本文整理汇总了PHP中Security::check_abs_path方法的典型用法代码示例。如果您正苦于以下问题:PHP Security::check_abs_path方法的具体用法?PHP Security::check_abs_path怎么用?PHP Security::check_abs_path使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类Security
的用法示例。
示例1: classicAction
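/**
 * Runs a legacy script from the main/ directory inside the Symfony request
 * cycle and wraps its output in the legacy layout.
 *
 * @param string  $name    Script path relative to main/, taken from the route
 * @param Request $request
 * @return Response
 * @throws NotFoundHttpException when the script does not exist or does not
 *                               resolve below main/
 */
public function classicAction($name, Request $request)
{
    // The legacy scripts read the superglobals directly, so they are rebuilt
    // from the Request object before the script is included.
    $_GET = $request->query->all();
    $_POST = $request->request->all();
    $rootDir = $this->get('kernel')->getRealRootDir();
    //$_REQUEST = $request->request->all();
    $mainPath = $rootDir . 'main/';
    $fileToLoad = $mainPath . $name;
    // Setting legacy values inside the container
    /** @var Connection $dbConnection */
    $dbConnection = $this->container->get('database_connection');
    $em = $this->get('kernel')->getContainer()->get('doctrine.orm.entity_manager');
    $database = new \Database($dbConnection, array());
    $database->setConnection($dbConnection);
    $database->setManager($em);
    Container::$container = $this->container;
    Container::$dataDir = $this->container->get('kernel')->getDataDir();
    // NOTE(review): courseDir is set to the same value as dataDir — confirm
    // that this is intended and not a copy/paste slip.
    Container::$courseDir = $this->container->get('kernel')->getDataDir();
    //Container::$configDir = $this->container->get('kernel')->getConfigDir();
    $this->container->get('twig')->addGlobal('api_get_cidreq', api_get_cidreq());
    //$breadcrumb = $this->container->get('chamilo_core.block.breadcrumb');
    // $name is route input: besides existing, the resolved file must stay
    // below main/. check_abs_path() is what prevents directory traversal here.
    if (!is_file($fileToLoad) || !\Security::check_abs_path($fileToLoad, $mainPath)) {
        throw new NotFoundHttpException();
    }
    // Files inside /main expect these variables to exist in the including scope.
    $is_allowed_in_course = api_is_allowed_in_course();
    $is_courseAdmin = api_is_course_admin();
    $is_platformAdmin = api_is_platform_admin();
    $toolNameFromFile = basename(dirname($fileToLoad));
    $charset = 'UTF-8';
    // Default values
    $_course = api_get_course_info();
    $_user = api_get_user_info();
    $debug = $this->container->get('kernel')->getEnvironment() === 'dev';
    // Loading file: its output is captured and handed to the layout below.
    ob_start();
    require_once $fileToLoad;
    $out = ob_get_clean();
    // $htmlHeadXtra and $interbreadcrumb may have been set by the included script.
    $js = isset($htmlHeadXtra) ? $htmlHeadXtra : array();
    $interbreadcrumb = isset($interbreadcrumb) ? $interbreadcrumb : null;
    $template = Container::$legacyTemplate;
    $defaultLayout = !empty($template) ? $template : 'layout_one_col.html.twig';
    $response = $this->render(
        'ChamiloCoreBundle::' . $defaultLayout,
        array('legacy_breadcrumb' => $interbreadcrumb, 'content' => $out, 'js' => $js)
    );
    // No browser cache when executing an exercise. The header used to be
    // collected in a local array that was never attached to the response.
    if ($name === 'exercice/exercise_submit.php') {
        $response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate');
    }
    return $response;
}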
示例2: api_get_path
$archive_path = api_get_path(SYS_ARCHIVE_PATH);
}
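// The archive name comes from the query string. The replacement below strips
// the obvious traversal characters, but the authoritative check is the
// check_abs_path() call further down.
$archive_file = isset($_GET['archive']) ? $_GET['archive'] : '';
$archive_file = str_replace(array('..', '/', '\\'), '', $archive_file);
list($extension) = getextension($archive_file);
if (empty($extension) || !file_exists($archive_path . $archive_file)) {
    exit;
}
$extension = strtolower($extension);
// XML/CSV exports: platform admins and DRH only.
// ZIP exports: additionally course admins, and only inside a course ($_cid).
$content_type = '';
if (in_array($extension, array('xml', 'csv'), true) && (api_is_platform_admin(true) || api_is_drh())) {
    $content_type = 'application/force-download';
} elseif ($extension === 'zip' && $_cid && (api_is_platform_admin(true) || $is_courseAdmin)) {
    $content_type = 'application/force-download';
}
if (empty($content_type)) {
    api_not_allowed(true);
}
if (Security::check_abs_path($archive_path . $archive_file, $archive_path)) {
    header('Expires: Wed, 01 Jan 1990 00:00:00 GMT');
    header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
    header('Cache-Control: public');
    header('Pragma: no-cache');
    header('Content-Type: ' . $content_type);
    header('Content-Length: ' . filesize($archive_path . $archive_file));
    // Quote the file name so a space or ';' in it cannot break the header;
    // double quotes are dropped since they cannot appear inside the quoted value.
    header('Content-Disposition: attachment; filename="' . str_replace('"', '', $archive_file) . '"');
    readfile($archive_path . $archive_file);
    exit;
} else {
    api_not_allowed(true);
}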
示例3: api_is_allowed_to_edit
1 => Allow learners to delete their own publications = YES
+------------------+------------------------------+----------------------------+
|Can download work?| doc visible for all = 0 | doc visible for all = 1|
+------------------+------------------------------+----------------------------+
| visibility = 0 | editor only | editor only |
| | | |
+------------------+------------------------------+----------------------------+
| visibility = 1 | editor | editor |
| | + owner of the work | + any student |
+------------------+------------------------------+----------------------------+
(editor = teacher + admin + anybody with right api_is_allowed_to_edit)
*/
// Access matrix (see the comment above): editors always, the author of the
// work always, anybody else only when scores are public and the work is
// both visible and accepted.
$work_is_visible = ($item_info['visibility'] == 1) && ($row['accepted'] == 1);
$doc_visible_for_all = ($course_info['show_score'] == 1);
$is_editor = api_is_allowed_to_edit(true, true, true);
$student_is_owner_of_work = user_is_author($row['id'], $row['user_id']);
$may_download = $is_editor
    || $student_is_owner_of_work
    || ($doc_visible_for_all && $work_is_visible);
if (!$may_download) {
    api_not_allowed();
} else {
    $title = str_replace(' ', '_', $row['title']);
    event_download($title);
    // The file is only sent when it resolves below this course's directory.
    $courseDir = api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/';
    if (Security::check_abs_path($full_file_name, $courseDir)) {
        DocumentManager::file_send_for_download($full_file_name, true, $title);
    }
}
}
} else {
api_not_allowed();
}
exit;
示例4: downloadAllDeletedDocument
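/**
 * Sends a ZIP archive of the course's deleted documents to the browser.
 *
 * @param array $courseInfo Course info array; only 'path' is read here
 * @param int $sessionId
 *
 * @return bool false when there are no deleted documents or the archive
 *              could not be served; on success the file is sent and the
 *              script exits
 */
public static function downloadAllDeletedDocument($courseInfo, $sessionId)
{
    // Zip library for creation of the zip file. require_once so that a second
    // call in the same request does not redeclare PclZip.
    require_once api_get_path(LIBRARY_PATH) . 'pclzip/pclzip.lib.php';
    $files = self::getDeletedDocuments($courseInfo, $sessionId);
    if (empty($files)) {
        return false;
    }
    $coursePath = api_get_path(SYS_COURSE_PATH) . $courseInfo['path'] . '/document';
    $archivePath = api_get_path(SYS_ARCHIVE_PATH);
    // Creating a ZIP file.
    $tempZipFile = $archivePath . api_get_unique_id() . ".zip";
    $zip = new PclZip($tempZipFile);
    foreach ($files as $file) {
        // NOTE(review): $file['path'] is taken from the database as-is; it is
        // not checked against $coursePath before being added — confirm that
        // getDeletedDocuments() only returns paths below the document dir.
        $zip->add($coursePath . $file['path'], PCLZIP_OPT_REMOVE_PATH, $coursePath);
    }
    // Only serve the archive if it really lives in the archive directory.
    if (Security::check_abs_path($tempZipFile, $archivePath)) {
        DocumentManager::file_send_for_download($tempZipFile, true);
        if (is_file($tempZipFile)) {
            unlink($tempZipFile);
        }
        exit;
    }
    return false;
}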
示例5: error_log
// Refuse anything that is not registered as a document of this course.
if (!DocumentManager::get_document_id($_course, $_REQUEST['file'])) {
    if ($debug > 0) {
        error_log("404 " . $_REQUEST["file"]);
    }
    header("HTTP/1.0 404 Not Found");
    $error404 = implode('', array(
        '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">',
        '<html><head>',
        '<title>404 Not Found</title>',
        '</head><body>',
        '<h1>Not Found</h1>',
        '<p>The requested URL was not found on this server.</p>',
        '<hr>',
        '</body></html>',
    ));
    echo $error404;
    exit;
}
// This strips one level of "../" only; the check_abs_path() call below is
// the guard that actually keeps the file inside the course directory.
$doc_url = str_replace('../', '', $_REQUEST['file']);
if ($debug > 0) {
    error_log($doc_url);
}
$full_file_name = $coursePath . $doc_url;
if (Security::check_abs_path($full_file_name, $coursePath . '/')) {
    DocumentManager::file_send_for_download($full_file_name, false);
}
exit;
}
}
}
}
示例6: api_not_allowed
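// The learning path object is restored from the session; without it there
// is nothing to serve.
if (isset($_SESSION['oLP'])) {
    $obj = $_SESSION['oLP'];
} else {
    api_not_allowed();
}
//If is visible for the current user
if (!learnpath::is_lp_visible_for_student($obj->get_id(), api_get_user_id())) {
    api_not_allowed();
}
$doc_url = isset($_GET['doc_url']) ? $_GET['doc_url'] : '';
// Change the '&' that got rewritten to '///' by mod_rewrite back to '&'
$doc_url = str_replace('///', '&', $doc_url);
// Still a space present? it must be a '+' (that got replaced by mod_rewrite)
$doc_url = str_replace(' ', '+', $doc_url);
$doc_url = str_replace(array('../', '\\..', '\\0', '..\\'), array('', '', '', ''), $doc_url);
// The single-pass replacement above can leave a parent reference behind, so
// anything that still contains one is rejected. strpos() returns 0 for a match
// at the very start of the string, which the former "or strpos()" test treated
// as "not found"; compare against false explicitly.
if (strpos($doc_url, '../') !== false || strpos($doc_url, '/..') !== false) {
    $doc_url = '';
}
$sys_course_path = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/scorm';
if (is_dir($sys_course_path . $doc_url)) {
    api_not_allowed();
}
// check_abs_path() is the final guard: the resolved file must be below the
// course's scorm directory regardless of what the filters above did.
if (Security::check_abs_path($sys_course_path . $doc_url, $sys_course_path . '/')) {
    $full_file_name = $sys_course_path . $doc_url;
    // Launch event
    Event::event_download($doc_url);
    DocumentManager::file_send_for_download($full_file_name);
}
exit;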
示例7: installProfileSettings
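/**
 * Update settings based on installation profile defined in a JSON file
 * @param string $installationProfile The name of the JSON file in main/install/profiles/ folder
 * @return bool false on failure (no bad consequences anyway, just ignoring profile)
 */
function installProfileSettings($installationProfile = '')
{
    if (empty($installationProfile)) {
        return false;
    }
    $profilesDir = api_get_path(SYS_PATH) . 'main/install/profiles/';
    $jsonPath = $profilesDir . $installationProfile . '.json';
    // Make sure the path to the profile is not hacked
    if (!Security::check_abs_path($jsonPath, $profilesDir)) {
        return false;
    }
    if (!is_file($jsonPath) || !is_readable($jsonPath)) {
        return false;
    }
    if (!function_exists('json_decode')) {
        // The php-json extension is not available. Ignore profile.
        return false;
    }
    $json = file_get_contents($jsonPath);
    if ($json === false) {
        return false;
    }
    $params = json_decode($json);
    // A profile that is not an object or has no "params" member is malformed.
    if (!is_object($params) || !isset($params->params)) {
        return false;
    }
    $settings = $params->params;
    // The parent profile is applied first so this profile's values override it.
    if (!empty($params->parent)) {
        installProfileSettings($params->parent);
    }
    foreach ($settings as $param) {
        // The values come from a file on disk, but they are still escaped
        // instead of being interpolated raw into the statement.
        $sql = "UPDATE settings_current\n SET selected_value = '" . Database::escape_string($param->selected_value) . "'\n WHERE variable = '" . Database::escape_string($param->variable) . "'";
        if (!empty($param->subkey)) {
            $sql .= " AND subkey='" . Database::escape_string($param->subkey) . "'";
        }
        Database::query($sql);
    }
    return true;
}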
示例8: while
// the number of /.. into the url
// Collapse trailing "/.." segments: count them, then strip that many parent
// directories from what remains.
while (substr($cwd, -3, 3) == '/..') {
    $cwd = substr($cwd, 0, -3);
    if (strlen($cwd) == 0) {
        $cwd = '/';
    }
    $nParent++;
}
while ($nParent > 0) {
    $lastSlash = strrpos($cwd, '/');
    // strrpos() yields false when there is no slash; $cwd is left as it is then.
    if ($lastSlash !== false) {
        $cwd = substr($cwd, 0, $lastSlash);
    }
    $nParent--;
}
if (strlen($cwd) == 0) {
    $cwd = '/';
}
// NOTE(review): this stops when the working directory resolves inside the
// system root, presumably to refuse escapes from the document tree into the
// installation itself — confirm against check_abs_path()'s semantics.
if (Security::check_abs_path($cwd, api_get_path(SYS_PATH))) {
    die;
}
if ($action == 'list') {
/*==== List files ====*/
if ($debug > 0) {
error_log("sending file list", 0);
}
// get files list
$files = DocumentManager::get_all_document_data($_course, $cwd, 0, NULL, false);
// adding download link to files
foreach ($files as $k => $f) {
if ($f['filetype'] == 'file') {
//$files[$k]['download'] = api_get_path(WEB_CODE_PATH)."/document/document.php?cidReq=$cidReq&action=download&id=".urlencode($f['path']);
$files[$k]['download'] = api_get_path(WEB_COURSE_PATH) . $cidReq . "/document" . $f['path'];
}
示例9: getJavascript
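/**
 * Serves a file from main/inc/lib/javascript/.
 *
 * @param Application $app
 * @param string $file Path relative to the javascript directory (route input)
 * @return BinaryFileResponse
 */
public function getJavascript(Application $app, $file)
{
    $mainPath = $app['paths']['sys_root'] . 'main/inc/lib/javascript/';
    $fileToLoad = $mainPath . $file;
    // $file is user controlled: the file must exist and resolve below $mainPath.
    if (is_file($fileToLoad) && \Security::check_abs_path($fileToLoad, $mainPath)) {
        return $app->sendFile($fileToLoad);
    }
    // Formerly fell through returning null, which is not a valid controller
    // result; answer with a 404 instead.
    $app->abort(404);
}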
示例10: del_dir
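/**
 * Marks a work-tool directory (and its children) as deleted in the database
 * and removes or renames it on disk.
 * @param int $id Id of the work folder (row of the student publication table)
 * @return bool|null false when no work matches $id; null otherwise
 */
function del_dir($id)
{
    global $_course;
    $id = intval($id);
    $work_data = get_work_data_by_id($id);
    if (empty($work_data)) {
        return false;
    }
    $base_work_dir = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/work';
    $work_data_url = $base_work_dir . $work_data['url'];
    // The stored url is only acted on if it resolves inside this course's work dir.
    $check = Security::check_abs_path($work_data_url . '/', $base_work_dir . '/');
    $table = Database::get_course_table(TABLE_STUDENT_PUBLICATION);
    $course_id = api_get_course_int_id();
    if (empty($work_data['url'])) {
        return null;
    }
    //Deleting all contents inside the folder
    //@todo replace to parent_id
    $sql = "UPDATE {$table} SET active = 2 WHERE c_id = {$course_id} AND filetype = 'folder' AND id = {$id}";
    Database::query($sql);
    $sql = "UPDATE {$table} SET active = 2 WHERE c_id = {$course_id} AND parent_id = {$id}";
    Database::query($sql);
    if (!$check) {
        // Rows are flagged but nothing is touched on disk for a path outside the work dir.
        return null;
    }
    require_once api_get_path(LIBRARY_PATH) . 'fileManage.lib.php';
    if (api_get_setting('permanently_remove_deleted_files') == 'true') {
        my_delete($work_data_url);
    } elseif (file_exists($work_data_url)) {
        // Soft delete: keep the content under a suffixed name.
        rename($work_data_url, $work_data_url . '_DELETED_' . $id);
    }
    return null;
}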
示例11: WriteFileCont
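/**
 * Writes the file contents into the given file path.
 * @param string $full_file_path Urlencoded absolute path of the target file
 * @param string $content The file contents
 * @return boolean True on success, false on security error or write failure
 */
function WriteFileCont($full_file_path, $content)
{
    global $_course;
    // Decode first: every check below must look at the path that is actually
    // opened; checking the encoded form and opening the decoded one let the
    // two disagree.
    $path = urldecode($full_file_path);
    $courseDir = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/';
    // Check if this is not an attack, trying to get into other directories or something like that.
    if (!Security::check_abs_path(dirname($path) . '/', $courseDir)) {
        return false;
    }
    // Check if this is not an attack, trying to upload a php file or something like that.
    if (basename($path) !== Security::filter_filename(basename($path))) {
        return false;
    }
    // A failed open used to go unreported and then crash on fwrite().
    if (file_put_contents($path, $content) === false) {
        return false;
    }
    return true;
}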
示例12: substr
$doc_url = substr($doc_url, 0, $dul);
}
//create the path
$document_explorer = api_get_path(WEB_COURSE_PATH) . api_get_course_path();
//redirect
header('Location: ' . $document_explorer);
}
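$tbl_forum_attachment = Database::get_course_table(TABLE_FORUM_ATTACHMENT);
$tbl_forum_post = Database::get_course_table(TABLE_FORUM_POST);
$course_id = api_get_course_int_id();
$courseInfo = api_get_course_info_by_id($course_id);
// launch event
Event::event_download($doc_url);
// $doc_url is built earlier in this script and is not visibly escaped, so it
// is escaped here before going into the LIKE pattern.
$escapedDocUrl = Database::escape_string($doc_url);
$sql = 'SELECT thread_id, forum_id,filename
    FROM ' . $tbl_forum_post . ' f
    INNER JOIN ' . $tbl_forum_attachment . ' a
    ON a.post_id=f.post_id
    WHERE
        f.c_id = ' . $course_id . ' AND
        a.c_id = ' . $course_id . ' AND
        path LIKE BINARY "' . $escapedDocUrl . '"';
$result = Database::query($sql);
$row = Database::fetch_array($result);
if (empty($row)) {
    // No attachment matches: nothing to send.
    exit;
}
$forum_thread_visibility = api_get_item_visibility($courseInfo, TOOL_FORUM_THREAD, $row['thread_id'], api_get_session_id());
$forum_forum_visibility = api_get_item_visibility($courseInfo, TOOL_FORUM, $row['forum_id'], api_get_session_id());
// Both the thread and the forum must be visible before the attachment is served,
// and the file must resolve below the course's forum upload directory.
if ($forum_thread_visibility == 1 && $forum_forum_visibility == 1) {
    $forumUploadDir = api_get_path(SYS_COURSE_PATH) . $courseInfo['path'] . '/upload/forum/';
    if (Security::check_abs_path($full_file_name, $forumUploadDir)) {
        DocumentManager::file_send_for_download($full_file_name, true, $row['filename']);
    }
}
exit;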
示例13: Skill
// Load the skill being edited; $skillId is set before this point.
$objSkill = new Skill();
$skill = $objSkill->get($skillId);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$params = array('name' => $_POST['name'], 'description' => $_POST['description'], 'criteria' => $_POST['criteria'], 'id' => $skillId);
if (isset($_FILES['image']) && $_FILES['image']['error'] == 0) {
$dirPermissions = api_get_permissions_for_new_directories();
$fileName = sha1($_POST['name']);
$badgePath = api_get_path(SYS_UPLOAD_PATH) . 'badges/';
$existsBadgesDirectory = is_dir($badgePath);
if (!$existsBadgesDirectory) {
$existsBadgesDirectory = api_create_protected_dir('badges', api_get_path(SYS_UPLOAD_PATH));
}
if ($existsBadgesDirectory) {
if (!empty($skill['icon'])) {
$iconFileAbsolutePath = $badgePath . $skill['icon'];
if (Security::check_abs_path($iconFileAbsolutePath, $badgePath)) {
unlink($badgePath . $skill['icon']);
}
}
$skillImagePath = sprintf("%s%s.png", $badgePath, $fileName);
$skillImage = new Image($_FILES['image']['tmp_name']);
$skillImage->send_image($skillImagePath, -1, 'png');
$skillThumbPath = sprintf("%s%s-small.png", $badgePath, $fileName);
$skillImageThumb = new Image($skillImagePath);
$skillImageThumb->resize(ICON_SIZE_BIG, ICON_SIZE_BIG);
$skillImageThumb->send_image($skillThumbPath);
$params['icon'] = sprintf("%s.png", $fileName);
} else {
Session::write('errorMessage', get_lang('UplUnableToSaveFile'));
}
}
示例14: api_protect_course_script
* but this code will hopefully be replaced soon by an Apache URL
* rewrite mechanism.
*
* @package chamilo.work
*/
//require_once '../inc/global.inc.php';
require_once 'work.lib.php';
// Course protection
api_protect_course_script(true);
$commentId = isset($_GET['comment_id']) ? intval($_GET['comment_id']) : null;
if (empty($commentId)) {
    api_not_allowed(true);
}
$workData = getWorkComment($commentId);
$courseInfo = api_get_course_info();
if (empty($workData)) {
    api_not_allowed(true);
} else {
    // A comment without an attachment, or with a dangling path, cannot be served.
    if (empty($workData['file_path']) || !file_exists($workData['file_path'])) {
        api_not_allowed(true);
    }
    $work = get_work_data_by_id($workData['work_id']);
    protectWork($courseInfo, $work['parent_id']);
    // The author may always fetch the file; others only when the work is
    // active, accepted and scores are not hidden.
    $mayDownload = user_is_author($workData['work_id'])
        || ($courseInfo['show_score'] == 0 && $work['active'] == 1 && $work['accepted'] == 1);
    if (!$mayDownload) {
        api_not_allowed(true);
    } else {
        $courseDir = api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/';
        // The stored path is only sent when it resolves below the course directory.
        if (Security::check_abs_path($workData['file_path'], $courseDir)) {
            DocumentManager::file_send_for_download($workData['file_path'], true, $workData['file_name_to_show']);
        }
    }
}
示例15: api_get_course_id
// the session* didn't work, try it from the course (out of a
// session context)
$document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), false, 0);
}
// Check whether the document is in the database
if (empty($document_data)) {
    api_not_allowed();
}
// Launch event
Event::event_download($document_data['url']);
// Editors and group members with upload rights always pass; everybody else
// must be allowed to see the document in this session.
$hasEditRights = $is_allowed_to_edit || $group_member_with_upload_rights;
if (!$hasEditRights && !DocumentManager::is_visible_by_id($document_id, $courseInfo, $sessionId, api_get_user_id())) {
    api_not_allowed(true);
}
$full_file_name = $base_work_dir . $document_data['path'];
// The stored path is not trusted on its own: the file is only sent when it
// resolves below the course document directory.
if (Security::check_abs_path($full_file_name, $base_work_dir . '/')) {
    DocumentManager::file_send_for_download($full_file_name, true);
}
exit;
break;
case 'downloadfolder':
if (api_get_setting('students_download_folders') == 'true' || api_is_allowed_to_edit() || api_is_platform_admin()) {
// Get the document data from the ID
$document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), false, $sessionId);
if ($sessionId != 0 && !$document_data) {
// If there is a session defined and asking for the
// document * from the session* didn't work, try it from the
// course (out of a session context)
$document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), false, 0);
}
//filter when I am into shared folder, I can download only my shared folder