Security: Plugin: OnlyOffice: Add filtering to new filenames created through the plugin

Author: ywarnier

plugin/onlyoffice/lib/onlyofficeDocumentManager.php

@@ -189,8 +189,11 @@ public static function createFile(
 
         $fileTitle = Security::remove_XSS($basename).'.'.$fileExt;
 
-        $fileNamePrefix = ChamiloDocumentManager::getDocumentSuffix($courseInfo, $sessionId, $groupId);
-        $fileName = preg_replace('/\.\./', '', $basename).$fileNamePrefix.'.'.$fileExt;
+        $fileNameSuffix = ChamiloDocumentManager::getDocumentSuffix($courseInfo, $sessionId, $groupId);
+        // Try to avoid directories browsing (remove .., slashes and backslashes)
+        $patterns = ['#\.\./#', '#\.\.#', '#/#', '#\\\#'];
+        $replacements = ['', '', '', ''];
+        $fileName = preg_replace($patterns, $replacements, $basename).$fileNameSuffix.'.'.$fileExt;
 
         if (empty($templatePath)) {
             $templatePath = TemplateManager::getEmptyTemplate($fileExt);