Making custom scripts path generic so it is not forced to be in the

dataroot directory which is writable by the web server. Path cleaned to avoid relative directory links.

Making custom scripts path generic so it is not forced to be in the
dataroot directory which is writable by the web server. Path cleaned to avoid relative directory links.
9677eb79 · ikawhero · 7b5aa1b7 · 9677eb79 · 9677eb79
Commit 9677eb79 authored Feb 23, 2006 by ikawhero
--- a/config-dist.php
+++ b/config-dist.php
@@ -214,7 +214,7 @@ $CFG->admin = 'admin';
 //      $CFG->filtermatchoneperpage = true;
 //
 // Enabling this will allow custom scripts to replace existing moodle scripts.
-// For example: if $CFG->dataroot/customscripts/course/view.php exists then
+// For example: if $CFG->customscripts/course/view.php exists then
 // it will be used instead of $CFG->wwwroot/course/view.php
 // At present this will only work for files that include config.php and are called
 // as part of the url (index.php is implied).
@@ -226,7 +226,8 @@ $CFG->admin = 'admin';
 // Warning: Replacing standard moodle scripts may pose security risks and/or may not
 // be compatible with upgrades. Use this option only if you are aware of the risks
 // involved. 
-//      $CFG->customscripts = true;
+// Specify the full directory path to the custom scripts
+//      $CFG->customscripts = '/home/example/customscripts';
 //
 // Performance profiling 
 // 

--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -6935,8 +6935,11 @@ function custom_script_path($urlpath='') {
        if (!$urlpath) return false;
    }

-    // Strip wwwroot out
-    $scriptpath = str_replace($CFG->wwwroot, $CFG->dataroot.'/customscripts', $urlpath);
+    /// Strip wwwroot out
+    $scriptpath = str_replace($CFG->wwwroot, $CFG->customscripts, $urlpath);
+
+    /// Clean the path
+    $scriptpath = clean_param($scriptpath, PARAM_PATH);

    /// Strip the query string out
    $parts = parse_url($scriptpath);