コード例 #1
0
ファイル: receiver.php プロジェクト: omaoibrahim/chamilo-lms
}
//clean
$nano_user_id = Security::remove_XSS($_GET['nano_user_id']);
$nano_group_id = Security::remove_XSS($_GET['nano_group_id']);
$nano_session_id = Security::remove_XSS($_GET['nano_session_id']);
$filename = Security::remove_XSS($_GET['filename']);
$filename = urldecode($filename);
$filepath = Security::remove_XSS(urldecode($_GET['filepath']));
$dir = Security::remove_XSS(urldecode($_GET['dir']));
$course_code = Security::remove_XSS(urldecode($_GET['course_code']));
$_course = api_get_course_info($course_code);
$filename = trim($_GET['filename']);
$filename = Security::remove_XSS($filename);
$filename = Database::escape_string($filename);
$filename = api_replace_dangerous_char($filename);
$filename = disable_dangerous_file($filename);
$title = trim(str_replace('_chnano_.', '.', $filename));
//hide nanogong wav tag at title
$title = str_replace('_', ' ', $title);
$documentPath = $filepath . $filename;
if ($nano_user_id != api_get_user_id() || api_get_user_id() == 0 || $nano_user_id == 0) {
    echo 'Not allowed';
    exit;
}
// Do not use here check Fileinfo method because return: text/plain
if (!file_exists($documentPath)) {
    //add document to disk
    move_uploaded_file($_FILES['voicefile']['tmp_name'], $documentPath);
    //add document to database
    $current_session_id = $nano_session_id;
    $groupId = $nano_group_id;
コード例 #2
0
ファイル: document.php プロジェクト: omaoibrahim/chamilo-lms
     } else {
         // dir_id is the parent folder id.
         if (!empty($_POST['dir_id'])) {
             // Get the document data from the ID
             $document_data = DocumentManager::get_document_data_by_id($_POST['dir_id'], api_get_course_id(), false, $sessionId);
             if ($sessionId != 0 && !$document_data) {
                 // If there is a session defined and asking for the
                 // document * from the session* didn't work, try it from
                 // the course (out of a session context)
                 $document_data = DocumentManager::get_document_data_by_id($_POST['dir_id'], api_get_course_id(), false, 0);
             }
             $curdirpath = $document_data['path'];
         }
         $added_slash = $curdirpath == '/' ? '' : '/';
         $dir_name = $curdirpath . $added_slash . api_replace_dangerous_char($post_dir_name);
         $dir_name = disable_dangerous_file($dir_name);
         $dir_check = $base_work_dir . $dir_name;
         $visibility = empty($groupId) ? null : 1;
         $newFolderData = create_unexisting_directory($courseInfo, api_get_user_id(), $sessionId, $groupId, $to_user_id, $base_work_dir, $dir_name, $post_dir_name, $visibility);
         if (!empty($newFolderData)) {
             $message = Display::return_message(get_lang('DirCr') . ' ' . $newFolderData['title'], 'confirmation');
         } else {
             $message = Display::return_message(get_lang('CannotCreateDir'), 'error');
         }
     }
     Display::addFlash($message);
 }
 // Show them the form for the directory name
 if (isset($_GET['createdir'])) {
     $dirForm = DocumentManager::create_dir_form($document_id);
 }
コード例 #3
0
ファイル: work.php プロジェクト: ilosada/chamilo-lms-icpna
 $form->addElement('checkbox', 'type1', null, get_lang('EnableExpiryDate'), array('id' => 'make_calification_id', 'onclick' => "javascript: if(this.checked){document.getElementById('option2').style.display='block';}else{document.getElementById('option2').style.display='none';}"));
 $form->addElement('html', '<div id="option2" style="display: none;">');
 $form->addElement('advanced_settings', draw_date_picker('expires'));
 $form->addElement('html', '</div>');
 $form->addElement('checkbox', 'type2', null, get_lang('EnableEndDate'), array('id' => 'make_calification_id', 'onclick' => "javascript: if(this.checked){document.getElementById('option3').style.display='block';}else{document.getElementById('option3').style.display='none';}"));
 $form->addElement('html', '<div id="option3" style="display: none;">');
 $form->addElement('advanced_settings', draw_date_picker('ends'));
 $form->addElement('html', '</div>');
 $form->addElement('checkbox', 'add_to_calendar', null, get_lang('AddToCalendar'));
 $form->addElement('checkbox', 'allow_text_assignment', null, get_lang('AllowTextAssignments'));
 $form->addElement('html', '</div>');
 $form->addElement('style_submit_button', 'submit', get_lang('CreateDirectory'));
 if ($form->validate()) {
     $directory = Security::remove_XSS($_POST['new_dir']);
     $directory = replace_dangerous_char($directory);
     $directory = disable_dangerous_file($directory);
     $dir_name = $curdirpath . $directory;
     $created_dir = create_unexisting_work_directory($base_work_dir, $dir_name);
     // we insert here the directory in the table $work_table
     $dir_name_sql = '';
     if (!empty($created_dir)) {
         if ($curdirpath == '/') {
             $dir_name_sql = $created_dir;
         } else {
             $dir_name_sql = '/' . $created_dir;
         }
         $time = time();
         $today = api_get_utc_datetime($time);
         $sql_add_publication = "INSERT INTO " . $work_table . " SET\n                                            c_id\t\t\t\t= {$course_id},\n                                            url         \t\t= '" . Database::escape_string($dir_name_sql) . "',\n                                            title               = '" . Database::escape_string($_POST['new_dir']) . "',\n                                            description \t\t= '" . Database::escape_string($_POST['description']) . "',\n                                            author      \t\t= '',\n                                            active              = '1',\n                                            accepted\t\t\t= '1',\n                                            filetype            = 'folder',\n                                            post_group_id       = '" . $group_id . "',\n                                            sent_date           = '" . $today . "',\n                                            qualification       = '" . ($_POST['qualification_value'] != '' ? Database::escape_string($_POST['qualification_value']) : '') . "',\n                                            parent_id           = '',\n                                            qualificator_id     = '',\n                                            date_of_qualification\t= '0000-00-00 00:00:00',\n                                            weight              = '" . Database::escape_string($_POST['weight']) . "',\n                                            session_id          = '" . intval($id_session) . "',\n                                            allow_text_assignment = '" . Database::escape_string($_POST['allow_text_assignment']) . "',\n                                            contains_file       = 0,\n                                            user_id \t\t\t= '" . $user_id . "'";
         Database::query($sql_add_publication);
         // add the directory
コード例 #4
0
/**
 * Check if a document width the chosen filename already exists
 */
function document_exists($filename)
{
    global $dir;
    $cleanName = api_replace_dangerous_char($filename);
    // No "dangerous" files
    $cleanName = disable_dangerous_file($cleanName);
    return !DocumentManager::documentExists($dir . $cleanName . '.html', api_get_course_info(), api_get_session_id(), api_get_group_id());
}
コード例 #5
0
ファイル: profile.php プロジェクト: jloguercio/chamilo-lms
/**
 * Upload a submitted user production.
 *
 * @param    $user_id    User id
 * @return    The filename of the new production or FALSE if the upload has failed
 */
function upload_user_production($user_id)
{
    $production_repository = UserManager::getUserPathById($user_id, 'system');
    if (!file_exists($production_repository)) {
        @mkdir($production_repository, api_get_permissions_for_new_directories(), true);
    }
    $filename = api_replace_dangerous_char($_FILES['production']['name']);
    $filename = disable_dangerous_file($filename);
    if (filter_extension($filename)) {
        if (@move_uploaded_file($_FILES['production']['tmp_name'], $production_repository . $filename)) {
            return $filename;
        }
    }
    return false;
    // this should be returned if anything went wrong with the upload
}
コード例 #6
0
/**
 * Check if a document width the chosen filename already exists
 */
function document_exists($filename)
{
    global $dir;
    // Clean up the name, only ASCII characters should stay. (and strict)
    $cleanName = replace_dangerous_char($filename, 'strict');
    // No "dangerous" files
    $cleanName = disable_dangerous_file($cleanName);
    return !DocumentManager::documentExists($dir . $cleanName . '.html', api_get_course_info(), api_get_session_id(), api_get_group_id());
    /*$filename = addslashes(trim($filename));
    	$filename = Security::remove_XSS($filename);
    	$filename = replace_dangerous_char($filename);
    	$filename = disable_dangerous_file($filename);
    	return !file_exists($filepath.$filename.'.html');*/
}
コード例 #7
0
/**
	This function changes the name of a certain file.
	It needs no global variables, it takes all info from parameters.
	It returns nothing.
    @todo check if this function is used
*/
function change_name($base_work_dir, $source_file, $rename_to, $dir, $doc)
{
    $file_name_for_change = $base_work_dir . $dir . $source_file;
    //api_display_debug_info("call my_rename: params $file_name_for_change, $rename_to");
    $rename_to = disable_dangerous_file($rename_to);
    // Avoid renaming to .htaccess file
    $rename_to = my_rename($file_name_for_change, stripslashes($rename_to));
    // fileManage API
    if ($rename_to) {
        if (isset($dir) && $dir != '') {
            $source_file = $dir . $source_file;
            $new_full_file_name = dirname($source_file) . '/' . $rename_to;
        } else {
            $source_file = '/' . $source_file;
            $new_full_file_name = '/' . $rename_to;
        }
        update_db_info('update', $source_file, $new_full_file_name);
        // fileManage API
        $name_changed = get_lang('ElRen');
        $info_message = get_lang('fileModified');
        $GLOBALS['file_name'] = $rename_to;
        $GLOBALS['doc'] = $rename_to;
        return $info_message;
    } else {
        $dialogBox = get_lang('FileExists');
        // TODO: This variable is not used.
        /* Return to step 1 */
        $rename = $source_file;
        unset($source_file);
    }
}
コード例 #8
0
/**
	This function changes the name of a certain file.
	It needs no global variables, it takes all info from parameters.
	It returns nothing.
    @todo check if this function is used
*/
function change_name($base_work_dir, $source_file, $rename_to, $dir, $doc)
{
    $file_name_for_change = $base_work_dir . $dir . $source_file;
    $rename_to = disable_dangerous_file($rename_to);
    // Avoid renaming to .htaccess file
    $rename_to = my_rename($file_name_for_change, stripslashes($rename_to));
    // fileManage API
    if ($rename_to) {
        if (isset($dir) && $dir != '') {
            $source_file = $dir . $source_file;
            $new_full_file_name = dirname($source_file) . '/' . $rename_to;
        } else {
            $source_file = '/' . $source_file;
            $new_full_file_name = '/' . $rename_to;
        }
        update_db_info('update', $source_file, $new_full_file_name);
        // fileManage API
        Display::addFlash(Display::return_message(get_lang('fileModified')));
        return true;
    } else {
        Display::addFlash(Display::return_message(get_lang('FileExists')));
    }
}
コード例 #9
0
 }
 // Uploading the audio files.
 foreach ($_FILES as $key => $value) {
     if (substr($key, 0, 7) == 'mp3file' and !empty($_FILES[$key]['tmp_name'])) {
         // The id of the learning path item.
         $lp_item_id = str_ireplace('mp3file', '', $key);
         // Create the audio folder if it does not exist yet.
         DocumentManager::createDefaultAudioFolder($_course);
         // Check if file already exits into document/audio/
         $file_name = $_FILES[$key]['name'];
         $file_name = stripslashes($file_name);
         // Add extension to files without one (if possible).
         $file_name = add_ext_on_mime($file_name, $_FILES[$key]['type']);
         $clean_name = api_replace_dangerous_char($file_name);
         // No "dangerous" files.
         $clean_name = disable_dangerous_file($clean_name);
         $check_file_path = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document/audio/' . $clean_name;
         // If the file exists we generate a new name.
         if (file_exists($check_file_path)) {
             $filename_components = explode('.', $clean_name);
             // Gettting the extension of the file.
             $file_extension = $filename_components[count($filename_components) - 1];
             // Adding something random to prevent overwriting.
             $filename_components[count($filename_components) - 1] = time();
             // Reconstructing the new filename.
             $clean_name = implode($filename_components) . '.' . $file_extension;
             // Using the new name in the $_FILES superglobal.
             $_FILES[$key]['name'] = $clean_name;
         }
         // Upload the file in the documents tool.
         $file_path = handle_uploaded_document($_course, $_FILES[$key], api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document', '/audio', api_get_user_id(), '', '', '', '', false);
コード例 #10
0
ファイル: work.lib.php プロジェクト: ragebat/chamilo-lms
/**
 * Update the url of a dir in the student_publication table
 * @param	string old path
 * @param	string new path
 */
function update_dir_name($work_data, $new_name, $title)
{
    $course_id = api_get_course_int_id();
    $work_id = intval($work_data['id']);
    $path = $work_data['url'];
    if ($work_data['title'] == $title) {
        return true;
    }
    $title = Database::escape_string($title);
    if (!empty($new_name)) {
        global $base_work_dir;
        $new_name = Security::remove_XSS($new_name);
        $new_name = replace_dangerous_char($new_name);
        $new_name = disable_dangerous_file($new_name);
        my_rename($base_work_dir . '/' . $path, $new_name);
        $table = Database::get_course_table(TABLE_STUDENT_PUBLICATION);
        //update all the files in the other directories according with the next query
        $sql = "SELECT id, url FROM {$table} WHERE c_id = {$course_id} AND parent_id = {$work_id}";
        // like binary (Case Sensitive)
        $rs = Database::query($sql);
        $work_len = strlen('work/' . $path);
        while ($work = Database::fetch_array($rs)) {
            $new_dir = $work['url'];
            $name_with_directory = substr($new_dir, $work_len, strlen($new_dir));
            $name = Database::escape_string('work/' . $new_name . '/' . $name_with_directory);
            $sql = 'UPDATE ' . $table . ' SET url= "' . $name . '" WHERE c_id = ' . $course_id . ' AND id= ' . $work['id'];
            Database::query($sql);
        }
        $sql = "UPDATE {$table} SET url= '/" . $new_name . "' , title = '" . $title . "' WHERE c_id = {$course_id} AND id = {$work_id}";
        Database::query($sql);
    }
}
コード例 #11
0
 /**
  * Create a new document //still needs some finetuning
  * @param array $_course
  * @return string
  */
 public function create_document($_course)
 {
     $course_id = api_get_course_int_id();
     global $charset;
     $dir = isset($_GET['dir']) ? $_GET['dir'] : $_POST['dir'];
     // Please, do not modify this dirname formatting.
     if (strstr($dir, '..')) {
         $dir = '/';
     }
     if ($dir[0] == '.') {
         $dir = substr($dir, 1);
     }
     if ($dir[0] != '/') {
         $dir = '/' . $dir;
     }
     if ($dir[strlen($dir) - 1] != '/') {
         $dir .= '/';
     }
     $filepath = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document' . $dir;
     if (empty($_POST['dir']) && empty($_GET['dir'])) {
         //Generates folder
         $result = $this->generate_lp_folder($_course);
         $dir = $result['dir'];
         $filepath = $result['filepath'];
     }
     if (!is_dir($filepath)) {
         $filepath = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document/';
         $dir = '/';
     }
     // stripslashes() before calling api_replace_dangerous_char() because $_POST['title']
     // is already escaped twice when it gets here.
     $title = api_replace_dangerous_char(stripslashes($_POST['title']));
     $title = disable_dangerous_file($title);
     $filename = $title;
     $content = $_POST['content_lp'];
     $tmp_filename = $filename;
     $i = 0;
     while (file_exists($filepath . $tmp_filename . '.html')) {
         $tmp_filename = $filename . '_' . ++$i;
     }
     $filename = $tmp_filename . '.html';
     $content = stripslashes($content);
     $content = str_replace(api_get_path(WEB_COURSE_PATH), api_get_path(REL_PATH) . 'courses/', $content);
     // Change the path of mp3 to absolute.
     // The first regexp deals with :// urls.
     $content = preg_replace("|(flashvars=\"file=)([^:/]+)/|", "\$1" . api_get_path(REL_COURSE_PATH) . $_course['path'] . '/document/', $content);
     // The second regexp deals with audio/ urls.
     $content = preg_replace("|(flashvars=\"file=)([^/]+)/|", "\$1" . api_get_path(REL_COURSE_PATH) . $_course['path'] . '/document/$2/', $content);
     // For flv player: To prevent edition problem with firefox, we have to use a strange tip (don't blame me please).
     $content = str_replace('</body>', '<style type="text/css">body{}</style></body>', $content);
     if (!file_exists($filepath . $filename)) {
         if ($fp = @fopen($filepath . $filename, 'w')) {
             fputs($fp, $content);
             fclose($fp);
             $file_size = filesize($filepath . $filename);
             $save_file_path = $dir . $filename;
             $document_id = add_document($_course, $save_file_path, 'file', $file_size, $tmp_filename);
             if ($document_id) {
                 api_item_property_update($_course, TOOL_DOCUMENT, $document_id, 'DocumentAdded', api_get_user_id(), null, null, null, null, api_get_session_id());
                 $new_comment = isset($_POST['comment']) ? trim($_POST['comment']) : '';
                 $new_title = isset($_POST['title']) ? trim($_POST['title']) : '';
                 if ($new_comment || $new_title) {
                     $tbl_doc = Database::get_course_table(TABLE_DOCUMENT);
                     $ct = '';
                     if ($new_comment) {
                         $ct .= ", comment='" . Database::escape_string($new_comment) . "'";
                     }
                     if ($new_title) {
                         $ct .= ", title='" . Database::escape_string(htmlspecialchars($new_title, ENT_QUOTES, $charset)) . "' ";
                     }
                     $sql_update = "UPDATE " . $tbl_doc . " SET " . substr($ct, 1) . " WHERE c_id = " . $course_id . " AND id = " . $document_id;
                     Database::query($sql_update);
                 }
             }
             return $document_id;
         }
     }
 }
コード例 #12
0
 /**
  * move the uploaded file to a specific location
  *
  * @param string $dest  the path to the directory which the uploaded file will be moved to
  * @param string $fileBaseName the base name which the uploaded file will be renamed to
  * @param unknown_type $overwrite
  * @return unknown
  */
 function moveUploadedFile($dest, $fileBaseName = '', $overwrite = false)
 {
     //ensure the directory path ending with /
     if ($dest != '' && substr($dest, -1) != '/') {
         $dest .= '/';
     }
     $this->dirPath = $dest;
     $fileName = basename($this->_value['name']);
     $dotIndex = strrpos($fileName, '.');
     $this->fileExtension = '';
     if (is_int($dotIndex)) {
         $this->fileExtension = substr($fileName, $dotIndex);
         $this->fileBaseName = substr($fileName, 0, $dotIndex);
     }
     if (!empty($fileBaseName)) {
         $this->fileBaseName = $fileBaseName;
     }
     $this->fileBaseName = disable_dangerous_file(replace_dangerous_char(str_replace(' ', '_', $this->fileBaseName), 'strict'));
     // Juan Carlos Raña replace space by _ because fix long names. See: ajaxfilemanager/inc/class.manager.php. And add cleaning from Chamilo replace_dangerous_char() and disable_dangerous_file()
     $fileName = $this->fileBaseName . $this->fileExtension;
     $filePath = $dest . $fileName;
     if (!$overwrite && file_exists($filePath) && is_file($filePath)) {
         //rename
         $counter = 0;
         while (file_exists($dest . $fileName) && is_file($dest . $fileName)) {
             $counter++;
             $fileName = $this->fileBaseName . '_' . $counter . $this->fileExtension;
         }
         $this->fileBaseName .= "_" . $counter;
     }
     if (@move_uploaded_file($this->_value['tmp_name'], $dest . $fileName)) {
         @chmod($dest . $fileName, $this->uploadFileMode);
         $this->fileName = $fileName;
         $this->filePath = $dest . $fileName;
         return true;
     } else {
         return false;
     }
 }
コード例 #13
0
    $webcamdir = $params['webcamdir'];
    $webcamuserid = $params['webcamuserid'];
} else {
    api_not_allowed();
    die;
}
if ($webcamuserid != api_get_user_id() || api_get_user_id() == 0 || $webcamuserid == 0) {
    api_not_allowed();
    die;
}
//clean
$webcamname = Security::remove_XSS($webcamname);
$webcamname = Database::escape_string($webcamname);
$webcamname = addslashes(trim($webcamname));
$webcamname = api_replace_dangerous_char($webcamname);
$webcamname = disable_dangerous_file($webcamname);
$webcamdir = Security::remove_XSS($webcamdir);
//security extension
$ext = explode('.', $webcamname);
$ext = strtolower($ext[sizeof($ext) - 1]);
if ($ext != 'jpg') {
    die;
}
//Do not use here check Fileinfo method because return: text/plain                //CHECK THIS BEFORE COMMIT
$dirBaseDocuments = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document';
$saveDir = $dirBaseDocuments . $webcamdir;
$current_session_id = api_get_session_id();
$groupId = api_get_group_id();
//Avoid duplicates
$webcamname_to_save = $webcamname;
$title_to_save = str_replace('_', ' ', $webcamname);
コード例 #14
0
ファイル: work.lib.php プロジェクト: omaoibrahim/chamilo-lms
/**
 * Creates a new task (directory) in the assignment tool
 * @param array $params
 * @param int $user_id
 * @param array $courseInfo
 * @param int $group_id
 * @param int $session_id
 * @return bool|int
 * @note $params can have the following elements, but should at least have the 2 first ones: (
 *       'new_dir' => 'some-name',
 *       'description' => 'some-desc',
 *       'qualification' => 20 (e.g. 20),
 *       'weight' => 50 (percentage) to add to gradebook (e.g. 50),
 *       'allow_text_assignment' => 0/1/2,
 * @todo Rename createAssignment or createWork, or something like that
 */
function addDir($formValues, $user_id, $courseInfo, $group_id, $session_id)
{
    $work_table = Database::get_course_table(TABLE_STUDENT_PUBLICATION);
    $user_id = intval($user_id);
    $group_id = intval($group_id);
    $session_id = intval($session_id);
    $base_work_dir = api_get_path(SYS_COURSE_PATH) . $courseInfo['path'] . '/work';
    $course_id = $courseInfo['real_id'];
    $directory = api_replace_dangerous_char($formValues['new_dir']);
    $directory = disable_dangerous_file($directory);
    $created_dir = create_unexisting_work_directory($base_work_dir, $directory);
    if (!empty($created_dir)) {
        $dirName = '/' . $created_dir;
        $today = api_get_utc_datetime();
        $params = ['c_id' => $course_id, 'url' => $dirName, 'title' => $formValues['new_dir'], 'description' => $formValues['description'], 'author' => '', 'active' => '1', 'accepted' => '1', 'filetype' => 'folder', 'post_group_id' => $group_id, 'sent_date' => $today, 'qualification' => $formValues['qualification'] != '' ? $formValues['qualification'] : '', 'parent_id' => '', 'qualificator_id' => '', 'weight' => $formValues['weight'], 'session_id' => $session_id, 'allow_text_assignment' => $formValues['allow_text_assignment'], 'contains_file' => 0, 'user_id' => $user_id];
        $id = Database::insert($work_table, $params);
        if ($id) {
            $sql = "UPDATE {$work_table} SET id = iid WHERE iid = {$id}";
            Database::query($sql);
            // Folder created
            api_item_property_update($courseInfo, 'work', $id, 'DirectoryCreated', $user_id, $group_id);
            updatePublicationAssignment($id, $formValues, $courseInfo, $group_id);
            if (api_get_course_setting('email_alert_students_on_new_homework') == 1) {
                send_email_on_homework_creation($course_id, $session_id, $id);
            }
            return $id;
        }
    }
    return false;
}
コード例 #15
0
ファイル: security.lib.php プロジェクト: KRCM13/chamilo-lms
 /**
  * Filters dangerous filenames (*.php[.]?* and .htaccess) and returns it in
  * a non-executable form (for PHP and htaccess, this is still vulnerable to
  * other languages' files extensions)
  * @param   string  Unfiltered filename
  * @param   string  Filtered filename
  * @return string
  */
 public static function filter_filename($filename)
 {
     return disable_dangerous_file($filename);
 }
コード例 #16
0
ファイル: work.lib.php プロジェクト: annickvdp/Chamilo1.9.10
/**
 * Creates a new task (directory) in the assignment tool
 * @param array $params
 * @param int $user_id
 * @param array $courseInfo
 * @param int $group_id
 * @param int $session_id
 * @return bool|int
 * @note $params can have the following elements, but should at least have the 2 first ones: (
 *       'new_dir' => 'some-name',
 *       'description' => 'some-desc',
 *       'qualification' => 20 (e.g. 20),
 *       'weight' => 50 (percentage) to add to gradebook (e.g. 50),
 *       'allow_text_assignment' => 0/1/2,
 * @todo Rename createAssignment or createWork, or something like that
 */
function addDir($params, $user_id, $courseInfo, $group_id, $session_id)
{
    $work_table = Database :: get_course_table(TABLE_STUDENT_PUBLICATION);

    $user_id = intval($user_id);
    $group_id = intval($group_id);
    $session_id = intval($session_id);

    $base_work_dir = api_get_path(SYS_COURSE_PATH).$courseInfo['path'].'/work';
    $course_id = $courseInfo['real_id'];

    $directory = replace_dangerous_char($params['new_dir']);
    $directory = disable_dangerous_file($directory);
    $created_dir = create_unexisting_work_directory($base_work_dir, $directory);

    if (!empty($created_dir)) {
        $dirName = '/'.$created_dir;
        $today = api_get_utc_datetime();
        $sql = "INSERT INTO " . $work_table . " SET
                c_id                = $course_id,
                url                 = '".Database::escape_string($dirName)."',
                title               = '".Database::escape_string($params['new_dir'])."',
                description         = '".Database::escape_string($params['description'])."',
                author              = '',
                active              = '1',
                accepted            = '1',
                filetype            = 'folder',
                post_group_id       = '".$group_id."',
                sent_date           = '".$today."',
                qualification       = '".(($params['qualification'] != '') ? Database::escape_string($params['qualification']) : '') ."',
                parent_id           = '',
                qualificator_id     = '',
                date_of_qualification   = '0000-00-00 00:00:00',
                weight              = '".Database::escape_string($params['weight'])."',
                session_id          = '".$session_id."',
                allow_text_assignment = '".Database::escape_string($params['allow_text_assignment'])."',
                contains_file       = 0,
                user_id             = '".$user_id."'";

        Database::query($sql);

        // Add the directory
        $id = Database::insert_id();

        if ($id) {
            // Folder created
            api_item_property_update(
                $courseInfo,
                'work',
                $id,
                'DirectoryCreated',
                $user_id,
                $group_id
            );
            updatePublicationAssignment($id, $params, $courseInfo, $group_id);

            if (api_get_course_setting('email_alert_students_on_new_homework') == 1) {
                send_email_on_homework_creation(api_get_course_id());
            }
            return $id;
        }
    }
    return false;
}
コード例 #17
0
    $wamiuserid = $params['wamiuserid'];
} else {
    api_not_allowed();
    die();
}

if ($wamiuserid != api_get_user_id() || api_get_user_id() == 0 || $wamiuserid == 0) {
    api_not_allowed();
    die();
}

// Clean
$waminame = Security::remove_XSS($waminame);
$waminame = Database::escape_string($waminame);
$waminame = replace_dangerous_char($waminame, 'strict');
$waminame = disable_dangerous_file($waminame);
$wamidir  = Security::remove_XSS($wamidir);
$content = file_get_contents('php://input');

if (empty($content)) {
    exit;
}

$ext = explode('.', $waminame);
$ext = strtolower($ext[sizeof($ext) - 1]);

if ($ext != 'wav') {
    die();
}

// Do not use here check Fileinfo method because return: text/plain
コード例 #18
0
ファイル: fileUpload.lib.php プロジェクト: daffef/chamilo-lms
/**
 * This function cleans up a given path
 * by eliminating dangerous file names and cleaning them
 *
 * @param string $path
 * @return $path
 * @see disable_dangerous_file()
 * @see api_replace_dangerous_char()
 */
function clean_up_path(&$path)
{
    // Split the path in folders and files
    $path_array = explode('/', $path);
    // Clean up every foler and filename in the path
    foreach ($path_array as $key => &$val) {
        // We don't want to lose the dots in ././folder/file (cfr. zipfile)
        if ($val != '.') {
            $val = disable_dangerous_file(api_replace_dangerous_char($val));
        }
    }
    // Join the "cleaned" path (modified in-place as passed by reference)
    $path = implode('/', $path_array);
    $res = filter_extension($path);
    return $res;
}
コード例 #19
0
ファイル: learnpath.class.php プロジェクト: Eidn/shanghai
 /**
  * Create a new document //still needs some finetuning
  *
  * @param array $_course
  * @return string
  */
 function create_document($_course)
 {
     global $charset;
     $dir = isset($_GET['dir']) ? $_GET['dir'] : $_POST['dir'];
     // please do not modify this dirname formatting
     if (strstr($dir, '..')) {
         $dir = '/';
     }
     if ($dir[0] == '.') {
         $dir = substr($dir, 1);
     }
     if ($dir[0] != '/') {
         $dir = '/' . $dir;
     }
     if ($dir[strlen($dir) - 1] != '/') {
         $dir .= '/';
     }
     $filepath = api_get_path('SYS_COURSE_PATH') . $_course['path'] . '/document' . $dir;
     if (!is_dir($filepath)) {
         $filepath = api_get_path('SYS_COURSE_PATH') . $_course['path'] . '/document/';
         $dir = '/';
     }
     //stripslashes before calling replace_dangerous_char() because $_POST['title']
     //is already escaped twice when it gets here
     $tmp_title = stripslashes($_POST['title']);
     $title = replace_dangerous_char(stripslashes($_POST['title']));
     $title = disable_dangerous_file($title);
     $filename = $title;
     $content = $_POST['content_lp'];
     $tmp_filename = $filename;
     $i = 0;
     while (file_exists($filepath . $tmp_filename . '.html')) {
         $tmp_filename = $filename . '_' . ++$i;
     }
     $filename = $tmp_filename . '.html';
     $content = stripslashes(text_filter($content));
     $content = str_replace(api_get_path('WEB_COURSE_PATH'), api_get_path(REL_PATH) . 'courses/', $content);
     // change the path of mp3 to absolute
     // first regexp deals with ../../../ urls
     $content = preg_replace("|(flashvars=\"file=)(\\.+/)+|", "\$1" . api_get_path(REL_COURSE_PATH) . $_course['path'] . '/document/', $content);
     //second regexp deals with audio/ urls
     $content = preg_replace("|(flashvars=\"file=)([^/]+)/|", "\$1" . api_get_path(REL_COURSE_PATH) . $_course['path'] . '/document/$2/', $content);
     // for flv player : to prevent edition problem with firefox, we have to use a strange tip (don't blame me please)
     $content = str_replace('</body>', '<style type="text/css">body{}</style></body>', $content);
     if (!file_exists($filepath . $filename)) {
         if ($fp = @fopen($filepath . $filename, 'w')) {
             fputs($fp, $content);
             fclose($fp);
             $file_size = filesize($filepath . $filename);
             $save_file_path = $dir . $filename;
             $document_id = add_document($_course, $save_file_path, 'file', $file_size, $tmp_title . '.html');
             if ($document_id) {
                 api_item_property_update($_course, TOOL_DOCUMENT, $document_id, 'DocumentAdded', api_get_user_id(), null, null, null, null, api_get_session_id());
                 //update parent folders
                 //item_property_update_on_folder($_course, $_GET['dir'], $_user['user_id']);
                 $new_comment = isset($_POST['comment']) ? trim($_POST['comment']) : '';
                 $new_title = isset($_POST['title']) ? trim($_POST['title']) : '';
                 if ($new_comment || $new_title) {
                     $tbl_doc = Database::get_course_table(TABLE_DOCUMENT);
                     $ct = '';
                     if ($new_comment) {
                         $ct .= ", comment='" . $new_comment . "'";
                     }
                     if ($new_title) {
                         $ct .= ", title='" . Database::escape_string(htmlspecialchars($new_title, ENT_QUOTES, $charset)) . ".html\t'";
                     }
                     $sql_update = "\n\t\t\t\t\t\t\t\t\t\t\t\t\tUPDATE " . $tbl_doc . "\n\t\t\t\t\t\t\t\t\t\t\t\t\tSET " . substr($ct, 1) . "\n\t\t\t\t\t\t\t\t\t\t\t\t\tWHERE id = " . $document_id;
                     Database::query($sql_update, __FILE__, __LINE__);
                 }
             }
             return $document_id;
         }
     }
 }
コード例 #20
0
 /**
  * Filters dangerous filenames (*.php[.]?* and .htaccess) and returns it in
  * a non-executable form (for PHP and htaccess, this is still vulnerable to
  * other languages' files extensions)
  * @param   string  Unfiltered filename
  * @param   string  Filtered filename
  * @return string
  */
 public static function filter_filename($filename)
 {
     require_once api_get_path(LIBRARY_PATH).'fileUpload.lib.php';
     return disable_dangerous_file($filename);
 }