Search moodle.org's
Developer Documentation

See Release Notes

  • Bug fixes for general core bugs in 3.11.x will end 14 Nov 2022 (12 months plus 6 months extension).
  • Bug fixes for security issues in 3.11.x will end 13 Nov 2023 (18 months plus 12 months extension).
  • PHP version: minimum PHP 7.3.0 Note: minimum PHP version has increased since Moodle 3.10. PHP 7.4.x is supported too.
   1  <?php
   2  // This file is part of Moodle - http://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  /**
  18   * Special setting for auth_shibboleth convert_data.
  19   *
  20   * @package    auth_shibboleth
  21   * @copyright  2020 Mihail Geshoski
  22   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  23   */
  24  
  25  /**
  26   * Admin settings class for the convert_data option.
  27   *
  28   * @package    auth_shibboleth
  29   * @copyright  2020 Mihail Geshoski
  30   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  31   */
  32  class auth_shibboleth_admin_setting_convert_data extends admin_setting_configfile {
  33  
  34      /**
  35       * Constructor.
  36       *
  37       * @param string $name
  38       * @param string $visiblename
  39       * @param string $description
  40       * @param mixed $defaultdirectory
  41       */
  42      public function __construct($name, $visiblename, $description, $defaultdirectory) {
  43          parent::__construct($name, $visiblename, $description, $defaultdirectory);
  44      }
  45  
  46      /**
  47       * Validate the file path (location).
  48       *
  49       * This method ensures that the file defined as a data modification API exists and is not located in the site
  50       * data directory ($CFG->dataroot). We should prohibit using files from the site data directory as this introduces
  51       * security vulnerabilities.
  52       *
  53       * @param string $filepath The path to the file.
  54       * @return mixed bool true for success or string:error on failure.
  55       */
  56      public function validate($filepath) {
  57          global $CFG;
  58  
  59          if (empty($filepath)) {
  60              return true;
  61          }
  62  
  63          // Fail if the file does not exist or it is not readable by the webserver process.
  64          if (!is_readable($filepath)) {
  65              return get_string('auth_shib_convert_data_warning', 'auth_shibboleth');
  66          }
  67  
  68          // Fail if the absolute file path matches the currently defined dataroot path.
  69          if (preg_match('/' . preg_quote($CFG->dataroot, '/') . '/', realpath($filepath))) {
  70              return get_string('auth_shib_convert_data_filepath_warning', 'auth_shibboleth');
  71          }
  72  
  73          return true;
  74      }
  75  }