tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-28 16:24:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'ent-6170-xss-en-incidents' into 'develop'

Browse Source 
fixed vilnerability with filename incidents

See merge request artica/pandorafms!3399
This commit is contained in:
Daniel Rodriguez 2020-08-11 12:40:22 +02:00
commit ee61425bbf
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pandora_console/operation/incidents/incident_detail.php
View File

@ -137,11 +137,11 @@ if (isset($_GET['id'])) {
} }
// Upload file // Upload file
if ((check_acl($config['id_user'], $id_grupo, 'IW') == 1) and isset($_GET['upload_file']) and ($_FILES['userfile']['name'] != '')) { if ((check_acl($config['id_user'], $id_grupo, 'IW') == 1) && isset($_GET['upload_file']) && ($_FILES['userfile']['name'] != '')) {
$description = get_parameter('file_description', __('No description available')); $description = get_parameter('file_description', __('No description available'));
// Insert into database // Insert into database
$filename = io_safe_input($_FILES['userfile']['name']); $filename = strip_tags(io_safe_input($_FILES['userfile']['name']), '<br>');
$filesize = io_safe_input($_FILES['userfile']['size']); $filesize = io_safe_input($_FILES['userfile']['size']);
// The following is if you have clamavlib installed // The following is if you have clamavlib installed