From ca35bb64cc9143fa2c142afa5c0704fd7e44bbde Mon Sep 17 00:00:00 2001
From: Luis Calvo
Date: Wed, 22 Jan 2020 10:17:35 +0100
Subject: [PATCH] Prepend folder to image to avoid Phar injection
---
 pandora_console/include/graphs/fgraph.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pandora_console/include/graphs/fgraph.php b/pandora_console/include/graphs/fgraph.php
index 40c79bbf51..11f4db2f43 100644
--- a/pandora_console/include/graphs/fgraph.php
+++ b/pandora_console/include/graphs/fgraph.php
@@ -57,6 +57,9 @@ switch ($graph_type) {
 $out_of_lim_str = io_safe_output(get_parameter('out_of_lim_str', false));
 $out_of_lim_image = get_parameter('out_of_lim_image', false);
+ // Add relative path to avoid phar object injection.
+ $out_of_lim_image = '../graphs/'.$out_of_lim_image;
+
 $title = get_parameter('title');
 $mode = get_parameter('mode', 1);
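Review bot: `out_of_lim_image` is still an unvalidated request parameter after the added `'../graphs/'.$out_of_lim_image` concatenation: the prefix only keeps the string from starting with a stream-wrapper scheme such as `phar://`, while `../` segments in the value can still move the path out of the intended folder. The concatenation also turns the `false` default into the non-empty string `'../graphs/'`, which would change any later truthiness check on `$out_of_lim_image` (the code that consumes it is outside this hunk, so this is inferred). I would keep the unset case and constrain the name, e.g. `$out_of_lim_image = ($out_of_lim_image === false) ? false : '../graphs/'.basename((string) $out_of_lim_image);`, or, if sub-folders must remain allowed, resolve the result with `realpath()` and reject anything outside the expected base directory. The `switch ($graph_type)` case this assignment belongs to starts and ends outside the hunk.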