better protection of JS minify script

Petr Skoda 2010-05-22 19:28:29 +00:00
parent 5a75ac0ab6
commit 7a2df05c76


@ -34,13 +34,29 @@ require_once('Minify.php');
$file = min_optional_param('file', '', 'RAW'); $file = min_optional_param('file', '', 'RAW');
$rev = min_optional_param('rev', 0, 'INT'); $rev = min_optional_param('rev', 0, 'INT');
if (strpos($file, ',')) { // some security first - pick only files with .js extension in dirroot
$jsfiles = explode(',', $file); $jsfiles = array();
foreach ($jsfiles as $key=>$file) { $files = explode(',', $file);
$jsfiles[$key] = $CFG->dirroot.$file; foreach ($files as $fsfile) {
$jsfile = realpath($CFG->dirroot.$fsfile);
if ($jsfile === false) {
// does not exist
continue;
} }
} else { if (strpos($jsfile, $CFG->dirroot . DIRECTORY_SEPARATOR) !== 0) {
$jsfiles = array($CFG->dirroot.$file); // hackers - not in dirroot
continue;
}
if (substr($jsfile, -1) !== '.js') {
// hackers - not a JS file
continue;
}
$jsfiles[] = $jsfile;
}
if (!$jsfiles) {
// bad luck - no valid files
die();
} }
minify($jsfiles); minify($jsfiles);
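Review bot: The extension check `substr($jsfile, -1) !== '.js'` compares a one-character string with a three-character literal, so the condition is always true and every resolved path is skipped. As written, `$jsfiles` stays empty and each request ends at `die()`, so the script serves nothing; the check should read `if (substr($jsfile, -3) !== '.js') {`. Separately, the containment test compares the `realpath()` result against `$CFG->dirroot` as configured. If dirroot is a symlinked or otherwise non-canonical path (not visible in this hunk), legitimate files would be rejected too, so comparing against `realpath($CFG->dirroot) . DIRECTORY_SEPARATOR` would be more robust. A comment above the loop stating the three accepted conditions (exists, inside dirroot, ends in `.js`) would make the intent easier to verify.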