From 3a497524dc7c987e0cfc989a993e897dacf3fcd5 Mon Sep 17 00:00:00 2001
From: XGUI
Date: Tue, 4 Feb 2025 10:48:28 +0100
Subject: [PATCH 1/2] =?UTF-8?q?N=C2=B08129=20=20-=20Fix=20unexpected=20ide?= =?UTF-8?q?ntifier=20self?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../unitary-tests/core/AttributeDefinitionTest.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/php-unit-tests/unitary-tests/core/AttributeDefinitionTest.php b/tests/php-unit-tests/unitary-tests/core/AttributeDefinitionTest.php
index bfa979553..047f39462 100644
--- a/tests/php-unit-tests/unitary-tests/core/AttributeDefinitionTest.php
+++ b/tests/php-unit-tests/unitary-tests/core/AttributeDefinitionTest.php
@@ -257,7 +257,7 @@ PHP
 $defaultValue = $oDateAttribute->GetDefaultValue();
 self::assertNull($defaultValue, 'Invalid default value for DateTime attribute should give null default value');
- self::AssertLastErrorLogEntryContains("Invalid default value 'zabugomeuh' for field 'start_date' on class 'WorkOrder', defaulting to null", "Last error log entry should contain a meaningful message");
+ $this->AssertLastErrorLogEntryContains("Invalid default value 'zabugomeuh' for field 'start_date' on class 'WorkOrder', defaulting to null", "Last error log entry should contain a meaningful message");
 }
 public function testDateEmptyDefaultReturnsNullAsDefaultValue()
@@ -274,7 +274,7 @@ PHP
 $oDateAttribute = $this->GivenAttribute(\WorkOrder::class, 'start_date', AttributeDate::class, 'zabugomeuh', false);
 $defaultValue = $oDateAttribute->GetDefaultValue();
- self::AssertLastErrorLogEntryContains("Invalid default value 'zabugomeuh' for field 'start_date' on class 'WorkOrder', defaulting to null", "Last error log entry should contain a meaningful message");
+ $this->AssertLastErrorLogEntryContains("Invalid default value 'zabugomeuh' for field 'start_date' on class 'WorkOrder', defaulting to null", "Last error log entry should contain a meaningful message");
 self::assertNull($defaultValue, 'Invalid default value for Date attribute should give null default value');
 }
@@ -286,7 +286,7 @@ PHP
 $defaultValue = $oDateAttribute->GetDefaultValue();
- self::AssertLastErrorLogEntryContains("Invalid default value '\"27/01/2025\"' for field 'start_date' on class 'WorkOrder', defaulting to null", "Last error log entry should contain a meaningful message");
+ $this->AssertLastErrorLogEntryContains("Invalid default value '\"27/01/2025\"' for field 'start_date' on class 'WorkOrder', defaulting to null", "Last error log entry should contain a meaningful message");
 self::assertNull($defaultValue, 'Invalid default value for Date attribute should give null default value');
 }
From bd6ccc55f83a6d3f33d4b87beeb0ce90ba3bdef8 Mon Sep 17 00:00:00 2001
From: jf-cbd
Date: Tue, 4 Feb 2025 10:49:16 +0100
Subject: [PATCH 2/2] =?UTF-8?q?N=C2=B08150=20-=20Better=20picture=20checki?= =?UTF-8?q?ng?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../portal/src/Controller/ObjectController.php | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
index 94ac155d8..4555a863b 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
@@ -1166,6 +1166,14 @@ class ObjectController extends BrickController
 $aHeaders['Content-Type'] = $oDocument->GetMimeType();
 $aHeaders['Content-Disposition'] = (($sOperation === 'display') ? 'inline' : 'attachment').';filename="'.$oDocument->GetFileName().'"';
+ if (MetaModel::GetImageAttributeCode($sObjectClass) === $sObjectField) {
+ $sRequestedHash = $oRequest->get('s');
+ $sComputedHash = md5($oDocument->GetData());
+ if ($sRequestedHash !== $sComputedHash) {
+ throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
+ }
+ }
+ + // N°4129 - Prevent XSS attacks & other script executions
 if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {
 $aHeaders['Content-Security-Policy'] = 'sandbox';
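Review bot: The new check compares the caller-supplied `s` parameter to the content digest with `!==`, an early-exit string comparison rather than a constant-time one, and `$oRequest->get('s')` yields null (or an array) when the parameter is missing or malformed, so the comparison is neither type-safe nor timing-safe. Since the digest is effectively the access token for the image, validate the type and use `hash_equals()`: `if (!is_string($sRequestedHash) || !hash_equals($sComputedHash, $sRequestedHash)) {`. `md5($oDocument->GetData())` also loads and hashes the full document body on every request just to gate access; if the digest is already persisted with the document, reusing it would avoid that cost, though that is not visible from this hunk. A one-line comment above the block, e.g. `// N°8150 - image URLs must carry the content digest in 's'; a mismatch is answered with 404 like a missing object`, would explain to the next reader why a 404 rather than a 403 is thrown. The enclosing method of ObjectController starts and ends outside this hunk.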