. /** * Minimalistic library, usable even when no other moodle libs are loaded. * * The only library that gets loaded if you define ABORT_AFTER_CONFIG * before including main config.php. You can resume normal script operation * if you define ABORT_AFTER_CONFIG_CANCEL and require the setup.php * * @package core * @copyright 2009 Petr Skoda (skodak) * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later */ /** * Minimalistic parameter validation function. * Can not use optional param because moodlelib.php is not loaded yet * @param string $name * @param mixed $default * @param string $type * @return mixed */ function min_optional_param($name, $default, $type) { if (isset($_GET[$name])) { $value = $_GET[$name]; } else if (isset($_GET['amp;'.$name])) { // very, very, very ugly hack, unfortunately $OUTPUT->pix_url() is not used properly in javascript code :-( $value = $_GET['amp;'.$name]; } else if (isset($_POST[$name])) { $value = $_POST[$name]; } else { return $default; } return min_clean_param($value, $type); } /** * Minimalistic parameter cleaning function. * * Note: Can not use optional param because moodlelib.php is not loaded yet. * * @param string $value * @param string $type * @return mixed */ function min_clean_param($value, $type) { switch($type) { case 'RAW': $value = min_fix_utf8((string)$value); break; case 'INT': $value = (int)$value; break; case 'SAFEDIR': $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); break; case 'SAFEPATH': $value = preg_replace('/[^a-zA-Z0-9\/\._-]/', '', $value); $value = preg_replace('/\.+/', '.', $value); $value = preg_replace('#/+#', '/', $value); break; default: die("Coding error: incorrect parameter type specified ($type)."); } return $value; } /** * Minimalistic UTF-8 sanitisation. * * Note: This duplicates fix_utf8() intentionally for now. * * @param string $value * @return string */ function min_fix_utf8($value) { // No null bytes expected in our data, so let's remove it. $value = str_replace("\0", '', $value); static $buggyiconv = null; if ($buggyiconv === null) { set_error_handler(function () { return true; }); $buggyiconv = (!function_exists('iconv') or iconv('UTF-8', 'UTF-8//IGNORE', '100'.chr(130).'€') !== '100€'); restore_error_handler(); } if ($buggyiconv) { if (function_exists('mb_convert_encoding')) { $subst = mb_substitute_character(); mb_substitute_character(''); $result = mb_convert_encoding($value, 'utf-8', 'utf-8'); mb_substitute_character($subst); } else { // Warn admins on admin/index.php page. $result = $value; } } else { $result = @iconv('UTF-8', 'UTF-8//IGNORE', $value); } return $result; } /** * This method tries to enable output compression if possible. * This function must be called before any output or headers. * * (IE6 is not supported at all.) * * @return boolean, true if compression enabled */ function min_enable_zlib_compression() { if (headers_sent()) { return false; } // zlib.output_compression is preferred over ob_gzhandler() if (!empty($_SERVER['HTTP_USER_AGENT']) and strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE 6') !== false) { ini_set('zlib.output_compression', 'Off'); if (function_exists('apache_setenv')) { apache_setenv('no-gzip', 1); } return false; } ini_set('output_handler', ''); /* * docs clearly say 'on' means enable and number means size of buffer, * but unfortunately some PHP version break when we set 'on' here. * 1 probably sets chunk size to 4096. our CSS and JS scripts are much bigger, * so let's try some bigger sizes. */ ini_set('zlib.output_compression', 65536); return true; } /** * Returns the slashargument part of the URL. * * Note: ".php" is NOT allowed in slasharguments, * it is intended for ASCII characters only. * * @param boolean $clean - Should we do cleaning on this path argument. If you set this * to false you MUST be very careful and do the cleaning manually. * @return string */ function min_get_slash_argument($clean = true) { // Note: This code has to work in the same cases as normal get_file_argument(), // but at the same time it may be simpler because we do not have to deal // with encodings and other tricky stuff. $relativepath = ''; if (!empty($_GET['file']) and strpos($_GET['file'], '/') === 0) { // Server is using url rewriting, most probably IIS. // Always clean the result of this function as it may be used in unsafe calls to send_file. $relativepath = $_GET['file']; if ($clean) { $relativepath = min_clean_param($relativepath, 'SAFEPATH'); } return $relativepath; } else if (stripos($_SERVER['SERVER_SOFTWARE'], 'iis') !== false) { if (isset($_SERVER['PATH_INFO']) and $_SERVER['PATH_INFO'] !== '') { $relativepath = urldecode($_SERVER['PATH_INFO']); } } else { if (isset($_SERVER['PATH_INFO'])) { $relativepath = $_SERVER['PATH_INFO']; } } $matches = null; if (preg_match('|^.+\.php(.*)$|i', $relativepath, $matches)) { $relativepath = $matches[1]; } // Always clean the result of this function as it may be used in unsafe calls to send_file. if ($clean) { $relativepath = min_clean_param($relativepath, 'SAFEPATH'); } return $relativepath; }