_file = 'agenda';
// including the claroline global
include('../inc/global.inc.php');
require_once '../inc/global.inc.php';
//session
if(isset($_GET['id_session']))
$_SESSION['id_session'] = $_GET['id_session'];
$_SESSION['id_session'] = Security::remove_XSS($_GET['id_session']);
// the variables for the days and the months
// Defining the shorts for the days
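Review bot: `$_SESSION['id_session'] = Security::remove_XSS($_GET['id_session']);` filters a numeric session identifier as if it were HTML rather than validating it, so a non-numeric value is still stored in the session and every later reader of `$_SESSION['id_session']` (SQL, URL building) has to defend itself. Validate it as an integer, the pattern this same commit already uses for `toolgroup` in agenda.php: `if (isset($_GET['id_session']) && $_GET['id_session'] == strval(intval($_GET['id_session']))) { $_SESSION['id_session'] = (int)$_GET['id_session']; }`. The braces also remove the brace-less `if` body, which silently changes meaning if a second statement is ever added. What consumes `$_SESSION['id_session']` is not visible here, so whether the current code is exploitable cannot be judged from this file alone.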

@ -38,11 +38,11 @@
session_cache_limiter('public');
include('../inc/global.inc.php');
require_once '../inc/global.inc.php';
$this_section=SECTION_COURSES;
require_once(api_get_path(LIBRARY_PATH).'document.lib.php');
include 'agenda.inc.php';
require_once api_get_path(LIBRARY_PATH).'document.lib.php';
require_once 'agenda.inc.php';
// IMPORTANT to avoid caching of documents
header('Expires: Wed, 01 Jan 1990 00:00:00 GMT');
header('Cache-Control: public');
@ -58,10 +58,9 @@ $doc_url = str_replace('///', '&', $doc_url);
$doc_url = str_replace(' ', '+', $doc_url);
$doc_url = str_replace('/..', '', $doc_url); //echo $doc_url;
include(api_get_path(LIBRARY_PATH).'events.lib.inc.php');
require_once api_get_path(LIBRARY_PATH).'events.lib.inc.php';
if (! isset($_course))
{
if (!isset($_course)) {
api_not_allowed(true);
}
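Review bot: The include-style change is the only edit in this file, but the path filtering it sits beside, `$doc_url = str_replace('/..', '', $doc_url);`, is a blacklist rather than a containment check and is the line a reviewer of a download script cares about: stripping one pattern does not prove the final path stays under the course directory, and neither the earlier decoding steps nor the place where `$doc_url` is finally opened is visible in this hunk. The robust check is to resolve the assembled filesystem path with `realpath()` and reject it with `api_not_allowed(true)` unless it begins with the `realpath()` of the course document directory, placed immediately before the file is read. Separately, `header('Cache-Control: public');` together with `session_cache_limiter('public')` marks an access-controlled download as cacheable by shared caches; `private` is the safer value for content served only to authorised users. Both remarks concern context lines the commit leaves untouched, so they are follow-ups rather than defects in the change itself.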

@ -12,11 +12,11 @@ $language_file = 'agenda';
// we are not inside a course, so we reset the course id
$cidReset = true;
// setting the global file that gets the general configuration, the databases, the languages, ...
require_once ('../inc/global.inc.php');
require_once '../inc/global.inc.php';
$this_section = SECTION_MYAGENDA;
api_block_anonymous_users();
require_once (api_get_path(LIBRARY_PATH).'groupmanager.lib.php');
require_once (api_get_path(LIBRARY_PATH).'icalcreator/iCalcreator.class.php');
require_once api_get_path(LIBRARY_PATH).'groupmanager.lib.php';
require_once api_get_path(LIBRARY_PATH).'icalcreator/iCalcreator.class.php';
// setting the name of the tool
$nameTools = get_lang('MyAgenda');
@ -67,7 +67,7 @@ if(!empty($_GET['id']) && $_GET['id']==strval(intval($_GET['id'])))
require_once (api_get_path(SYS_CODE_PATH).'calendar/myagenda.inc.php');
$ai = get_personal_agenda_item($_GET['id']);
$vevent->setProperty( 'summary', api_convert_encoding($ai['title'],'UTF-8',$charset));
if(empty($ai['date'])){header('location:'.$_SERVER['HTTP_REFERER']);}
if(empty($ai['date'])){header('location:'.Security::remove_XSS($_SERVER['HTTP_REFERER']));}
list($y,$m,$d,$h,$M,$s) = preg_split('/[\s:-]/',$ai['date']);
$vevent->setProperty('dtstart',array('year'=>$y,'month'=>$m,'day'=>$d,'hour'=>$h,'min'=>$M,'sec'=>$s));
if(empty($ai['enddate']))
@ -97,7 +97,7 @@ if(!empty($_GET['id']) && $_GET['id']==strval(intval($_GET['id'])))
require_once (api_get_path(SYS_CODE_PATH).'calendar/agenda.inc.php');
$ai = get_agenda_item($_GET['id']);
$vevent->setProperty( 'summary', api_convert_encoding($ai['title'],'UTF-8',$charset));
if(empty($ai['start_date'])){header('location:'.$_SERVER['HTTP_REFERER']);}
if(empty($ai['start_date'])){header('location:'.Security::remove_XSS($_SERVER['HTTP_REFERER']));}
list($y,$m,$d,$h,$M,$s) = preg_split('/[\s:-]/',$ai['start_date']);
$vevent->setProperty('dtstart',array('year'=>$y,'month'=>$m,'day'=>$d,'hour'=>$h,'min'=>$M,'sec'=>$s));
if(empty($ai['end_date']))
@ -130,14 +130,14 @@ if(!empty($_GET['id']) && $_GET['id']==strval(intval($_GET['id'])))
$ical->returnCalendar();
break;
default:
header('location:'.$_SERVER['HTTP_REFERER']);
header('location:'.Security::remove_XSS($_SERVER['HTTP_REFERER']));
die();
}
}
}
else
{
header('location:'.$_SERVER['HTTP_REFERER']);
header('location:'.Security::remove_XSS($_SERVER['HTTP_REFERER']));
die();
}
?>
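Review bot: Each `header('location:'.Security::remove_XSS($_SERVER['HTTP_REFERER']));` in this hunk is an open redirect: the Referer is supplied by whichever page linked here, so a third-party site can send a logged-in user through this script and on to a host of its choosing, and `remove_XSS()` does nothing about that because the value is never rendered as HTML. When the header is absent the result is an empty `Location:`. Redirect to a fixed page of the platform built from `api_get_path(WEB_CODE_PATH)` instead, or only honour the Referer when `parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST)` equals the platform's own host and fall back to the fixed page otherwise. The same replacement applies to the two earlier hunks of this file, which use the identical line.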

@ -19,7 +19,7 @@ else
}
// setting the global file that gets the general configuration, the databases, the languages, ...
require('../inc/global.inc.php');
require_once '../inc/global.inc.php';

@ -33,11 +33,11 @@
* @package dokeos.library
==============================================================================
*/
require_once ('database.lib.php');
require_once ('course.lib.php');
require_once ('tablesort.lib.php');
require_once ('fileManage.lib.php');
require_once ('fileUpload.lib.php');
require_once 'database.lib.php';
require_once 'course.lib.php';
require_once 'tablesort.lib.php';
require_once 'fileManage.lib.php';
require_once 'fileUpload.lib.php';
/**
* infinite
*/
@ -973,11 +973,16 @@ class GroupManager
if (!$user_id > 0)
return false;
$table_group = Database :: get_course_table(TABLE_GROUP);
$group_id = Database::escape_string($group_id);
$sql = 'SELECT self_registration_allowed FROM '.$table_group.' WHERE id = '.$group_id;
$db_result = api_sql_query($sql,__FILE__,__LINE__);
$db_object = Database::fetch_object($db_result);
$group_id=(int)$group_id;
if (isset($group_id)) {
$group_id = Database::escape_string($group_id);
$sql = 'SELECT self_registration_allowed FROM '.$table_group.' WHERE id = "'.$group_id.'" ';
$db_result = api_sql_query($sql,__FILE__,__LINE__);
$db_object = Database::fetch_object($db_result);
return $db_object->self_registration_allowed == 1 && GroupManager :: can_user_subscribe($user_id, $group_id);
} else {
return false;
}
}
/**
* Is sef-unregistration allowed?
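Review bot: `if (isset($group_id)) {` on the line after `$group_id=(int)$group_id;` can never be false, because the cast has just assigned the variable, so the new `else { return false; }` branch is dead and a missing or non-numeric id reaches the query as `id = "0"`. The check that was presumably intended is on the value: `if ($group_id > 0) {`. The `Database::escape_string($group_id)` after the cast is then redundant but harmless. The enclosing method's signature is above this hunk, so whether callers already validate the id cannot be seen here. Also, the existing `if (!$user_id > 0)` parses as `(!$user_id) > 0`, which only works by accident; `if ($user_id <= 0)` says what is meant.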
