From d31a4047f6778ed558ab1c975f878203de2062e9 Mon Sep 17 00:00:00 2001
From: Eric
Date: Wed, 19 Dec 2018 17:13:49 +0100
Subject: [PATCH 1/2] Fix Setup hardening
---
 setup/ajax.dataloader.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/setup/ajax.dataloader.php b/setup/ajax.dataloader.php
index 070db5bbb..6dc61f7cc 100644
--- a/setup/ajax.dataloader.php
+++ b/setup/ajax.dataloader.php
@@ -121,7 +121,10 @@ header("Expires: Fri, 17 Jul 1970 05:00:00 GMT"); // Date in the past
 $sOperation = Utils::ReadParam('operation', '');
 try
 {
-	if (!is_writable(utils::GetConfigFilePath())) throw new Exception('Setup operations are not allowed outside of the setup');
+	if (is_file(utils::GetConfigFilePath()) && !is_writable(utils::GetConfigFilePath()))
+	{
+		throw new Exception('Setup operations are not allowed outside of the setup');
+	}
 	switch($sOperation)
 	{
From bc5643707ea8c5c8484a2f143b92d521fc6d0500 Mon Sep 17 00:00:00 2001
From: Eric
Date: Fri, 21 Dec 2018 09:36:28 +0100
Subject: [PATCH 2/2] =?UTF-8?q?N=C2=B01898=20-=20Fix=20pagination=20issue?=
 =?UTF-8?q?=20for=20search=20with=20accent?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 pages/ajax.render.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pages/ajax.render.php b/pages/ajax.render.php
index ef4c5cf8a..ce29048e3 100644
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
@@ -58,7 +58,7 @@ try
 	$operation = utils::ReadParam('operation', '');
-	$sFilter = stripslashes(utils::ReadParam('filter', '', false, 'raw_data'));
+	$sFilter = utils::ReadParam('filter', '', false, 'raw_data');
 	$sEncoding = utils::ReadParam('encoding', 'serialize');
 	$sClass = utils::ReadParam('class', 'MissingAjaxParam', false, 'class');
 	$sStyle = utils::ReadParam('style', 'list');
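Review bot: The new guard `if (is_file(utils::GetConfigFilePath()) && !is_writable(utils::GetConfigFilePath()))` lets every operation through whenever the configuration file is not a regular file, which is the intended fresh-install case but also makes the data loader reachable if the config file is removed or replaced by a directory, and that widening is not recorded anywhere in the hunk. Suggest computing the path once and stating the intent: `$sConfigFile = utils::GetConfigFilePath();` / `// No config file yet means a fresh install, so setup is legitimately in progress` / `if (file_exists($sConfigFile) && !is_writable($sConfigFile))`. `file_exists` also rejects a directory sitting at that path, which `is_file` would silently accept, and the single local keeps both checks on the same value. The adjacent context line spells the class `Utils::` while the new line uses `utils::`; one spelling would be cleaner. The enclosing `try` block continues past the end of the hunk.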
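Review bot: Removing `stripslashes()` on the `filter` parameter changes what every caller of this endpoint delivers, not only the accented-search pagination case named in the subject, and nothing in the hunk records why, so a later reader may put it back; suggest a comment above the new line such as `// No stripslashes(): magic_quotes are long gone, and stripping backslashes corrupted encoded filters (N°1898)`. The value is read with the `'raw_data'` sanitization mode, so `$sFilter` now reaches its consumer byte-for-byte as sent by the client; that consumer is chosen by `$sEncoding` (default `'serialize'`) outside the hunk and, presumably being a decode step, is where the format should be validated rather than relying on the slash stripping that was just removed. The enclosing `try` block begins before and continues after the hunk.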