Merged master into dashboards2

2015-03-31 13:19:03 -04:00
parent d02cda3f6a 8b41041c02
commit 6e4b4914bb
47 changed files with 344 additions and 170 deletions
--- a/workflow/engine/methods/setup/languages_Import.php
+++ b/workflow/engine/methods/setup/languages_Import.php
@@ -56,10 +56,12 @@ try {
    $sMaxExecutionTime = ini_get( 'max_execution_time' );
    ini_set( 'max_execution_time', '0' );
    G::LoadClass( 'configuration' );
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();

    $languageFile = $_FILES['form']['tmp_name']['LANGUAGE_FILENAME'];
    $languageFilename = $_FILES['form']['name']['LANGUAGE_FILENAME'];
-
+    $languageFilename = $filter->xssFilterHard($languageFilename, 'path');
    if (substr_compare( $languageFilename, ".gz", - 3, 3, true ) == 0) {
        $zp = gzopen( $languageFile, "r" );
        $languageFile = tempnam( __FILE__, '' );
--- a/workflow/engine/methods/setup/skin_Ajax.php
+++ b/workflow/engine/methods/setup/skin_Ajax.php
@@ -320,6 +320,8 @@ function importSkin ()
 function exportSkin ($skinToExport = "")
 {
    try {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
        if (! isset( $_REQUEST['SKIN_FOLDER_ID'] )) {
            throw (new Exception( G::LoadTranslation( 'ID_SKIN_NAME_REQUIRED' ) ));
        }
@@ -329,6 +331,7 @@ function exportSkin ($skinToExport = "")
        $skinFolderBase = PATH_CUSTOM_SKINS . $skinName;
        $skinFolder = $skinFolderBase . PATH_SEP;
        $skinTar = PATH_CUSTOM_SKINS . $skinName . '.tar';
+        $skinTar = $filter->xssFilterHard($skinTar, 'path');
        if (! is_dir( $skinFolder )) {
            throw (new Exception( G::LoadTranslation( 'ID_SKIN_DOESNT_EXIST' ) ));
        }