HOR-1363 "CLONE - Penetration test >> Internal paths exposed in cases" SOLVED

Issue:
    CLONE - Penetration test >> Internal paths exposed in cases
Cause:
    The variables are not filtered
Solution:
    - The submitted variables are filtered
    - To avoid displaying the paths of the files that are shown when a PHP notice is generated, php.ini must be
      configured; the following URL is suggested for reference: http://www.zootemplate.com/news-updates/how-to-disable-notice-and-warning-in-phpini-file
This commit is contained in:
Victor Saisa Lopez
2016-06-27 12:17:06 -04:00
parent c252cad836
commit 57a246b51c
2 changed files with 38 additions and 1 deletions
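The two measures named in the commit message, filtering request variables and keeping PHP notices (which carry file paths) off the page, as an added example that is not ProcessMaker's own code. It assumes PHP 7 or later; the helper name `requestParam`, the sample request and the log path are constructed for the illustration.

```php
<?php
// Added example, not ProcessMaker's code: read request parameters so that a
// missing or malformed value never raises a PHP notice, and configure the
// runtime so that any notice that does occur is logged rather than displayed.
declare(strict_types=1);

// Runtime equivalent of the php.ini settings the commit message refers to.
// In production put these in php.ini; ini_set() keeps the example self-contained.
ini_set('display_errors', '0');         // never render notices (and file paths) to the client
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');             // keep them for operators instead
ini_set('error_log', '/var/log/php/app.log'); // assumed path, adjust to the deployment
error_reporting(E_ALL);                 // still record everything in the log

/**
 * Return $source[$key] when it is present and matches the whitelist $pattern,
 * otherwise $default. Going through isset() avoids the "Undefined index"
 * notice that a bare $_GET['UID'] raises when the parameter is absent.
 */
function requestParam(array $source, string $key, string $pattern, string $default = ''): string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default;   // absent, or not a plain string (e.g. UID[]=x): use the default
    }
    return preg_match($pattern, $source[$key]) === 1 ? $source[$key] : $default;
}

// Anchored whitelist: the whole value must consist of [A-Za-z0-9_-]. An
// unanchored /[\-\w]/ is satisfied as soon as any single character is allowed.
$idPattern = '/^[\-\w]+$/';

// Constructed sample request: UID is well-formed, TYPE carries markup,
// POSITION is numeric and ACTION is missing altogether.
$sampleGet = ['UID' => 'abc-123_X', 'TYPE' => '<script>', 'POSITION' => '2'];

$uid      = requestParam($sampleGet, 'UID', $idPattern);      // kept as-is
$type     = requestParam($sampleGet, 'TYPE', $idPattern);     // rejected, default applies
$position = requestParam($sampleGet, 'POSITION', '/^\d+$/');  // kept as-is
$action   = requestParam($sampleGet, 'ACTION', $idPattern);   // absent: default, no notice

var_dump($uid, $type, $position, $action);
```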


@@ -1,4 +1,10 @@
<?php
$filter = new InputFilter();
list($_GET['UID'], $_GET['TYPE'], $_GET['POSITION'], $_GET['ACTION']) = $filter->xssRegexFilter(
[$_GET['UID'], $_GET['TYPE'], $_GET['POSITION'], $_GET['ACTION']], '/[\-\w]/'
);
if (!isset($_SESSION['USER_LOGGED'])) {
G::SendTemporalMessage( 'ID_LOGIN_AGAIN', 'warning', 'labels' );
die( '<script type="text/javascript">
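Review bot: the reads of `$_GET['UID']`, `$_GET['TYPE']`, `$_GET['POSITION']` and `$_GET['ACTION']` inside `list(...) = $filter->xssRegexFilter([$_GET['UID'], $_GET['TYPE'], ...` have no `isset()` guard, so a request that omits any of them raises an "Undefined index" notice, which is exactly the notice-with-file-path disclosure this commit is meant to close; read each one through `isset($_GET['UID']) ? $_GET['UID'] : ''` (or a small helper) before handing it to the filter. The pattern `'/[\-\w]/'` is also unanchored and has no quantifier, so it matches as soon as a single allowed character is present; either document in a comment what `xssRegexFilter` does with such a pattern or use an anchored form such as `/^[\-\w]+$/` if the whole value is meant to be validated.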
@@ -780,7 +786,7 @@ try {
$aFields['TASK'] = $oDerivation->prepareInformation( array ('USER_UID' => $_SESSION['USER_LOGGED'],'APP_UID' => $_SESSION['APPLICATION'],'DEL_INDEX' => $_SESSION['INDEX']
) );
if (empty( $aFields['TASK'] )) {
throw (new Exception( G::LoadTranslation( 'ID_NO_DERIVATION_RULE' ) ));
}
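Review bot: the call `$aFields['TASK'] = $oDerivation->prepareInformation( array ('USER_UID' => $_SESSION['USER_LOGGED'],'APP_UID' => $_SESSION['APPLICATION'],'DEL_INDEX' => $_SESSION['INDEX']` reads `$_SESSION['APPLICATION']` and `$_SESSION['INDEX']` without an `isset()` check, while the guard at the top of the file only verifies `USER_LOGGED`; a session missing either key produces the same "Undefined index" notice the commit is trying to keep off the page. Validate both before the call and route a missing value through the existing `G::SendTemporalMessage` or `Exception` path. Splitting the array literal one key per line would also make the single changed line of this hunk visible in review instead of hidden inside one long line.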