Commit 1daf1c98 authored by Nigel McNie's avatar Nigel McNie Committed by Nigel McNie
parents 45342efc 858fb2c3
......@@ -646,4 +646,49 @@ function validate_username($username) {
return preg_match('/^[a-zA-Z0-9_\.@]+$/', $username);
}
/**
* Function to require a plugin file. This is to avoid doing
* require and include directly with variables.
* This function is the one safe point to require plugin files.
* so USE it :)
* @param string $plugintype the type of plugin (eg artefact)
* @param string $pluginname the name of the plugin (eg blog)
* @param string $filename the name of the file to include within the plugin structure
* @param string $function (optional, defaults to require) the require/include function to use
* @param string $nonfatal (optional, defaults to false) just returns false if the file doesn't exist
*/
function safe_require($plugintype, $pluginname, $filename, $function='require', $nonfatal=false) {
$plugintype = clean_filename($plugintype);
$pluginname = clean_filename($pluginname);
if (!in_array($function,array('require','include','require_once','include_once'))) {
if (!empty($nonfatal)) {
return false;
}
throw new Exception ('invalid require type');
}
$fullpath = get_config('docroot') . $plugintype . '/' . $pluginname . '/' . $filename;
if (!$realpath = realpath($fullpath)) {
if (!empty($nonfatal)) {
return false;
}
throw new Exception ("File $fullpath did not exist");
}
if (strpos($realpath, get_config('docroot') !== 0)) {
if (!empty($nonfatal)) {
return false;
}
throw new Exception ("File $fullpath was outside document root!");
}
if ($function == 'require') { return require($realpath); }
if ($function == 'include') { return include($realpath); }
if ($function == 'require_once') { return require_once($realpath); }
if ($function == 'include_once') { return include_once($realpath); }
}
?>
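Review bot: The document-root check on the `strpos` line does not compare against the docroot at all, because `!== 0` sits inside the call's parentheses. The needle is the boolean result of `get_config('docroot') !== 0`, so the "outside document root" throw is not tied to where `$realpath` actually points. Close the call before comparing: `if (strpos($realpath, get_config('docroot')) !== 0) {`. Since `$filename` is concatenated into `$fullpath` without passing through `clean_filename()`, this check is the only thing confining the resolved path, and it deserves a test with a path that resolves outside the docroot. Comparing against `realpath(get_config('docroot'))` with a trailing separator would also guard against a non-canonical configured value and against sibling directories sharing the prefix; whether the configured docroot is already canonical is not visible from this hunk.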
......@@ -258,6 +258,7 @@ function clean_param($param, $type) {
return eregi_replace('[^a-zA-Z0-9_-]', '', $param);
case PARAM_CLEANFILE: // allow only safe characters
// @todo this function hasn't been ported from moodle yet.
return clean_filename($param);
case PARAM_FILE: // Strip all suspicious characters from filename
......@@ -443,4 +444,10 @@ function cleanAttributes2($htmlArray){
return '<'. $slash . $elem . $attStr . $xhtml_slash .'>';
}
function clean_filename($filename) {
//@todo
return $filename;
}
?>
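Review bot: `clean_filename()` returns its argument unchanged, so the `PARAM_CLEANFILE` case in `clean_param()` and the two `clean_filename()` calls in `safe_require()` from the same commit apply no filtering, while their names and comments ("allow only safe characters") tell callers otherwise. Until the port is done, the stub should fail closed rather than pass input through. An interim allow-list mirroring the neighbouring case would work, `return preg_replace('/[^a-zA-Z0-9_-]/', '', $filename);`, accepting that it is stricter than the final version needs to be. The `//@todo` should also state what the finished function must reject (directory separators, `..` sequences, NUL bytes), so the gap is visible to anyone who calls it in the meantime.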