Fixed security issue: attachments were visible to anybody (by forming URLs manually), regardless of the allowed organizations. This change requires running the setup/migration procedure.

SVN:trunk[1591]
Romain Quetiez
2011-09-22 09:04:12 +00:00
parent 0de75db474
commit da2b8ab4c0
4 changed files with 188 additions and 27 deletions


@@ -592,16 +592,17 @@ function DownloadDocument(WebPage $oPage, $sClass, $id, $sAttCode, $sContentDisp
{
try
{
$oObj = MetaModel::GetObject($sClass, $id);
if (is_object($oObj))
$oObj = MetaModel::GetObject($sClass, $id, false, false);
if (!is_object($oObj))
{
$oDocument = $oObj->Get($sAttCode);
if (is_object($oDocument))
{
$oPage->SetContentType($oDocument->GetMimeType());
$oPage->SetContentDisposition($sContentDisposition,$oDocument->GetFileName());
$oPage->add($oDocument->GetData());
}
throw new Exception("Invalid id ($id) for class '$sClass' - the object does not exist or you are not allowed to view it");
}
$oDocument = $oObj->Get($sAttCode);
if (is_object($oDocument))
{
$oPage->SetContentType($oDocument->GetMimeType());
$oPage->SetContentDisposition($sContentDisposition,$oDocument->GetFileName());
$oPage->add($oDocument->GetData());
}
}
catch(Exception $e)
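Review bot: The new `throw` in the `!is_object($oObj)` branch interpolates `$id` and `$sClass` into the exception message. Both look caller-supplied, and the body of the `catch(Exception $e)` handler lies outside this hunk, so it cannot be confirmed here that the message is HTML-escaped before it reaches the page. Either escape in the handler, or keep the raw values out of the text, e.g. `throw new Exception("Invalid object reference - the object does not exist or you are not allowed to view it");` and log the id and class server-side. The two positional `false` arguments to `MetaModel::GetObject` carry the whole fix and deserve a comment such as `// do not throw when not found; do not bypass the user's data restrictions (confirm against GetObject's signature)`. A non-object `$oDocument` still returns an empty response with no error, which makes a wrong `$sAttCode` hard to diagnose.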