MDL-68443 xmldb: Improve path validation on view_xml action
[moodle.git] / admin / tool / xmldb / actions / view_xml / view_xml.class.php
0df0df23 1<?php
2// This file is part of Moodle - http://moodle.org/
3//
4// Moodle is free software: you can redistribute it and/or modify
5// it under the terms of the GNU General Public License as published by
6// the Free Software Foundation, either version 3 of the License, or
7// (at your option) any later version.
8//
9// Moodle is distributed in the hope that it will be useful,
10// but WITHOUT ANY WARRANTY; without even the implied warranty of
11// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12// GNU General Public License for more details.
13//
14// You should have received a copy of the GNU General Public License
15// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
8c15ae99 16
f25d53a9 17/**
85d6dd38 18 * @package tool_xmldb
19 * @copyright 2003 onwards Eloy Lafuente (stronk7) {@link http://stronk7.com}
20 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
f25d53a9 21 */
8c15ae99 22
23/**
24 * This class will display one XML file
25 *
85d6dd38 26 * @package tool_xmldb
27 * @copyright 2003 onwards Eloy Lafuente (stronk7) {@link http://stronk7.com}
28 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
f25d53a9 29 */
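class view_xml extends XMLDBAction {

    /**
     * Init method, every subclass will have its own
     */
    function init() {
        parent::init();
        // Set own core attributes
        $this->can_subaction = ACTION_NONE;
        //$this->can_subaction = ACTION_HAVE_SUBACTIONS;

        // Set own custom attributes
        $this->sesskey_protected = false; // This action doesn't need sesskey protection

        // Get needed strings
        $this->loadStrings(array(
            // 'key' => 'module',
        ));
    }

    /**
     * Invoke method, every class will have its own
     * returns true/false on completion, setting both
     * errormsg and output as necessary
     *
     * On success $this->output holds the raw contents of the requested
     * install.xml file; on failure does_generate is switched to HTML and
     * errormsg is set.
     *
     * @return bool true when the file was loaded, false otherwise
     */
    function invoke() {
        parent::invoke();

        $result = true;

        // Set own core attributes
        $this->does_generate = ACTION_GENERATE_XML;

        // These are always here
        global $CFG, $XMLDB;

        // Do the job, setting result as needed

        // Get the file parameter. The PARAM_PATH cleaning applied by
        // required_param() is expected to neutralise ".." sequences; the
        // prefix/suffix check below is a second, independent layer that limits
        // what can be read to install.xml files located under dirroot.
        $file = required_param('file', PARAM_PATH);

        $fullpath = $CFG->dirroot . $file;
        // File param must start with / and end with /db/install.xml to be safe.
        // Strict comparison on purpose: substr() can return false for an
        // out-of-range offset on older PHP versions, and a loose compare must
        // never let such a value pass as a match.
        $isinstallxml = substr($file, 0, 1) === '/' &&
            substr($file, -15, 15) === '/db/install.xml';

        $contents = false;
        if ($isinstallxml && is_file($fullpath) && is_readable($fullpath)) {
            // Everything is ok. Load the file to memory.
            $contents = file_get_contents($fullpath);
        }

        if ($contents !== false) {
            $this->output = $contents;
        } else {
            // Switch to HTML and error. This branch now also covers a
            // well-formed path whose file is missing or unreadable, so
            // $this->output is never left holding a boolean false.
            $this->does_generate = ACTION_GENERATE_HTML;
            // NOTE(review): $file (user supplied) is reflected in errormsg;
            // confirm it is escaped wherever errormsg is rendered as HTML.
            $this->errormsg = 'File not viewable (' . $file .')';
            $result = false;
        }

        // Return ok if arrived here
        return $result;
    }
}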
0df0df23 89