MDL-47868 ws: verify upload areas
authorPetr Skoda <petr.skoda@totaralms.com>
Mon, 3 Nov 2014 19:52:26 +0000 (08:52 +1300)
committerEloy Lafuente (stronk7) <stronk7@moodle.org>
Tue, 4 Nov 2014 00:48:17 +0000 (01:48 +0100)
webservice/upload.php

index 93310cd..03503b2 100644 (file)
@@ -68,6 +68,11 @@ if ($fileuploaddisabled) {
 $context = context_user::instance($USER->id);
 require_capability('moodle/user:manageownfiles', $context);
 
+if ($filearea !== 'private' and $filearea !== 'draft') {
+    // Do not dare to allow more areas here!
+    throw new file_exception('error');
+}
+
 $fs = get_file_storage();
 
 $totalsize = 0;
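Review bot: The new allow-list guard on `$filearea` rejects with only the generic `'error'` string, and its comment forbids extending the list without saying why. Where `$filearea` is read lies outside the hunk (presumably a request parameter), so this check is the only visible constraint on which area a web service client can write to. The comment should state that, e.g. `// Allow-list: web service uploads may only target the user's own private or draft area; any other area must stay unreachable from this script.` Passing a debuginfo would also make a rejected request identifiable during troubleshooting without exposing detail to the client: `throw new file_exception('error', null, 'Upload to this file area is not allowed');`.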