moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-04 16:36:37 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDL-90 Introducing MOODLE_SANE_INPUT and MOODLE_SANE_OUTPUT to setup.php

Browse source 
These two constants indicate that the Moodle core should not mangle
input (magic quotes of any kind verboten!) and should not spit odd stuff
in the output (displaydebug verboten!). Both are needed for WebDAV
support.

MOODLE_SANE_INPUT is tricky - it means that the codepaths _must_ use
$db->qstr() (or addslashes() - but that has its own problems).
This commit is contained in:
martinlanghoff 2008-02-27 02:51:49 +00:00
parent c336b0b023
commit 8f64ba0483
1 changed files with 17 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

23
lib/setup.php
View file

@ -278,6 +278,14 @@ global $HTTPSPAGEREQUIRED;
} else { } else {
@ini_set('display_errors', '1'); @ini_set('display_errors', '1');
} }
// Even when users want to see errors in the output,
// some parts of Moodle cannot display them at all.
// (Once we are XHTML strict compliant, debugdisplay
// _must_ go away).
if (defined('MOODLE_SANE_OUTPUT')) {
@ini_set('display_errors', '0');
@ini_set('log_errors', '1');
}
/// Shared-Memory cache init -- will set $MCACHE /// Shared-Memory cache init -- will set $MCACHE
/// $MCACHE is a global object that offers at least add(), set() and delete() /// $MCACHE is a global object that offers at least add(), set() and delete()
@ -417,11 +425,15 @@ global $HTTPSPAGEREQUIRED;
$CFG->javascript = $CFG->libdir .'/javascript.php'; $CFG->javascript = $CFG->libdir .'/javascript.php';
$CFG->moddata = 'moddata'; $CFG->moddata = 'moddata';
// Alas, in some cases we cannot deal with magic_quotes.
if (defined('MOODLE_SANE_INPUT') && ini_get_bool('magic_quotes_gpc')) {
mdie("Facilities that require MOODLE_SANE_INPUT "
. "cannot work with magic_quotes_gpc. Please disable "
. "magic_quotes_gpc.");
}
/// A hack to get around magic_quotes_gpc being turned off /// A hack to get around magic_quotes_gpc being turned off
/// It is strongly recommended to enable "magic_quotes_gpc"! /// It is strongly recommended to enable "magic_quotes_gpc"!
if (!ini_get_bool('magic_quotes_gpc') && !defined('MOODLE_SANE_INPUT') ) {
if (!ini_get_bool('magic_quotes_gpc') ) {
function addslashes_deep($value) { function addslashes_deep($value) {
$value = is_array($value) ? $value = is_array($value) ?
array_map('addslashes_deep', $value) : array_map('addslashes_deep', $value) :
@ -457,13 +469,12 @@ global $HTTPSPAGEREQUIRED;
/// This hack is no longer being applied as of Moodle 1.6 unless you really /// This hack is no longer being applied as of Moodle 1.6 unless you really
/// really want to use it (by defining $CFG->enableglobalshack = true) /// really want to use it (by defining $CFG->enableglobalshack = true)
if (!empty($CFG->enableglobalshack)) { if (!empty($CFG->enableglobalshack) && !defined('MOODLE_SANE_INPUT')) {
if (!empty($CFG->detect_unchecked_vars)) { if (!empty($CFG->detect_unchecked_vars)) {
global $UNCHECKED_VARS; global $UNCHECKED_VARS;
$UNCHECKED_VARS->url = $_SERVER['PHP_SELF']; $UNCHECKED_VARS->url = $_SERVER['PHP_SELF'];
$UNCHECKED_VARS->vars = array(); $UNCHECKED_VARS->vars = array();
} }
if (isset($_GET)) { if (isset($_GET)) {
extract($_GET, EXTR_SKIP); // Skip existing variables, ie CFG extract($_GET, EXTR_SKIP); // Skip existing variables, ie CFG
if (!empty($CFG->detect_unchecked_vars)) { if (!empty($CFG->detect_unchecked_vars)) {
@ -498,7 +509,7 @@ global $HTTPSPAGEREQUIRED;
//discard session ID from POST, GET and globals to tighten security, //discard session ID from POST, GET and globals to tighten security,
//this session fixation prevention can not be used in cookieless mode //this session fixation prevention can not be used in cookieless mode
if (empty($CFG->usesid)) { if (empty($CFG->usesid) && !defined('MOODLE_SANE_INPUT')) {
unset(${'MoodleSession'.$CFG->sessioncookie}); unset(${'MoodleSession'.$CFG->sessioncookie});
unset($_GET['MoodleSession'.$CFG->sessioncookie]); unset($_GET['MoodleSession'.$CFG->sessioncookie]);
unset($_POST['MoodleSession'.$CFG->sessioncookie]); unset($_POST['MoodleSession'.$CFG->sessioncookie]);