Merge branch 'ent-5323-Phar-object-injection' into 'develop'

Prepend folder to image to avoid Phar injection See merge request artica/pandorafms!3021
2020-01-22 12:20:35 +01:00 · 2020-01-22 12:20:35 +01:00 · 189ba74f01
parent 69d9051339 ca35bb64cc
commit 189ba74f01
1 changed files with 3 additions and 0 deletions
--- a/pandora_console/include/graphs/fgraph.php
+++ b/pandora_console/include/graphs/fgraph.php
@ -57,6 +57,9 @@ switch ($graph_type) {
        $out_of_lim_str = io_safe_output(get_parameter('out_of_lim_str', false));
        $out_of_lim_image = get_parameter('out_of_lim_image', false);

+        // Add relative path to avoid phar object injection.
+        $out_of_lim_image = '../graphs/'.$out_of_lim_image;
+
        $title = get_parameter('title');

        $mode = get_parameter('mode', 1);