fixed security error on manage agent group
parent
cbca70da73
commit
b3a270d0b3
@ -347,24 +347,32 @@ if (($create_group) && (check_acl($config['id_user'], 0, 'PM'))) {
|
||||||
$check = db_get_value('nombre', 'tgrupo', 'nombre', $name);
|
$check = db_get_value('nombre', 'tgrupo', 'nombre', $name);
|
||||||
$propagate = (bool) get_parameter('propagate');
|
$propagate = (bool) get_parameter('propagate');
|
||||||
|
|
||||||
|
$aviable_name = true;
|
||||||
|
if (preg_match('<script>', $name)) {
|
||||||
|
$aviable_name = false;
|
||||||
|
}
|
||||||
|
|
||||||
// Check if name field is empty.
|
// Check if name field is empty.
|
||||||
if ($name != '') {
|
if ($name != '') {
|
||||||
if (!$check) {
|
if (!$check) {
|
||||||
$values = [
|
if ($aviable_name === true) {
|
||||||
'nombre' => $name,
|
$values = [
|
||||||
'icon' => empty($icon) ? '' : substr($icon, 0, -4),
|
'nombre' => $name,
|
||||||
'parent' => $id_parent,
|
'icon' => empty($icon) ? '' : substr($icon, 0, -4),
|
||||||
'disabled' => $alerts_disabled,
|
'parent' => $id_parent,
|
||||||
'custom_id' => $custom_id,
|
'disabled' => $alerts_disabled,
|
||||||
'id_skin' => $skin,
|
'custom_id' => $custom_id,
|
||||||
'description' => $description,
|
'id_skin' => $skin,
|
||||||
'contact' => $contact,
|
'description' => $description,
|
||||||
'propagate' => $propagate,
|
'contact' => $contact,
|
||||||
'other' => $other,
|
'propagate' => $propagate,
|
||||||
'password' => io_safe_input($group_pass),
|
'other' => $other,
|
||||||
];
|
'password' => io_safe_input($group_pass),
|
||||||
|
];
|
||||||
|
|
||||||
|
$result = db_process_sql_insert('tgrupo', $values);
|
||||||
|
}
|
||||||
|
|
||||||
$result = db_process_sql_insert('tgrupo', $values);
|
|
||||||
if ($result) {
|
if ($result) {
|
||||||
ui_print_success_message(__('Group successfully created'));
|
ui_print_success_message(__('Group successfully created'));
|
||||||
} else {
|
} else {
|
||||||
|
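Review bot: The new `preg_match('<script>', $name)` check on the create path does not do what the commit title claims: in PCRE `<` and `>` act as a bracket-style delimiter pair, so the compiled pattern is the bare word `script` — any name containing that substring is refused, while `<SCRIPT>`, `<img src=x onerror=...>` or `<svg/onload=...>` pass straight into `tgrupo.nombre`. A substring blocklist cannot close a stored-XSS path; the name should be stored as data and encoded where it is rendered (the `password` value in the same `$values` array already goes through `io_safe_input`, so the name presumably should as well unless it is already encoded before this point, which the hunk does not show), and if a reject rule is kept at all it needs a real delimiter and flags, e.g. `if (preg_match('/<\s*\/?\s*[a-z!?]/i', $name) === 1) {`. Secondary: when `$aviable_name` is false nothing assigns `$result`, so the later `if ($result)` reads an undefined variable (a warning on PHP 8) and silently drops into the else branch; initialise `$result = false;` before the `if ($aviable_name === true)` so the rejected-name outcome is explicit. The enclosing `if (($create_group) && check_acl(...))` block starts before the hunk and its else branch continues after it.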
@ -394,8 +402,13 @@ if ($update_group) {
|
||||||
$contact = (string) get_parameter('contact');
|
$contact = (string) get_parameter('contact');
|
||||||
$other = (string) get_parameter('other');
|
$other = (string) get_parameter('other');
|
||||||
|
|
||||||
|
$aviable_name = true;
|
||||||
|
if (preg_match('<script>', $name)) {
|
||||||
|
$aviable_name = false;
|
||||||
|
}
|
||||||
|
|
||||||
// Check if name field is empty.
|
// Check if name field is empty.
|
||||||
if ($name != '') {
|
if ($name != '' && $aviable_name === true) {
|
||||||
$sql = sprintf(
|
$sql = sprintf(
|
||||||
'UPDATE tgrupo
|
'UPDATE tgrupo
|
||||||
SET nombre = "%s",
|
SET nombre = "%s",
|
||||||
|
|