From 01f81f7f764c3f1bf3c903a78adcb80513ed2230 Mon Sep 17 00:00:00 2001 From: Zone Date: Mon, 17 Feb 2003 19:32:26 +0000 Subject: [PATCH] Add support for inline docs inside a comment block, add @required and @optional detection, fix security problem with passing '..' in files[] --- doc/inlinedocparser.php | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/doc/inlinedocparser.php b/doc/inlinedocparser.php index d5e81e857c..ef4de55c2f 100755 --- a/doc/inlinedocparser.php +++ b/doc/inlinedocparser.php @@ -53,7 +53,7 @@ */ function parseobject($input) { - $types = array('abstract','param','example','syntax','result','description','discussion','author','copyright','package','access'); + $types = array('abstract','param','example','syntax','result','description','discussion','author','copyright','package','access','required','optional'); $new = explode("@",$input); while (list($x,$y) = each($new)) { @@ -100,7 +100,7 @@ */ function parsesimpleobject($input) { - $types = array('abstract','param','example','syntax','result','description','discussion','author','copyright','package','access'); + $types = array('abstract','param','example','syntax','result','description','discussion','author','copyright','package','access','required','optional'); $input = ereg_replace ("@", "@#", $input); $new = explode("@",$input); if (count($new) < 3) @@ -148,6 +148,18 @@ * limiting and selecting what to print * \**************************************************************************/ + /* Prevents passing files[]=../../../secret_file or files[]=/etc/passwd */ + if (is_array($GLOBALS['files'])) + { + while (list($p, $fn) = each ($GLOBALS['files'])) + { + if (ereg('\.\.', $fn) || ereg('^/', $fn)) + { + unset($GLOBALS['files'][$p]); + } + } + } + if (!isset($GLOBALS['HTTP_GET_VARS']['object_type'])) { $GLOBALS['object_type'] = 'function'; 
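Review bot: The tag list in `parseobject` is repeated verbatim in `parsesimpleobject` (the next hunk), so `required` and `optional` had to be added twice and the two copies can drift apart. A single shared definition keeps them in step, for example a small helper returning the array and called as `$types = doc_tag_types();` in both functions (the helper name is only a suggestion). Both function bodies continue outside their hunks.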
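Review bot: The `files[]` filter added in the third hunk is a deny-list that runs only when `$GLOBALS['files']` is an array, so a scalar `files` value skips it, and absolute names that do not begin with `/` (a backslash or drive-letter path, a name carrying a URL scheme) pass both `ereg` tests. An allow-list is the safer check, for example `if (!is_string($fn) || strpos($fn, '..') !== false || !preg_match('#^[A-Za-z0-9_][A-Za-z0-9_./-]*$#', $fn))`, with the character class adjusted to the names the parser must accept. The `each()` loop also leaves the array pointer at the end, so if the code that later reads `files` (outside this hunk) iterates with `each()`, it needs `reset($GLOBALS['files']);` after the loop. How `files` is opened downstream is not visible here, so the impact of each gap should be confirmed against that code.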
@@ -291,6 +303,7 @@ while (list($key,$val) = each($matches)) { preg_match_all("#@(.*)$#sUi",$val[1],$data); + $data[1][0] = ereg_replace ("\n([[:space:]]+)\*", "\n\\1", $data[1][0]); $data[1][0] = ereg_replace ("@", "@#", $data[1][0]); $returndata = parseobject($data[1][0], $fn); if ($startstop[$key] == 'some_lame_string_that_wont_be_used_by_a_function')
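Review bot: The added `ereg_replace` has no comment saying that it strips the leading `*` from continuation lines of a comment block, and its pattern requires at least one whitespace character before the `*`, so a `*` at column 0 is kept. Consider `$data[1][0] = preg_replace('#\n([ \t]*)\*#', "\n\\1", $data[1][0]);`, which also matches the `preg_match_all` call on the line above instead of mixing regex families. A comment such as `/* strip the leading '*' of continuation lines inside a comment block */` above it would help. Note that a documentation line that legitimately begins with `*` is stripped as well. The enclosing `while` loop starts and ends outside the hunk.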