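/**
 * Resolve a "@file:<name>" reference to the contents of that file under PDATADIR.
 *
 * Any other value is returned unchanged, and so is a reference that fails the
 * filename policy or cannot be read: the caller never sees an error, only the
 * original value ("soft" dereference).
 *
 * Filename policy (path-traversal defense): the part after "@file:" must be
 * non-empty, consist only of [a-zA-Z0-9/_.-], and must not contain "..".
 * Because ".." is rejected the joined path cannot climb out of PDATADIR; a
 * leading "/" is accepted and merely doubles the separator. Symlinks are not
 * resolved here — if PDATADIR may contain symlinks pointing outside it,
 * compare realpath() of the joined path against PDATADIR before trusting it.
 *
 * If $GLOBALS['pb_translation'] holds a non-empty translation (installed by
 * pyRecallHandler), the file contents are passed through translateOf().
 *
 * @param mixed $orig value to dereference; only strings are inspected
 * @return mixed file contents (string) on success, otherwise $orig unchanged
 */
function softSafeDereference($orig) {
    // Only strings can carry the "@file:" prefix; everything else passes through.
    if (!is_string($orig) || substr($orig, 0, 6) !== '@file:') {
        return $orig;
    }
    $name = substr($orig, 6);

    // Reject traversal outright, then whitelist the remaining characters.
    // The whitelist excludes whitespace, so no trim() is needed afterwards.
    if (strpos($name, '..') !== false) {
        return $orig;
    }
    if (preg_match('@^[a-zA-Z0-9/_.-]+$@', $name) !== 1) {
        return $orig;
    }

    $fn = PDATADIR . $name;
    // is_file() rejects directories and missing paths without emitting a
    // warning, so the read below no longer needs "@" suppression.
    if (!is_file($fn) || !is_readable($fn)) {
        return $orig;
    }
    $contents = file_get_contents($fn);
    if ($contents === false) {
        return $orig;
    }

    // Apply the active translation, if any. An empty string counts as "none",
    // which is what the previous loose "!= NULL" test did for strings.
    $translation = getSoft($GLOBALS, 'pb_translation', null);
    if ($translation !== null && $translation !== '') {
        $contents = translateOf($contents, $translation);
    }
    return $contents;
}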
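/**
 * [pyRecall slug="..."] shortcode handler: re-render a stored problem.
 *
 * Looks up the 'en' row of {prefix}pb_problems by slug, merges the stored
 * shortcodeArgs JSON with the shortcode's own attributes (attributes win), and
 * dispatches to the handler for the problem's type. The optional 'translate'
 * attribute is applied to the stored args with translateOf() and published in
 * $GLOBALS['pb_translation'] while the handlers run (softSafeDereference reads
 * it); the previous value is restored afterwards, even if a handler throws.
 *
 * Errors are reported as the returned string ("[pyRecall error: ...]") rather
 * than thrown, so the shortcode always renders something.
 *
 * @param array|string $options shortcode attributes; WordPress passes "" when
 *                              the shortcode has no attributes
 * @param string|null  $content enclosed shortcode content; when blank or NULL
 *                              the problem's stored content is used instead
 * @return mixed whatever the type handler returns, or an error string
 */
function pyRecallHandler($options, $content) {
    // WordPress hands over "" (not []) for attribute-less shortcodes.
    if (!is_array($options) || !array_key_exists('slug', $options)) {
        return "[pyRecall error: no slug given]";
    }
    $slug = $options['slug'];

    global $wpdb;
    // Parameterised through $wpdb->prepare(); the table name is built from the
    // configured prefix, not from input.
    $problem = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM " . $wpdb->prefix . "pb_problems WHERE slug = %s AND lang = %s",
            $slug,
            'en'
        ),
        ARRAY_A
    );
    if (empty($problem)) {
        // The attribute is echoed into page HTML, so escape it.
        return "[pyRecall error: slug " . htmlspecialchars((string) $slug, ENT_QUOTES, 'UTF-8') . " not found]";
    }

    // Self-closing shortcodes deliver NULL content; treat it like blank.
    if ($content === null || trim($content) === '') {
        $content = $problem['content'];
    }

    // Stored args may be missing or malformed JSON; start from no args rather
    // than iterating over NULL.
    $mergedOptions = json_decode($problem['shortcodeArgs'], true);
    if (!is_array($mergedOptions)) {
        $mergedOptions = [];
    }

    // "code" and "scramble" share the same handler.
    $handlers = [
        'code'                 => 'pyBoxHandler',
        'scramble'             => 'pyBoxHandler',
        'short answer'         => 'pyShortHandler',
        'multiple choice'      => 'pyMultiHandler',
        'multichoice scramble' => 'pyMultiScrambleHandler',
    ];

    $previousTranslation = isset($GLOBALS['pb_translation']) ? $GLOBALS['pb_translation'] : null;
    try {
        if (array_key_exists('translate', $options)) {
            // Installed before translating the args, as the original did, in
            // case translateOf() or a handler consults the global.
            $GLOBALS['pb_translation'] = $options['translate'];
            foreach ($mergedOptions as $key => $value) {
                $mergedOptions[$key] = translateOf($value, $options['translate']);
            }
        }

        // Shortcode attributes override the stored ones.
        foreach ($options as $key => $value) {
            $mergedOptions[$key] = $value;
        }

        $type = $problem['type'];
        if (!isset($handlers[$type])) {
            return "[pyRecall error: unknown type " . htmlspecialchars((string) $type, ENT_QUOTES, 'UTF-8') . "]";
        }
        $handler = $handlers[$type];
        return $handler($mergedOptions, $content);
    } finally {
        // Never leave a translation active for later shortcodes on the page.
        $GLOBALS['pb_translation'] = $previousTranslation;
    }
}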