Fix for potential XSS vulnerability on uploaded file names. To be further tested before retrofitting in branches.

SVN:trunk[3985]
This commit is contained in:
Denis Flaven
2016-04-05 16:15:29 +00:00
parent 3997ea3a23
commit 32ce26aa7d
5 changed files with 10 additions and 122 deletions


@@ -275,7 +275,7 @@ EOF
{
$iAttId = $oAttachment->GetKey();
$oDoc = $oAttachment->Get('contents');
$sFileName = $oDoc->GetFileName();
$sFileName = htmlentities($oDoc->GetFileName(), ENT_QUOTES, 'UTF-8');
$sIcon = utils::GetAbsoluteUrlAppRoot().AttachmentPlugIn::GetFileIcon($sFileName);
$sPreview = $oDoc->IsPreviewAvailable() ? 'true' : 'false';
$sDownloadLink = utils::GetAbsoluteUrlAppRoot().ATTACHMENT_DOWNLOAD_URL.$iAttId;
@@ -303,7 +303,7 @@ EOF
// Display them
$iAttId = $oAttachment->GetKey();
$oDoc = $oAttachment->Get('contents');
$sFileName = $oDoc->GetFileName();
$sFileName = htmlentities($oDoc->GetFileName(), ENT_QUOTES, 'UTF-8');
$sIcon = utils::GetAbsoluteUrlAppRoot().AttachmentPlugIn::GetFileIcon($sFileName);
$sDownloadLink = utils::GetAbsoluteUrlAppRoot().ATTACHMENT_DOWNLOAD_URL.$iAttId;
$sPreview = $oDoc->IsPreviewAvailable() ? 'true' : 'false';
@@ -439,7 +439,7 @@ EOF
{
$iAttId = $oAttachment->GetKey();
$oDoc = $oAttachment->Get('contents');
$sFileName = $oDoc->GetFileName();
$sFileName = htmlentities($oDoc->GetFileName(), ENT_QUOTES, 'UTF-8');
$sIcon = utils::GetAbsoluteUrlAppRoot().AttachmentPlugIn::GetFileIcon($sFileName);
$sPreview = $oDoc->IsPreviewAvailable() ? 'true' : 'false';
$sDownloadLink = utils::GetAbsoluteUrlAppRoot().ATTACHMENT_DOWNLOAD_URL.$iAttId;
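Review bot: The entity-encoded name is what now reaches `AttachmentPlugIn::GetFileIcon($sFileName)` on the line after the change, so a name containing `&`, `<`, `>` or a quote is looked up with `&amp;`/`&#039;` sequences in it instead of the original bytes; the hunks at -303 and -439 have the same pattern. Keep the raw name for the lookup and encode only the copy that is displayed: `$sRawFileName = $oDoc->GetFileName();` / `$sFileName = htmlentities($sRawFileName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` / `$sIcon = utils::GetAbsoluteUrlAppRoot().AttachmentPlugIn::GetFileIcon($sRawFileName);`. Adding `ENT_SUBSTITUTE` matters because without it `htmlentities()` returns an empty string for a name that is not valid UTF-8, which would silently blank the displayed file name rather than fail visibly. Given the `EOF` heredoc context and `$sPreview` being rendered as the literals `'true'`/`'false'`, it looks like these values are interpolated into JavaScript; if `$sFileName` ends up inside a JavaScript string, HTML entity encoding is not the right escaping for that context and `json_encode()` should be used at that point — the heredoc itself and the enclosing function start and end outside the hunk, so this should be confirmed there.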