}
foreach ($matches[2] as $match) {
$file = str_replace(array('$@FILEPHP@$', '$@SLASH@$', '$@FORCEDOWNLOAD@$'), array('', '/', ''), $match);
- $files[] = rawurldecode($file);
+ if ($file === clean_param($file, PARAM_PATH)) {
+ $files[] = rawurldecode($file);
+ }
}
return array_unique($files);
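Review bot: The added PARAM_PATH check validates `$file` before `rawurldecode()` runs on it, so the value that ends up in `$files` is not the value that was checked; a percent-encoded path component would pass the comparison and only be decoded afterwards, unless clean_param() itself normalises percent-encoding, which the hunk does not show. Validate the decoded string and store that same string: `$decoded = rawurldecode($file); if ($decoded === clean_param($decoded, PARAM_PATH)) { $files[] = $decoded; }`. The enclosing function starts before this hunk, so the source of `$matches` and the initialisation of `$files` are not visible here. The same decode-after-validate ordering does not affect the second hunk, which checks `$sourcefullpath` without any decoding.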
$sourcefullpath = $this->basepath.'/'.$sourcepath;
+ if ($sourcefullpath !== clean_param($sourcefullpath, PARAM_PATH)) {
+ throw new moodle1_convert_exception('file_invalid_path', $sourcefullpath);
+ }
+
if (!is_readable($sourcefullpath)) {
throw new moodle1_convert_exception('file_not_readable', $sourcefullpath);
}