| commit | 0289be1321babfa588fb5b18ebb08a296eed9eee | |
| author | Damyon Wiese <damyon@moodle.com> | |
| Tue, 27 Jan 2015 15:16:10 +0000 (27 23:16 +0800) | ||
| committer | David Monllao <davidm@moodle.com> | |
| Wed, 28 Jan 2015 06:38:01 +0000 (28 14:38 +0800) | ||
| tree | 3dbf1f60d9c52ee230dc59365d40b2f662537669 | treesnapshot (tar.gz zip) |
| parent | 365e0555eedabaaccd401e023eaab712d985bcda | commitdiff |
MDL-48980 Security: Always clean the result from min_get_slash_argument
The result from this function is used in send_file calls and if unclean
(windows dir separators, or .. path components) it could expose sensitive
files (e.g. .php files). Now we always clean the result from this function
even if it means double cleaning.
I also fixed the unit test for this function and added a new test for this cleaning.
I also updated the comments to point to get_file_argument as the full version of
min_get_slash_argument.
The result from this function is used in send_file calls and if unclean
(windows dir separators, or .. path components) it could expose sensitive
files (e.g. .php files). Now we always clean the result from this function
even if it means double cleaning.
I also fixed the unit test for this function and added a new test for this cleaning.
I also updated the comments to point to get_file_argument as the full version of
min_get_slash_argument.
| lib/configonlylib.php | diffblobblamehistory | |
| lib/tests/configonlylib_test.php | diffblobblamehistory |