MDL-75237 qformat_blackboard_six: sanitise blackboard import file paths

mpetrowi · Aug 12, 2022 · 2f70b32 · 2f70b32
1 parent 5ed64ce
commit 2f70b32
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/question/format/blackboard_six/format.php b/question/format/blackboard_six/format.php
@@ -65,7 +65,7 @@ class qformat_blackboard_six extends qformat_blackboard_six_base {
      * @return mixed contents array or false on failure
      */
     public function get_filecontent($path) {
-        $fullpath = $this->tempdir . '/' . $path;
+        $fullpath = $this->tempdir . '/' . clean_param($path, PARAM_PATH);
         if (is_file($fullpath) && is_readable($fullpath)) {
             return file_get_contents($fullpath);
         }
@@ -152,7 +152,7 @@ public function readdata($filename) {
                     }
                     if ($examfile->getAttribute('type') == 'assessment/x-bb-pool') {
                         if ($examfile->getAttribute('baseurl')) {
-                            $fileobj->filebase = $this->tempdir. '/' . $examfile->getAttribute('baseurl');
+                            $fileobj->filebase = $this->tempdir. '/' . clean_param($examfile->getAttribute('baseurl'), PARAM_PATH);
                         }
                         if ($content = $this->get_filecontent($examfile->getAttribute('file'))) {
                             $fileobj->filetype = self::FILETYPE_POOL;