Merge remote-tracking branch 'origin/develop' into ent-4705-encriptado-de-nuevos-tokens

2025-04-08 18:55:09 +02:00 · 2020-01-23 11:06:15 +01:00 · 2020-01-23 11:06:15 +01:00 · 79a34ac756
commit 79a34ac756
parent 823fb30db7 a0ef0e1ee1
3 changed files with 9 additions and 4 deletions
--- a/pandora_console/godmode/agentes/agent_manager.php
+++ b/pandora_console/godmode/agentes/agent_manager.php
@ -208,7 +208,7 @@ if (!$new_agent && $alias != '') {
    $table_agent_name = '<div class="label_select"><p class="input_label">'.__('Agent name').': '.ui_print_help_tip(__("The agent's name must be the same as the one defined at the console"), true).'</p>';
    $table_agent_name .= '<div class="label_select_parent">';
    $table_agent_name .= '<div class="label_select_child_left" style="width: 60%;">'.html_print_input_text('agente', $nombre_agente, '', 50, 100, true).'</div>';
-    $table_agent_name .= '<div class="label_select_child_right agent_options_agent_name" style="width: 40%;">';
+    $table_agent_name .= '<div class="label_select_child_right agent_options_agent_name" style="width: 70%;">';

    if ($id_agente) {
        $table_agent_name .= '<label>'.__('ID').'</label><input style="width: 50%;" type="text" readonly value="'.$id_agente.'" />';
--- a/pandora_console/include/styles/agent_manager.css
+++ b/pandora_console/include/styles/agent_manager.css
@ -26,7 +26,7 @@
 }

 .agent_options_column_left {
-  padding-right: 50px;
+  padding-right: 60px;
 }

 .agent_qr {
@ -61,7 +61,7 @@ a#qr_code_agent_view {
 .first_row .agent_options_column_right select,
 .first_row .agent_options_column_right input,
 .first_row .agent_options_column_left select#grupo {
-  width: 95%;
+  width: 93%;
  box-sizing: border-box;
 }

--- a/pandora_console/index.php
+++ b/pandora_console/index.php
@ -1234,9 +1234,13 @@ if ($searchPage) {

            if (isset($_GET['sec2'])) {
                $file = $_GET['sec2'].'.php';
+                // Make file path absolute to prevent accessing remote files.
+                $file = __DIR__.'/'.$file;
                // Translate some secs.
                $main_sec = get_sec($_GET['sec']);
                $_GET['sec'] = ($main_sec == false) ? $_GET['sec'] : $main_sec;
+
+                // Third condition is aimed to prevent from traversal attack.
                if (!file_exists($file)
                    || ($_GET['sec2'] != 'general/logon_ok' && enterprise_hook(
                        'enterprise_acl',
@ -1247,7 +1251,8 @@ if ($searchPage) {
                            true,
                            isset($_GET['sec3']) ? $_GET['sec3'] : '',
                        ]
-                    ) == false)
+                    ) == false
+                    || strpos(realpath($file), __DIR__) === false)
                ) {
                    unset($_GET['sec2']);
                    include 'general/noaccess.php';