composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-02-13 07:24:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

N°4361 - XSS in csvimport on develop

Browse Source
This commit is contained in:
acognet
2021-10-19 11:08:47 +02:00
parent 88fda1466e
commit c8f3d23d30
1 changed files with 4 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
pages/csvimport.php
View File

@@ -233,8 +233,7 @@ try {
{ {
$sClassName = utils::ReadParam('class_name', '', false, 'class'); $sClassName = utils::ReadParam('class_name', '', false, 'class');
// Class access right check for the import // Class access right check for the import
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_MODIFY) == UR_ALLOWED_NO) if (UserRights::IsActionAllowed($sClassName, UR_ACTION_MODIFY) == UR_ALLOWED_NO) {
{
throw new CoreException(Dict::S('UI:ActionNotAllowed')); throw new CoreException(Dict::S('UI:ActionNotAllowed'));
} }
@@ -245,8 +244,7 @@ try {
$sTextQualifier = utils::ReadParam('text_qualifier', '"', false, 'raw_data'); $sTextQualifier = utils::ReadParam('text_qualifier', '"', false, 'raw_data');
$bHeaderLine = (utils::ReadParam('header_line', '0') == 1); $bHeaderLine = (utils::ReadParam('header_line', '0') == 1);
$iSkippedLines = 0; $iSkippedLines = 0;
if (utils::ReadParam('box_skiplines', '0') == 1) if (utils::ReadParam('box_skiplines', '0') == 1) {
{
$iSkippedLines = utils::ReadParam('nb_skipped_lines', '0'); $iSkippedLines = utils::ReadParam('nb_skipped_lines', '0');
} }
$aFieldsMapping = utils::ReadParam('field', array(), false, 'raw_data'); $aFieldsMapping = utils::ReadParam('field', array(), false, 'raw_data');
@@ -1150,7 +1148,7 @@ EOF
$sCSVData = $oDocument->GetData(); $sCSVData = $oDocument->GetData();
} }
break; break;
default: default:
$sCSVData = utils::ReadPostedParam('csvdata', '', 'raw_data'); $sCSVData = utils::ReadPostedParam('csvdata', '', 'raw_data');
} }
@@ -1515,7 +1513,7 @@ EOF
$oTabPaste->AddSubBlock($oFormPaste); $oTabPaste->AddSubBlock($oFormPaste);
$sCSVData = utils::ReadParam('csvdata', '', false, 'raw_data'); $sCSVData = utils::ReadParam('csvdata', '', false, utils::ENUM_SANITIZATION_FILTER_STRING);
$oTextarea = new TextArea('csvdata', $sCSVData, '', 120, 30); $oTextarea = new TextArea('csvdata', $sCSVData, '', 120, 30);
$oFieldPaste = FieldUIBlockFactory::MakeFromObject(Dict::S('UI:CSVImport:PasteData'), $oTextarea); $oFieldPaste = FieldUIBlockFactory::MakeFromObject(Dict::S('UI:CSVImport:PasteData'), $oTextarea);
$oFormPaste->AddSubBlock($oFieldPaste); $oFormPaste->AddSubBlock($oFieldPaste);