From 89145593ef2e077529a6f7ee7cde712db637e1ab Mon Sep 17 00:00:00 2001
From: Stephen Abello
Date: Wed, 19 Jul 2023 09:25:48 +0200
Subject: [PATCH 1/2] =?UTF-8?q?N=C2=B06552=20-=20Security=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 application/dashboard.class.inc.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/application/dashboard.class.inc.php b/application/dashboard.class.inc.php
index b3fb736cf..2d6c7dbd4 100644
--- a/application/dashboard.class.inc.php
+++ b/application/dashboard.class.inc.php
@@ -918,6 +918,11 @@ class RuntimeDashboard extends Dashboard
 	{
 		$bCustomized = false;
 
+		$sDashboardFileSanitized = utils::RealPath($sDashboardFile, APPROOT);
+		if (false === $sDashboardFileSanitized) {
+			throw new SecurityException('Invalid dashboard file !');
+		}
+
 		// Search for an eventual user defined dashboard
 		$oUDSearch = new DBObjectSearch('UserDashboard');
 		$oUDSearch->AddCondition('user_id', UserRights::GetUserId(), '=');
@@ -929,7 +934,7 @@ class RuntimeDashboard extends Dashboard
 			$sDashboardDefinition = $oUserDashboard->Get('contents');
 			$bCustomized = true;
 		} else {
-			$sDashboardDefinition = @file_get_contents($sDashboardFile);
+			$sDashboardDefinition = @file_get_contents($sDashboardFileSanitized);
 		}
 
 
@@ -937,7 +942,7 @@ class RuntimeDashboard extends Dashboard
 			$oDashboard = new RuntimeDashboard($sDashBoardId);
 			$oDashboard->FromXml($sDashboardDefinition);
 			$oDashboard->SetCustomFlag($bCustomized);
-			$oDashboard->SetDefinitionFile($sDashboardFile);
+			$oDashboard->SetDefinitionFile($sDashboardFileSanitized);
 		} else {
 			$oDashboard = null;
 		}

From 2c4cad4dac34b7c1c12da41e6f64b69d0b0a5a89 Mon Sep 17 00:00:00 2001
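Review bot: The new `utils::RealPath` guard treats a dashboard file that merely does not exist the same way as one resolving outside APPROOT, because realpath-style resolution returns false in both cases (assuming utils::RealPath is realpath-based, which the hunk does not show); a missing definition file therefore now surfaces as a SecurityException instead of falling through to the `$oDashboard = null` branch later in this patch. If callers rely on null for a missing file, that change of contract deserves at least a `@throws SecurityException when $sDashboardFile does not resolve to an existing file under APPROOT` entry in the enclosing method's docblock, whose signature is outside the hunk. It is also worth confirming that utils::RealPath canonicalises APPROOT itself before the prefix comparison, since an installation reached through a symlink would otherwise fail the check for every dashboard.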
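Review bot: The rewritten read keeps the `@` in `@file_get_contents($sDashboardFileSanitized)`; now that the path is known to resolve inside APPROOT, a false return is an operational failure (permissions, file removed between resolution and read) rather than a suspicious path, and silencing it discards the only diagnostic before the code drops into the null branch. Consider dropping the suppression, `$sDashboardDefinition = file_get_contents($sDashboardFileSanitized);`, or, if the application's error handler would turn the warning into an exception, keep the `@` but log the false result explicitly. The enclosing method starts and ends outside this hunk.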
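Review bot: `SetDefinitionFile($sDashboardFileSanitized)` now stores the canonical absolute path where the caller-supplied `$sDashboardFile` was stored before, so anything that later reads the stored value (a comparison against the configured file name, or a write back to the definition file, if such code exists) sees a resolved path with symlinks expanded rather than the configured string. That looks deliberate for a hardening change, but the line would benefit from saying so, e.g. `// Keep the validated, resolved path so later uses of the definition file stay inside APPROOT`. The enclosing method ends outside the hunk.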
From: Eric Espie
Date: Wed, 19 Jul 2023 10:37:41 +0200
Subject: [PATCH 2/2] =?UTF-8?q?N=C2=B06436=20-=20Integrate=20Performance?=
 =?UTF-8?q?=20Audit=20pre=20requisite=20in=20iTop=20Pro=202.7.9=20(avoid?=
 =?UTF-8?q?=20unnecessary=20calls)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 core/kpi.class.inc.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/core/kpi.class.inc.php b/core/kpi.class.inc.php
index 57f167d87..592f2b276 100644
--- a/core/kpi.class.inc.php
+++ b/core/kpi.class.inc.php
@@ -339,6 +339,10 @@ class ExecutionKPI
 	{
 		global $fItopStarted;
 
+		if (!self::IsEnabled()) {
+			return;
+		}
+
 		$aNewEntry = null;
 		$fStarted = $this->m_fStarted;
 
@@ -402,6 +406,9 @@ class ExecutionKPI
 
 	public function ComputeStatsForExtension($object, $sMethod)
 	{
+		if (!self::IsEnabled()) {
+			return;
+		}
 		$sSignature = ModuleService::GetInstance()->GetModuleMethodSignature($object, $sMethod);
 		if (utils::StartsWith($sSignature, '[')) {
 			$this->ComputeStats('Extension', $sSignature);
@@ -410,6 +417,10 @@ class ExecutionKPI
 
 	public function ComputeStats($sOperation, $sArguments)
 	{
+		if (!self::IsEnabled()) {
+			return;
+		}
+
 		if (self::$m_bEnabled_Duration) {
 			$fStopped = MyHelpers::getmicrotime();
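Review bot: The guard inserted after `global $fItopStarted;` returns before anything below it runs, so when `self::IsEnabled()` is false this function now does nothing at all, including whatever reporting it previously did unconditionally; that is presumably the intent (the subject says the change avoids unnecessary calls), but nothing in the hunk states it, and `IsEnabled()` itself is not part of the patch, so its existence and semantics are assumed. A one-line comment such as `// Nothing is collected while KPI is disabled, so there is nothing to report` would stop the next reader from treating the early return as a regression. The enclosing function's signature and the rest of its body are outside the hunk.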
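Review bot: In `ComputeStatsForExtension` the guard is what actually saves the `ModuleService::GetInstance()->GetModuleMethodSignature()` call, since `ComputeStats` gets its own guard in the next hunk; that reason is not stated, so a comment above the `if`, e.g. `// Checked here as well: the module signature lookup happens before ComputeStats() could bail out`, would explain why the check is duplicated rather than left to the callee. As a point of style this hunk omits the blank line after the guard that the other two hunks have. The method's closing brace lies outside the hunk.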