

Use "clean_up_files_in_zip" function before extracting content
Blocks php/htaccess files
jmontoyaa committed Feb 26, 2019
1 parent 4a72b55 commit c245b03
Showing 3 changed files with 18 additions and 132 deletions.
65 changes: 4 additions & 61 deletions main/lp/aicc.class.php
Expand Up @@ -577,68 +577,11 @@ public function import_package($zip_file_info, $current_dir = '')
if ($this->debug >= 1) {
error_log('New LP - Changing dir to '.$course_sys_dir.$new_dir, 0);
}
$saved_dir = getcwd();
chdir($course_sys_dir.$new_dir);
$unzippingState = $zipFile->extract();
for ($j = 0; $j < count($unzippingState); $j++) {
$state = $unzippingState[$j];

// TODO: Fix relative links in html files (?)
$extension = strrchr($state["stored_filename"], '.');
//if ($this->debug > 1) { error_log('New LP - found extension '.$extension.' in '.$state['stored_filename'], 0); }
}

if (!empty($new_dir)) {
$new_dir = $new_dir.'/';
}
// Rename files, for example with \\ in it.
if ($dir = @opendir($course_sys_dir.$new_dir)) {
if ($this->debug == 1) {
error_log('New LP - Opened dir '.$course_sys_dir.$new_dir, 0);
}
while ($file = readdir($dir)) {
if ($file != '.' && $file != '..') {
$filetype = 'file';

if (is_dir($course_sys_dir.$new_dir.$file)) {
$filetype = 'folder';
}

// TODO: RENAMING FILES CAN BE VERY DANGEROUS AICC-WISE, avoid that as much as possible!
//$safe_file = api_replace_dangerous_char($file, 'strict');
$find_str = ['\\', '.php', '.phtml'];
$repl_str = ['/', '.txt', '.txt'];
$safe_file = str_replace($find_str, $repl_str, $file);

if ($safe_file != $file) {
//@rename($course_sys_dir.$new_dir, $course_sys_dir.'/'.$safe_file);
$mydir = dirname($course_sys_dir.$new_dir.$safe_file);
if (!is_dir($mydir)) {
$mysubdirs = split('/', $mydir);
$mybasedir = '/';
foreach ($mysubdirs as $mysubdir) {
if (!empty($mysubdir)) {
$mybasedir = $mybasedir.$mysubdir.'/';
if (!is_dir($mybasedir)) {
@mkdir($mybasedir, api_get_permissions_for_new_directories());
if ($this->debug == 1) {
error_log('New LP - Dir '.$mybasedir.' doesnt exist. Creating.');
}
}
}
}
}
@rename($course_sys_dir.$new_dir.$file, $course_sys_dir.$new_dir.$safe_file);
if ($this->debug == 1) {
error_log('New LP - Renaming '.$course_sys_dir.$new_dir.$file.' to '.$course_sys_dir.$new_dir.$safe_file);
}
}
}
}

closedir($dir);
chdir($saved_dir);
}
$zipFile->extract(
PCLZIP_CB_PRE_EXTRACT,
'clean_up_files_in_zip'
);
} else {
return '';
}
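Review bot: The result of `$zipFile->extract(PCLZIP_CB_PRE_EXTRACT, 'clean_up_files_in_zip')` is discarded, so a failed extraction (PclZip returns `0` on error) continues as if the package had imported cleanly; capture it and take the existing failure path, e.g. `if ($zipFile->extract(PCLZIP_CB_PRE_EXTRACT, 'clean_up_files_in_zip') === 0) { error_log('New LP - extract failed: '.$zipFile->errorInfo(true)); return ''; }`. Extraction is still done relative to the working directory with no `PCLZIP_OPT_PATH`/`PCLZIP_OPT_REMOVE_ALL_PATH`, so unless `clean_up_files_in_zip` (not shown in this diff) also rejects entries whose stored path contains `..`, an archive entry can still land outside `$course_sys_dir.$new_dir`. The removed block restored the caller's directory with `chdir($saved_dir)`; if the `chdir($course_sys_dir.$new_dir)` call survives this hunk, the process now stays in the course directory for the rest of the request. The body of import_package continues outside the hunk.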
77 changes: 7 additions & 70 deletions main/lp/scorm.class.php
Expand Up @@ -742,81 +742,18 @@ public function import_package(
if ($this->debug >= 1) {
error_log('New LP - Changing dir to '.$courseSysDir.$newDir);
}
$savedDir = getcwd();

chdir($courseSysDir.$newDir);
$unzippingState = $zipFile->extract();

for ($j = 0; $j < count($unzippingState); $j++) {
$state = $unzippingState[$j];
// TODO: Fix relative links in html files (?)
$extension = strrchr($state['stored_filename'], '.');
if ($this->debug >= 1) {
error_log('New LP - found extension '.$extension.' in '.$state['stored_filename']);
}
}

$zipFile->extract(
PCLZIP_CB_PRE_EXTRACT,
'clean_up_files_in_zip'
);

if (!empty($newDir)) {
$newDir = $newDir.'/';
}

// Rename files, for example with \\ in it.
if ($this->debug >= 1) {
error_log('New LP - try to open: '.$courseSysDir.$newDir);
}

if ($dir = @opendir($courseSysDir.$newDir)) {
if ($this->debug >= 1) {
error_log('New LP - Opened dir '.$courseSysDir.$newDir);
}
while ($file = readdir($dir)) {
if ($file != '.' && $file != '..') {
// TODO: RENAMING FILES CAN BE VERY DANGEROUS SCORM-WISE, avoid that as much as possible!
//$safeFile = api_replace_dangerous_char($file, 'strict');
$findStr = ['\\', '.php', '.phtml'];
$replStr = ['/', '.txt', '.txt'];
$safeFile = str_replace($findStr, $replStr, $file);

if ($this->debug >= 1) {
error_log('Comparing: '.$safeFile);
error_log('and: '.$file);
}

if ($safeFile != $file) {
$mydir = dirname($courseSysDir.$newDir.$safeFile);
if (!is_dir($mydir)) {
$mysubdirs = explode('/', $mydir);
$mybasedir = '/';
foreach ($mysubdirs as $mysubdir) {
if (!empty($mysubdir)) {
$mybasedir = $mybasedir.$mysubdir.'/';
if (!is_dir($mybasedir)) {
@mkdir($mybasedir, api_get_permissions_for_new_directories());
if ($this->debug >= 1) {
error_log('New LP - Dir '.$mybasedir.' doesnt exist. Creating.');
}
}
}
}
}
@rename($courseSysDir.$newDir.$file, $courseSysDir.$newDir.$safeFile);
if ($this->debug >= 1) {
error_log(
'New LP - Renaming '.$courseSysDir.$newDir.$file.' to '.$courseSysDir.$newDir
.$safeFile
);
}
}
}
}

closedir($dir);
chdir($savedDir);

api_chmod_R($courseSysDir.$newDir, api_get_permissions_for_new_directories());
if ($this->debug > 1) {
error_log('New LP - changed back to init dir: '.$courseSysDir.$newDir);
}
}
api_chmod_R($courseSysDir.$newDir, api_get_permissions_for_new_directories());
} else {
return false;
}
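Review bot: `api_chmod_R($courseSysDir.$newDir, ...)` now runs unconditionally after an `extract()` whose return value is never examined, so a package whose extraction failed or was entirely skipped by the callback is chmod'ed and reported as imported; guard it with `if ($zipFile->extract(PCLZIP_CB_PRE_EXTRACT, 'clean_up_files_in_zip') === 0) { error_log('New LP - extract failed: '.$zipFile->errorInfo(true)); return false; }` before the chmod, matching the `return false` already used in the else branch. Since the callback only filters entries by name (per the commit description, php/htaccess), a package that depended on such a file now imports with the file silently missing rather than renamed to `.txt` as before; logging the skipped entries at debug level would make that visible to the course author. The extraction still depends on the working directory set by `chdir`, and the `chdir($savedDir)` restore is among the removed lines, so confirm that the working directory is still reset somewhere after this hunk. import_package continues outside the hunk.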
Expand Up @@ -293,7 +293,13 @@ public static function readCourse($filename, $delete = false)
// unzip the archive
$zip = new \PclZip($unzip_dir.'/backup.zip');
@chdir($unzip_dir);
$zip->extract(PCLZIP_OPT_TEMP_FILE_ON);

$zip->extract(
PCLZIP_OPT_TEMP_FILE_ON,
PCLZIP_CB_PRE_EXTRACT,
'clean_up_files_in_zip'
);

// remove the archive-file
if ($delete) {
@unlink($filePath);
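Review bot: The extraction target is still whatever `@chdir($unzip_dir)` left as the working directory, and both that call and the new `$zip->extract(...)` have their results ignored, so if the chdir fails (the `@` hides it) the filtered backup is written into the process's current directory and the method carries on to `@unlink($filePath)`. Passing the destination explicitly removes that dependency: `$zip->extract(PCLZIP_OPT_PATH, $unzip_dir, PCLZIP_OPT_TEMP_FILE_ON, PCLZIP_CB_PRE_EXTRACT, 'clean_up_files_in_zip');`, and a `=== 0` check on the result should take readCourse's failure path (not visible in this hunk) before the archive is deleted. The filename of this section is not shown on the page, and readCourse's body continues beyond the hunk.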
