composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-04-19 16:48:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix for potential XSS vulnerability on uploaded file names. To be further tested before retrofitting in branches.

Browse Source 
SVN:trunk[3985]
This commit is contained in:
Denis Flaven
2016-04-05 16:15:29 +00:00
parent 3997ea3a23
commit 32ce26aa7d
5 changed files with 10 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
application/cmdbabstract.class.inc.php
View File

@@ -1868,7 +1868,7 @@ EOF
$iMaxFileSize = utils::ConvertToBytes(ini_get('upload_max_filesize'));
$sHTMLValue = "<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"$iMaxFileSize\" />\n";
$sHTMLValue .= "<input name=\"attr_{$sFieldPrefix}{$sAttCode}{$sNameSuffix}[filename]\" type=\"hidden\" id=\"$iId\" \" value=\"".htmlentities($sFileName, ENT_QUOTES, 'UTF-8')."\"/>\n";
$sHTMLValue .= "<span id=\"name_$iInputId\">$sFileName</span><br/>\n";
$sHTMLValue .= "<span id=\"name_$iInputId\">".htmlentities($sFileName, ENT_QUOTES, 'UTF-8')."</span><br/>\n";
$sHTMLValue .= "<input title=\"$sHelpText\" name=\"attr_{$sFieldPrefix}{$sAttCode}{$sNameSuffix}[fcontents]\" type=\"file\" id=\"file_$iId\" onChange=\"UpdateFileName('$iId', this.value)\"/>&nbsp;{$sValidationSpan}{$sReloadSpan}\n";
break;