/lib/ -> configonlylib.php (source)

   1  <?php
   2  
   3  // This file is part of Moodle - http://moodle.org/
   4  //
   5  // Moodle is free software: you can redistribute it and/or modify
   6  // it under the terms of the GNU General Public License as published by
   7  // the Free Software Foundation, either version 3 of the License, or
   8  // (at your option) any later version.
   9  //
  10  // Moodle is distributed in the hope that it will be useful,
  11  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13  // GNU General Public License for more details.
  14  //
  15  // You should have received a copy of the GNU General Public License
  16  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  17  
  18  /**
  19   * Minimalistic library, usable even when no other moodle libs are loaded.
  20   *
  21   * The only library that gets loaded if you define ABORT_AFTER_CONFIG
  22   * before including main config.php. You can resume normal script operation
  23   * if you define ABORT_AFTER_CONFIG_CANCEL and require the setup.php
  24   *
  25   * @package   core
  26   * @copyright 2009 Petr Skoda (skodak)
  27   * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  28   */
  29  
  30  /**
  31   * Minimalistic parameter validation function.
  32   * Can not use optional param because moodlelib.php is not loaded yet
  33   * @param string $name
  34   * @param mixed $default
  35   * @param string $type
  36   * @return mixed
  37   */
  38  function min_optional_param($name, $default, $type) {
  39      if (isset($_GET[$name])) {
  40          $value = $_GET[$name];
  41  
  42      } else if (isset($_GET['amp;'.$name])) {
  43          // very, very, very ugly hack, unfortunately $OUTPUT->pix_url() is not used properly in javascript code :-(
  44          $value = $_GET['amp;'.$name];
  45  
  46      } else if (isset($_POST[$name])) {
  47          $value = $_POST[$name];
  48  
  49      } else {
  50          return $default;
  51      }
  52  
  53      return min_clean_param($value, $type);
  54  }
  55  
  56  /**
  57   * Minimalistic parameter cleaning function.
  58   *
  59   * Note: Can not use optional param because moodlelib.php is not loaded yet.
  60   *
  61   * @param string $value
  62   * @param string $type
  63   * @return mixed
  64   */
  65  function min_clean_param($value, $type) {
  66      switch($type) {
  67          case 'RAW':      $value = min_fix_utf8((string)$value);
  68                           break;
  69          case 'INT':      $value = (int)$value;
  70                           break;
  71          case 'SAFEDIR':  $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value);
  72                           break;
  73          case 'SAFEPATH': $value = preg_replace('/[^a-zA-Z0-9\/\._-]/', '', $value);
  74                           $value = preg_replace('/\.+/', '.', $value);
  75                           $value = preg_replace('#/+#', '/', $value);
  76                           break;
  77          default:         die("Coding error: incorrect parameter type specified ($type).");
  78      }
  79  
  80      return $value;
  81  }
  82  
  83  /**
  84   * Minimalistic UTF-8 sanitisation.
  85   *
  86   * Note: This duplicates fix_utf8() intentionally for now.
  87   *
  88   * @param string $value
  89   * @return string
  90   */
  91  function min_fix_utf8($value) {
  92      // Lower error reporting because glibc throws bogus notices.
  93      $olderror = error_reporting();
  94      if ($olderror & E_NOTICE) {
  95          error_reporting($olderror ^ E_NOTICE);
  96      }
  97  
  98      // No null bytes expected in our data, so let's remove it.
  99      $value = str_replace("\0", '', $value);
 100  
 101      static $buggyiconv = null;
 102      if ($buggyiconv === null) {
 103          $buggyiconv = (!function_exists('iconv') or iconv('UTF-8', 'UTF-8//IGNORE', '100'.chr(130).'€') !== '100€');
 104      }
 105  
 106      if ($buggyiconv) {
 107          if (function_exists('mb_convert_encoding')) {
 108              $subst = mb_substitute_character();
 109              mb_substitute_character('');
 110              $result = mb_convert_encoding($value, 'utf-8', 'utf-8');
 111              mb_substitute_character($subst);
 112  
 113          } else {
 114              // Warn admins on admin/index.php page.
 115              $result = $value;
 116          }
 117  
 118      } else {
 119          $result = iconv('UTF-8', 'UTF-8//IGNORE', $value);
 120      }
 121  
 122      if ($olderror & E_NOTICE) {
 123          error_reporting($olderror);
 124      }
 125  
 126      return $result;
 127  }
 128  
 129  /**
 130   * This method tries to enable output compression if possible.
 131   * This function must be called before any output or headers.
 132   *
 133   * (IE6 is not supported at all.)
 134   *
 135   * @return boolean, true if compression enabled
 136   */
 137  function min_enable_zlib_compression() {
 138  
 139      if (headers_sent()) {
 140          return false;
 141      }
 142  
 143      // zlib.output_compression is preferred over ob_gzhandler()
 144      if (!empty($_SERVER['HTTP_USER_AGENT']) and strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE 6') !== false) {
 145          ini_set('zlib.output_compression', 'Off');
 146          if (function_exists('apache_setenv')) {
 147              apache_setenv('no-gzip', 1);
 148          }
 149          return false;
 150      }
 151  
 152      ini_set('output_handler', '');
 153  
 154      /*
 155       * docs clearly say 'on' means enable and number means size of buffer,
 156       * but unfortunately some PHP version break when we set 'on' here.
 157       * 1 probably sets chunk size to 4096. our CSS and JS scripts are much bigger,
 158       * so let's try some bigger sizes.
 159       */
 160      ini_set('zlib.output_compression', 65536);
 161  
 162      return true;
 163  }
 164  
 165  /**
 166   * Returns the slashargument part of the URL.
 167   *
 168   * Note: ".php" is NOT allowed in slasharguments,
 169   *       it is intended for ASCII characters only.
 170   *
 171   * @param boolean $clean - Should we do cleaning on this path argument. If you set this
 172   *                         to false you MUST be very careful and do the cleaning manually.
 173   * @return string
 174   */
 175  function min_get_slash_argument($clean = true) {
 176      // Note: This code has to work in the same cases as normal get_file_argument(),
 177      //       but at the same time it may be simpler because we do not have to deal
 178      //       with encodings and other tricky stuff.
 179  
 180      $relativepath = '';
 181  
 182      if (!empty($_GET['file']) and strpos($_GET['file'], '/') === 0) {
 183          // Server is using url rewriting, most probably IIS.
 184          // Always clean the result of this function as it may be used in unsafe calls to send_file.
 185          $relativepath = $_GET['file'];
 186          if ($clean) {
 187              $relativepath = min_clean_param($relativepath, 'SAFEPATH');
 188          }
 189  
 190          return $relativepath;
 191  
 192      } else if (stripos($_SERVER['SERVER_SOFTWARE'], 'iis') !== false) {
 193          if (isset($_SERVER['PATH_INFO']) and $_SERVER['PATH_INFO'] !== '') {
 194              $relativepath = urldecode($_SERVER['PATH_INFO']);
 195          }
 196  
 197      } else {
 198          if (isset($_SERVER['PATH_INFO'])) {
 199              $relativepath = $_SERVER['PATH_INFO'];
 200          }
 201      }
 202  
 203      $matches = null;
 204      if (preg_match('|^.+\.php(.*)$|i', $relativepath, $matches)) {
 205          $relativepath = $matches[1];
 206      }
 207  
 208      // Always clean the result of this function as it may be used in unsafe calls to send_file.
 209      if ($clean) {
 210          $relativepath = min_clean_param($relativepath, 'SAFEPATH');
 211      }
 212      return $relativepath;
 213  }

