From 343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7 Mon Sep 17 00:00:00 2001
From: Stephen Abello
Date: Fri, 15 Sep 2023 09:55:51 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B06581=20-=20Security=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 application/dashboard.class.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/application/dashboard.class.inc.php b/application/dashboard.class.inc.php
index 2d6c7dbd4..3d2db1eb0 100644
--- a/application/dashboard.class.inc.php
+++ b/application/dashboard.class.inc.php
@@ -918,7 +918,7 @@ class RuntimeDashboard extends Dashboard
 {
 $bCustomized = false;
- $sDashboardFileSanitized = utils::RealPath($sDashboardFile, APPROOT);
+ $sDashboardFileSanitized = utils::RealPath(APPROOT.$sDashboardFile, APPROOT);
 if (false === $sDashboardFileSanitized) {
 throw new SecurityException('Invalid dashboard file !');
 }
@@ -1141,7 +1141,7 @@ JS
 $oToolbar->AddSubBlock($oActionButton);
 $aActions = array();
- $sFile = addslashes($this->sDefinitionFile);
+ $sFile = addslashes(utils::LocalPath($this->sDefinitionFile));
 $sJSExtraParams = json_encode($aExtraParams);
 if ($this->HasCustomDashboard()) {
 $oEdit = new JSPopupMenuItem('UI:Dashboard:Edit', Dict::S('UI:Dashboard:EditCustom'), "return EditDashboard('{$this->sId}', '$sFile', $sJSExtraParams)");
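Review bot: The new `utils::RealPath(APPROOT.$sDashboardFile, APPROOT)` call anchors the dashboard file name under APPROOT before resolving it, but the hunk leaves that intent undocumented; add `// Anchor the file name under APPROOT before resolving, so a traversal or absolute path can never resolve outside the application root` above the line. Whether the containment check is robust depends on utils::RealPath, which is outside this hunk: if it compares by plain string prefix, APPROOT must end in a directory separator, otherwise a sibling directory sharing the prefix would be accepted (constructed example: an APPROOT of /srv/app would accept /srv/app2/...). Callers that previously passed an absolute path will now get a SecurityException because APPROOT is prefixed unconditionally, so confirm every call site now supplies a path relative to APPROOT. The enclosing method starts and ends outside the hunk.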
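Review bot: `addslashes()` on the line that builds `$sFile` is not a JavaScript-context escaper: it leaves newlines, `</script>` and U+2028/U+2029 untouched, and the result is interpolated as a quoted literal into the `EditDashboard(...)` snippet on the last line of the hunk (and presumably into an HTML attribute or inline script further down the rendering path). Since the neighbouring `$sJSExtraParams` is already produced with `json_encode`, encode the path the same way and drop the hand-written quotes: `$sFile = json_encode(utils::LocalPath($this->sDefinitionFile), JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);` and `"return EditDashboard('{$this->sId}', $sFile, $sJSExtraParams)"`, the `JSON_HEX_*` flags keeping the literal safe if the snippet ends up inside an attribute. Any other `'$sFile'` use past the end of the hunk needs the same adjustment, and `$sJSExtraParams` would benefit from the same flags. Note also that if `utils::LocalPath` returns `false` for a path outside APPROOT, the current `addslashes(false)` silently yields an empty string instead of failing. The enclosing method starts and ends outside the hunk.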