MDL-22991, validate data that was encoded in base64
authorDongsheng Cai <unoter@gmail.com>
Tue, 6 Jul 2010 05:33:43 +0000 (05:33 +0000)
committerDongsheng Cai <unoter@gmail.com>
Tue, 6 Jul 2010 05:33:43 +0000 (05:33 +0000)
repository/local/lib.php
repository/recent/lib.php
repository/user/lib.php

index ca06fdf..184d889 100755 (executable)
  * @since 2.0
  * @package moodlecore
  * @subpackage repository
- * @copyright 2009 Dongsheng Cai
- * @author Dongsheng Cai <dongsheng@moodle.com>
+ * @copyright 2009 Dongsheng Cai <dongsheng@moodle.com>
  * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 
 class repository_local extends repository {
 
-    /**
-     * initialize local plugin
-     * @param int $repositoryid
-     * @param int $context
-     * @param array $options
-     */
-    public function __construct($repositoryid, $context = SYSCONTEXTID, $options = array()) {
-        parent::__construct($repositoryid, $context, $options);
-    }
-
     /**
      * local plugin doesn't require login, so list all files
      * @return mixed
@@ -46,15 +35,6 @@ class repository_local extends repository {
         return $this->get_listing();
     }
 
-    /**
-     * Not supported by File API yet
-     * @param string $search_text
-     * @return mixed
-     */
-    public function search($search_text) {
-        return array();
-    }
-
     /**
      * Get file listing
      *
@@ -72,11 +52,11 @@ class repository_local extends repository {
         if (!empty($encodedpath)) {
             $params = unserialize(base64_decode($encodedpath));
             if (is_array($params)) {
-                $itemid   = $params['itemid'];
-                $filename = $params['filename'];
-                $filearea = $params['filearea'];
-                $filepath = $params['filepath'];
-                $context  = get_context_instance_by_id($params['contextid']);
+                $itemid   = clean_param($params['itemid'], PARAM_INT);
+                $filename = clean_param($params['filename'], PARAM_FILE);
+                $filearea = clean_param($params['filearea'], PARAM_ALPHAEXT);
+                $filepath = clean_param($params['filepath'], PARAM_PATH);;
+                $context  = get_context_instance_by_id(clean_param($params['contextid'], PARAM_INT));
             }
         } else {
             $itemid   = null;
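Review bot: The new clean_param() calls still index `$params['itemid']`, `$params['filename']` and the others unconditionally; `is_array($params)` only proves the blob decoded to an array, so a truncated or hand-crafted path reaches clean_param() with undefined keys (a notice, then null coerced to 0 or '' by the filter) rather than being rejected. I would guard the shape before the assignments, e.g. `if (!is_array($params) || !isset($params['contextid'], $params['itemid'], $params['filearea'], $params['filepath'], $params['filename'])) { throw new repository_exception('emptyfilelist', 'repository_local'); }`. Note also that the validation runs after `unserialize()` has already consumed client-controlled bytes — base64 is an encoding, not an integrity check — so the cleaned fields protect the file API calls but not unserialize() itself; a non-executable format (JSON) or an HMAC over the blob would close that gap. Minor: the stray `;;` on the PARAM_PATH line. The enclosing get_listing() begins above this hunk.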
@@ -86,69 +66,65 @@ class repository_local extends repository {
             $context  = get_system_context();
         }
 
-        try {
-            $browser = get_file_browser();
-
-            if ($fileinfo = $browser->get_file_info($context, $filearea, $itemid, $filepath, $filename)) {
-                // build path navigation
-                $pathnodes = array();
-                $encodedpath = base64_encode(serialize($fileinfo->get_params()));
-                $pathnodes[] = array('name'=>$fileinfo->get_visible_name(), 'path'=>$encodedpath);
-                $level = $fileinfo->get_parent();
-                while ($level) {
-                    $encodedpath = base64_encode(serialize($level->get_params()));
-                    $pathnodes[] = array('name'=>$level->get_visible_name(), 'path'=>$encodedpath);
-                    $level = $level->get_parent();
-                }
-                if (!empty($pathnodes) && is_array($pathnodes)) {
-                    $pathnodes = array_reverse($pathnodes);
-                    $ret['path'] = $pathnodes;
-                }
-                // build file tree
-                $children = $fileinfo->get_children();
-                foreach ($children as $child) {
-                    $shorttitle = $this->get_short_filename($child->get_visible_name(), 12);
-                    if ($child->is_directory()) {
-                        $params = $child->get_params();
-                        $subdir_children = $child->get_children();
-                        if (empty($subdir_children)) {
-                            continue;
-                        }
-                        $encodedpath = base64_encode(serialize($params));
-                        // hide user_private area from local plugin, user should
-                        // use private file plugin to access private files
-                        if ($params['filearea'] == 'user_private') {
-                            continue;
-                        }
-                        $node = array(
-                            'title' => $child->get_visible_name(),
-                            'shorttitle'=>$shorttitle,
-                            'size' => 0,
-                            'date' => '',
-                            'path' => $encodedpath,
-                            'children'=>array(),
-                            'thumbnail' => $OUTPUT->pix_url('f/folder-32') . ''
-                        );
-                        $list[] = $node;
-                    } else {
-                        $encodedpath = base64_encode(serialize($child->get_params()));
-                        $icon = 'f/'.str_replace('.gif', '', mimeinfo('icon', $child->get_visible_name())).'-32';
-                        $node = array(
-                            'title' => $child->get_visible_name(),
-                            'shorttitle'=>$shorttitle,
-                            'size' => 0,
-                            'date' => '',
-                            'source'=> $encodedpath,
-                            'thumbnail' => $OUTPUT->pix_url($icon) . '',
-                        );
-                        $list[] = $node;
-                    }
+        $browser = get_file_browser();
+
+        if ($fileinfo = $browser->get_file_info($context, $filearea, $itemid, $filepath, $filename)) {
+            echo_fb($fileinfo);
+            // build path navigation
+            $pathnodes = array();
+            $encodedpath = base64_encode(serialize($fileinfo->get_params()));
+            $pathnodes[] = array('name'=>$fileinfo->get_visible_name(), 'path'=>$encodedpath);
+            $level = $fileinfo->get_parent();
+            while ($level) {
+                $encodedpath = base64_encode(serialize($level->get_params()));
+                $pathnodes[] = array('name'=>$level->get_visible_name(), 'path'=>$encodedpath);
+                $level = $level->get_parent();
+            }
+            if (!empty($pathnodes) && is_array($pathnodes)) {
+                $pathnodes = array_reverse($pathnodes);
+                $ret['path'] = $pathnodes;
+            }
+            // build file tree
+            $children = $fileinfo->get_children();
+            foreach ($children as $child) {
+                $shorttitle = $this->get_short_filename($child->get_visible_name(), 12);
+                if ($child->is_directory()) {
+                    $params = $child->get_params();
+                    $subdir_children = $child->get_children();
+                    //if (empty($subdir_children)) {
+                        //continue;
+                    //}
+                    $encodedpath = base64_encode(serialize($params));
+                    // hide user_private area from local plugin, user should
+                    // use private file plugin to access private files
+                    //if ($params['filearea'] == 'user_private') {
+                        //continue;
+                    //}
+                    $node = array(
+                        'title' => $child->get_visible_name(),
+                        'shorttitle'=>$shorttitle,
+                        'size' => 0,
+                        'date' => '',
+                        'path' => $encodedpath,
+                        'children'=>array(),
+                        'thumbnail' => $OUTPUT->pix_url('f/folder-32') . ''
+                    );
+                    $list[] = $node;
+                } else {
+                    $encodedpath = base64_encode(serialize($child->get_params()));
+                    $icon = 'f/'.str_replace('.gif', '', mimeinfo('icon', $child->get_visible_name())).'-32';
+                    $node = array(
+                        'title' => $child->get_visible_name(),
+                        'shorttitle'=>$shorttitle,
+                        'size' => 0,
+                        'date' => '',
+                        'source'=> $encodedpath,
+                        'thumbnail' => $OUTPUT->pix_url($icon) . '',
+                    );
+                    $list[] = $node;
                 }
             }
-        } catch (Exception $e) {
-            throw new repository_exception('emptyfilelist', 'repository_local');
         }
-        $ret['list'] = $list;
         $ret['list'] = array_filter($list, array($this, 'filter'));
         return $ret;
     }
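Review bot: `echo_fb($fileinfo);` at the top of the rebuilt branch looks like a leftover debugging call and should be removed before merge — it is not a core API I recognise, and if it is a local helper it will be undefined on other installs and abort every listing. Just below it the `user_private` filter has been commented out while the comment explaining why it exists is kept, so the local plugin now lists the private area the comment says should only be reachable through the private-files plugin; either restore `if ($params['filearea'] == 'user_private') { continue; }` or rewrite the comment to say the hiding was dropped deliberately (the skip for empty subdirectories was disabled the same way and now adds `$subdir_children` as an unused local). The try/catch that turned any failure into `repository_exception('emptyfilelist', 'repository_local')` is also gone, so callers now receive raw exceptions from get_file_browser()/get_file_info(). The enclosing get_listing() starts above this hunk.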
@@ -182,26 +158,25 @@ class repository_local extends repository {
      * @param string $new_filepath the new path in draft area
      * @return array The information of file
      */
-    public function copy_to_area($encoded, $new_filearea='user_draft', $new_itemid = '', $new_filepath = '/', $new_filename = '') {
+    public function copy_to_area($encoded, $new_filearea='draft', $new_itemid = '', $new_filepath = '/', $new_filename = '') {
         global $USER, $DB;
         $info = array();
 
         $browser = get_file_browser();
-        $params = unserialize(base64_decode($encoded));
         $user_context = get_context_instance(CONTEXT_USER, $USER->id);
+
         // the final file
-        $contextid  = $params['contextid'];
-        $filearea   = $params['filearea'];
-        $filepath   = $params['filepath'];
-        $filename   = $params['filename'];
-        $fileitemid = $params['itemid'];
-        $context    = get_context_instance_by_id($contextid);
-        try {
-            $file_info = $browser->get_file_info($context, $filearea, $fileitemid, $filepath, $filename);
-            $file_info->copy_to_storage($user_context->id, $new_filearea, $new_itemid, $new_filepath, $new_filename);
-        } catch (Exception $e) {
-            throw $e;
-        }
+        $params = unserialize(base64_decode($encoded));
+        $contextid  = clean_param($params['contextid'], PARAM_INT);
+        $fileitemid = clean_param($params['itemid'], PARAM_INT);
+        $filename = clean_param($params['filename'], PARAM_FILE);
+        $filepath = clean_param($params['filepath'], PARAM_PATH);;
+        $filearea = clean_param($params['filearea'], PARAM_ALPHAEXT);
+
+        $context = get_context_instance_by_id($contextid);
+
+        $file_info = $browser->get_file_info($context, $filearea, $fileitemid, $filepath, $filename);
+        $file_info->copy_to_storage($user_context->id, $new_filearea, $new_itemid, $new_filepath, $new_filename);
 
         $info['itemid'] = $new_itemid;
         $info['title']  = $new_filename;
index c431950..5f5216e 100755 (executable)
@@ -21,8 +21,7 @@
  * @since 2.0
  * @package moodlecore
  * @subpackage repository
- * @copyright 2010 Dongsheng Cai
- * @author Dongsheng Cai <dongsheng@moodle.com>
+ * @copyright 2010 Dongsheng Cai <dongsheng@moodle.com>
  * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 
@@ -54,15 +53,6 @@ class repository_recent extends repository {
         return $this->get_listing();
     }
 
-    /**
-     * Not supported by File API yet
-     * @param string $search_text
-     * @return mixed
-     */
-    public function search($search_text) {
-        return array();
-    }
-
     private function get_recent_files($limitfrom = 0, $limit = DEFAULT_RECENT_FILES_NUM) {
         global $USER, $DB;
         // TODO: should exclude user_draft area files?
@@ -167,19 +157,20 @@ class repository_recent extends repository {
      * @param string $new_filepath the new path in draft area
      * @return array The information of file
      */
-    public function copy_to_area($encoded, $new_filearea='user_draft', $new_itemid = '', $new_filepath = '/', $new_filename = '') {
+    public function copy_to_area($encoded, $new_filearea='draft', $new_itemid = '', $new_filepath = '/', $new_filename = '') {
         global $USER, $DB;
-        $info = array();
+
+        $user_context = get_context_instance(CONTEXT_USER, $USER->id);
+
         $fs = get_file_storage();
 
         $params = unserialize(base64_decode($encoded));
-        $user_context = get_context_instance(CONTEXT_USER, $USER->id);
 
-        $contextid  = $params['contextid'];
-        $filearea   = $params['filearea'];
-        $filepath   = $params['filepath'];
-        $filename   = $params['filename'];
-        $fileitemid = $params['itemid'];
+        $contextid  = clean_param($params['contextid'], PARAM_INT);
+        $fileitemid = clean_param($params['itemid'], PARAM_INT);
+        $filename = clean_param($params['filename'], PARAM_FILE);
+        $filepath = clean_param($params['filepath'], PARAM_PATH);;
+        $filearea = clean_param($params['filearea'], PARAM_ALPHAEXT);
 
         // XXX:
         // When user try to pick a file from other filearea, normally file api will use file browse to
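Review bot: Unlike the get_listing() hunks in the sibling plugins, this block feeds the result of `unserialize(base64_decode($encoded))` straight into clean_param() with no `is_array($params)` check, so a malformed `$encoded` (unserialize() returns false) yields undefined-index notices and a contextid/itemid of 0 instead of a clean failure; reject it before the assignments with `if (!is_array($params)) { throw new repository_exception('...'); }` and, ideally, require the expected keys with `isset()` as well. Because PARAM_INT silently coerces garbage to 0, rejecting is safer than relying on the cleaned value. Minor: the doubled `;;` after the PARAM_PATH call. copy_to_area() continues past the end of this hunk.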
@@ -197,6 +188,7 @@ class repository_recent extends repository {
             $fs->create_file_from_storedfile($file_record, $stored_file);
         }
 
+        $info = array();
         $info['title']  = $new_filename;
         $info['itemid'] = $new_itemid;
         $info['filesize']  = $stored_file->get_filesize();
index e3eabc1..dfb4d98 100755 (executable)
  * @since 2.0
  * @package moodlecore
  * @subpackage repository
- * @copyright 2010 Dongsheng Cai
- * @author Dongsheng Cai <dongsheng@moodle.com>
- * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ * @copyright 2010 Dongsheng Cai <dongsheng@moodle.com>
+ * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 
 class repository_user extends repository {
 
-    /**
-     * initialize user plugin
-     * @param int $repositoryid
-     * @param int $context
-     * @param array $options
-     */
-    public function __construct($repositoryid, $context = SYSCONTEXTID, $options = array()) {
-        parent::__construct($repositoryid, $context, $options);
-    }
-
     /**
      * user plugin doesn't require login
      * @return mixed
@@ -46,15 +35,6 @@ class repository_user extends repository {
         return $this->get_listing();
     }
 
-    /**
-     * Not supported by File API yet
-     * @param string $search_text
-     * @return mixed
-     */
-    public function search($search_text) {
-        return array();
-    }
-
     /**
      * Get file listing
      *
@@ -72,11 +52,11 @@ class repository_user extends repository {
         if (!empty($encodedpath)) {
             $params = unserialize(base64_decode($encodedpath));
             if (is_array($params)) {
-                $itemid   = $params['itemid'];
-                $filename = $params['filename'];
-                $filearea = $params['filearea'];
-                $filepath = $params['filepath'];
-                $context  = get_context_instance_by_id($params['contextid']);
+                $itemid   = clean_param($params['itemid'], PARAM_INT);
+                $filename = clean_param($params['filename'], PARAM_FILE);
+                $filearea = clean_param($params['filearea'], PARAM_ALPHAEXT);
+                $filepath = clean_param($params['filepath'], PARAM_PATH);;
+                $context  = get_context_instance_by_id(clean_param($params['contextid'], PARAM_INT));
             }
         } else {
             $itemid   = 0;
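Review bot: `get_context_instance_by_id(clean_param($params['contextid'], PARAM_INT))` accepts any integer context id the client chooses; clean_param() guarantees a well-formed integer, not that the current user may browse that context, and nothing in this hunk checks access, so the protection rests on `$browser->get_file_info()` (outside the hunk) enforcing it — worth confirming and worth a comment here, e.g. `// access to the context is enforced by file_browser::get_file_info(), not here`. Separately, the assignments still index keys that `is_array($params)` does not guarantee exist, so a truncated blob produces notices and 0/'' values rather than a rejection; an `isset()` check on the five keys before this block would make the failure explicit. Minor: the `;;` after the PARAM_PATH call. The enclosing get_listing() begins above this hunk.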
@@ -166,27 +146,24 @@ class repository_user extends repository {
      * @param string $new_filepath the new path in draft area
      * @return array The information of file
      */
-    public function copy_to_area($encoded, $new_filearea='user_draft', $new_itemid = '', $new_filepath = '/', $new_filename = '') {
+    public function copy_to_area($encoded, $new_filearea='draft', $new_itemid = '', $new_filepath = '/', $new_filename = '') {
         global $USER, $DB;
-        $info = array();
 
         $browser = get_file_browser();
         $params = unserialize(base64_decode($encoded));
         $user_context = get_context_instance(CONTEXT_USER, $USER->id);
-        // the final file
-        $contextid  = $params['contextid'];
-        $filearea   = $params['filearea'];
-        $filepath   = $params['filepath'];
-        $filename   = $params['filename'];
-        $fileitemid = $params['itemid'];
+
+        $contextid  = clean_param($params['contextid'], PARAM_INT);
+        $fileitemid = clean_param($params['itemid'], PARAM_INT);
+        $filename = clean_param($params['filename'], PARAM_FILE);
+        $filepath = clean_param($params['filepath'], PARAM_PATH);;
+        $filearea = clean_param($params['filearea'], PARAM_ALPHAEXT);
+
         $context    = get_context_instance_by_id($contextid);
-        try {
-            $file_info = $browser->get_file_info($context, $filearea, $fileitemid, $filepath, $filename);
-            $file_info->copy_to_storage($user_context->id, $new_filearea, $new_itemid, $new_filepath, $new_filename);
-        } catch (Exception $e) {
-            throw $e;
-        }
+        $file_info = $browser->get_file_info($context, $filearea, $fileitemid, $filepath, $filename);
+        $file_info->copy_to_storage($user_context->id, $new_filearea, $new_itemid, $new_filepath, $new_filename);
 
+        $info = array();
         $info['itemid'] = $new_itemid;
         $info['title']  = $new_filename;
         $info['contextid'] = $user_context->id;
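Review bot: `$file_info = $browser->get_file_info(...)` is dereferenced on the very next line without checking for an empty result, so a source path that no longer exists or that the user may not read becomes a fatal "call to a member function on a non-object" rather than an error the picker can report; the removed try/catch would not have caught that either, but the rewrite is the place to add `if (!$file_info) { throw new repository_exception(...); }` between the two lines. The same hunk also runs clean_param() on `$params` without the `is_array()` guard that get_listing() in this file uses, so a malformed `$encoded` reaches the file API as contextid/itemid 0 with notices. Minor: the doubled `;;` after the PARAM_PATH call. copy_to_area() continues past the end of this hunk.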