From 5cf9716f0b97b2929b477f0de71babf71543cd15 Mon Sep 17 00:00:00 2001
From: Marco Antonio Nina
Date: Tue, 17 Dec 2013 16:52:40 -0400
Subject: [PATCH 1/4] BUG-FILES Upload files templates IMPROVEMENT
- Al subir los templates no se valida el tipo.
- Se agrego la validacion del PRO_UID, ademas de tener el permiso PM_FACTORY y se quita cualquier tipo de codigo que no sea html en los archivos processes_doUpload.php, processes_Ajax.php, processes_UploadFiles.php.
---
 .../methods/processes/processes_Ajax.php | 68 ++++++++++------
 .../processes/processes_UploadFiles.php | 55 +++++++++----
 .../methods/processes/processes_doUpload.php | 78 +++++++++++++------
 3 files changed, 139 insertions(+), 62 deletions(-)
diff --git a/workflow/engine/methods/processes/processes_Ajax.php b/workflow/engine/methods/processes/processes_Ajax.php
index cd3fefdc4..fe1915d84 100755
--- a/workflow/engine/methods/processes/processes_Ajax.php
+++ b/workflow/engine/methods/processes/processes_Ajax.php
@@ -498,30 +498,54 @@ try {
 case 'saveFile':
 global $G_PUBLISH;
 $G_PUBLISH = new Publisher();
- $sDir = "";
- if (isset($_REQUEST['MAIN_DIRECTORY'])) {
- $sDir = $_REQUEST['MAIN_DIRECTORY'];
+ global $RBAC;
+ if ( $RBAC->userCanAccess('PM_FACTORY') == 1) {
+ G::LoadClass('processes');
+ $app = new Processes();
+ if (!$app->processExists($_REQUEST['pro_uid'])) {
+ echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
+ die;
+ }
+
+ $sDir = "";
+ if (isset($_REQUEST['MAIN_DIRECTORY'])) {
+ $sDir = $_REQUEST['MAIN_DIRECTORY'];
+ }
+ switch ($sDir) {
+ case 'mailTemplates':
+ $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
+ break;
+ case 'public':
+ $sDirectory = PATH_DATA_PUBLIC . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
+ break;
+ default:
+ $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
+ break;
+ }
+ $fp = fopen($sDirectory, 'w');
+ $content = stripslashes($_REQUEST['fcontent']);
+ $content = str_replace("@amp@", "&", $content);
+ $content = base64_decode($content);
+ $fields = array('!--', '--', '!DOCTYPE', 'a', 'abbr', 'acronym', 'address', 'applet', 'area',
+ 'article', 'aside', 'audio', 'b', 'base', 'basefont', 'bdi', 'bdo', 'big',
+ 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite',
+ 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn',
+ 'dialog', 'dir', 'div', 'dl', 'dt', 'em', 'embed', 'fieldset', 'figcaption',
+ 'figure', 'font', 'footer', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4',
+ 'h5', 'h6', 'head', 'header', 'hr', 'html', 'i', 'iframe', 'img', 'input', 'ins',
+ 'kbd', 'keygen', 'label', 'legend', 'li', 'link', 'map', 'mark', 'menu', 'meta',
+ 'meter', 'nav', 'noframes', 'noscript', 'object', 'ol', 'optgroup', 'option',
+ 'output', 'p', 'param', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp',
+ 'script', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style',
+ 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
+ 'time', 'title', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr');
+ $content = G::sanitizeInput($content, $fields, array(), 0, 1, 0);
+ fwrite($fp, $content);
+ fclose($fp);
+ echo 'saved: ' . $sDirectory;
 }
- switch ($sDir) {
- case 'mailTemplates':
- $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
- break;
- case 'public':
- $sDirectory = PATH_DATA_PUBLIC . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
- break;
- default:
- $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
- break;
- }
-
- $fp = fopen($sDirectory, 'w');
- $content = stripslashes($_REQUEST['fcontent']);
- $content = str_replace("@amp@", "&", $content);
- $content = base64_decode($content);
- fwrite($fp, $content);
- fclose($fp);
- echo 'saved: ' . $sDirectory;
+ break;
 case 'events':
 $oProcessMap->eventsList($oData->pro_uid, $oData->type);
diff --git a/workflow/engine/methods/processes/processes_UploadFiles.php b/workflow/engine/methods/processes/processes_UploadFiles.php
index 4d6cca241..e40f0981b 100755
--- a/workflow/engine/methods/processes/processes_UploadFiles.php
+++ b/workflow/engine/methods/processes/processes_UploadFiles.php
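Review bot: The three new `$sDirectory = ... . PATH_SEP . $_REQUEST['filename'];` lines still take the request value verbatim as the final path component, so the `processExists()` check added above pins the process directory but not the file written inside it, and `fopen($sDirectory, 'w')` is used without checking its return. Reduce the name to one component before building the path, `$filename = basename($_REQUEST['filename']);`, use `$filename` in the three `case` branches, and stop when `fopen()` returns false. The `$fields` whitelist declared here is repeated verbatim in the processes_UploadFiles.php and processes_doUpload.php hunks of this commit; one shared definition would keep the copies from drifting. The `try`/`switch` that encloses this `case` starts before the hunk and continues past it.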
@@ -1,19 +1,44 @@ userCanAccess('PM_FACTORY') == 1) {
+ G::LoadClass('processes');
+ $app = new Processes();
+ if (!$app->processExists($_REQUEST['pro_uid'])) {
+ echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
+ die;
 }
+ switch ($_POST['form']['MAIN_DIRECTORY']) {
+ case 'mailTemplates':
+ $sDirectory = PATH_DATA_MAILTEMPLATES . $_POST['form']['PRO_UID'] . PATH_SEP . ($_POST['form']['CURRENT_DIRECTORY'] != '' ? $_POST['form']['CURRENT_DIRECTORY'] . PATH_SEP : '');
+ break;
+ case 'public':
+ $sDirectory = PATH_DATA_PUBLIC . $_POST['form']['PRO_UID'] . PATH_SEP . ($_POST['form']['CURRENT_DIRECTORY'] != '' ? $_POST['form']['CURRENT_DIRECTORY'] . PATH_SEP : '');
+ break;
+ default:
+ die();
+ break;
+ }
+ for ($i = 1; $i <= 5; $i ++) {
+ if ($_FILES['form']['tmp_name']['FILENAME' . (string) $i] != '') {
+ G::uploadFile( $_FILES['form']['tmp_name']['FILENAME' . (string) $i], $sDirectory, $_FILES['form']['name']['FILENAME' . (string) $i] );
+ $fp = fopen($sDirectory, $_FILES['form']['name']['FILENAME' . (string) $i] , 'rw');
+ $content = fread($fp, filesize($sDirectory, $_FILES['form']['name']['FILENAME' . (string) $i] ));
+ $fields = array('!--', '--', '!DOCTYPE', 'a', 'abbr', 'acronym', 'address', 'applet', 'area',
+ 'article', 'aside', 'audio', 'b', 'base', 'basefont', 'bdi', 'bdo', 'big',
+ 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite',
+ 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn',
+ 'dialog', 'dir', 'div', 'dl', 'dt', 'em', 'embed', 'fieldset', 'figcaption',
+ 'figure', 'font', 'footer', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4',
+ 'h5', 'h6', 'head', 'header', 'hr', 'html', 'i', 'iframe', 'img', 'input', 'ins',
+ 'kbd', 'keygen', 'label', 'legend', 'li', 'link', 'map', 'mark', 'menu', 'meta',
+ 'meter', 'nav', 'noframes', 'noscript', 'object', 'ol', 'optgroup', 'option',
+ 'output', 'p', 'param', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp',
+ 'script', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style',
+ 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
+ 'time', 'title', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr');
+ $content = G::sanitizeInput($content, $fields, array(), 0, 1, 0);
+ fwrite( $fp, $content );
+ fclose($fp);
+ }
+ }
 }
 die( '' );
diff --git a/workflow/engine/methods/processes/processes_doUpload.php b/workflow/engine/methods/processes/processes_doUpload.php
index 152832ad9..7653c726f 100755
--- a/workflow/engine/methods/processes/processes_doUpload.php
+++ b/workflow/engine/methods/processes/processes_doUpload.php
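Review bot: The added `fopen($sDirectory, $_FILES['form']['name']['FILENAME' . (string) $i] , 'rw')` hands the directory in as the path and the client's file name as the mode, and `filesize($sDirectory, ...)` is given a second argument it does not accept, so the read-sanitize-write step after `G::uploadFile()` cannot work as written. The same `'rw'` string is used as the mode in the processes_doUpload.php hunk of this commit; it is not a documented fopen mode, and even with a valid read/write handle the `fwrite()` would land after the read position rather than replace the file, leaving the unsanitized bytes in place. A whole-file round trip on the stored path is simpler and correct: `$path = $sDirectory . $_FILES['form']['name']['FILENAME' . (string) $i];` then `$content = G::sanitizeInput(file_get_contents($path), $fields, array(), 0, 1, 0);` then `file_put_contents($path, $content);`. Whether `G::uploadFile()` stores the file under exactly that name is not visible in this diff and should be confirmed.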
@@ -1,29 +1,57 @@ userCanAccess('PM_FACTORY') == 1) {
-if (isset( $_SESSION['processes_upload'] )) {
- $form = $_SESSION['processes_upload'];
- switch ($form['MAIN_DIRECTORY']) {
- case 'mailTemplates':
- $sDirectory = PATH_DATA_MAILTEMPLATES . $form['PRO_UID'] . PATH_SEP . ($form['CURRENT_DIRECTORY'] != '' ? $form['CURRENT_DIRECTORY'] . PATH_SEP : '');
- break;
- case 'public':
- $sDirectory = PATH_DATA_PUBLIC . $form['PRO_UID'] . PATH_SEP . ($form['CURRENT_DIRECTORY'] != '' ? $form['CURRENT_DIRECTORY'] . PATH_SEP : '');
- break;
- default:
- die();
- break;
+ if (isset( $_SESSION['processes_upload'] )) {
+ $form = $_SESSION['processes_upload'];
+ switch ($form['MAIN_DIRECTORY']) {
+ case 'mailTemplates':
+ $sDirectory = PATH_DATA_MAILTEMPLATES . $form['PRO_UID'] . PATH_SEP . ($form['CURRENT_DIRECTORY'] != '' ? $form['CURRENT_DIRECTORY'] . PATH_SEP : '');
+ break;
+ case 'public':
+ $sDirectory = PATH_DATA_PUBLIC . $form['PRO_UID'] . PATH_SEP . ($form['CURRENT_DIRECTORY'] != '' ? $form['CURRENT_DIRECTORY'] . PATH_SEP : '');
+ break;
+ default:
+ die();
+ break;
+ }
+ G::LoadClass('processes');
+ $app = new Processes();
+ if (!$app->processExists($form['PRO_UID'])) {
+ echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
+ die;
+ }
+ }
-}
-if ($_FILES['form']['error'] == "0") {
- G::uploadFile( $_FILES['form']['tmp_name'], $sDirectory, $_FILES['form']['name'] );
- $msg = "Uploaded (" . (round( (filesize( $sDirectory . $_FILES['form']['name'] ) / 1024) * 10 ) / 10) . " kb)";
- $result = 1;
- //echo $sDirectory.$_FILES['form']['name'];
-} else {
- $msg = "Failed";
- $result = 0;
-}
-
-echo "{'result': $result, 'msg':'$msg'}";
\ No newline at end of file
+ if ($_FILES['form']['error'] == "0") {
+ G::uploadFile( $_FILES['form']['tmp_name'], $sDirectory, $_FILES['form']['name'] );
+ $fp = fopen($sDirectory . $_FILES['form']['name'], 'rw');
+ $content = fread($fp, filesize($sDirectory . $_FILES['form']['name']));
+ $fields = array('!--', '--', '!DOCTYPE', 'a', 'abbr', 'acronym', 'address', 'applet', 'area',
+ 'article', 'aside', 'audio', 'b', 'base', 'basefont', 'bdi', 'bdo', 'big',
+ 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite',
+ 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn',
+ 'dialog', 'dir', 'div', 'dl', 'dt', 'em', 'embed', 'fieldset', 'figcaption',
+ 'figure', 'font', 'footer', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4',
+ 'h5', 'h6', 'head', 'header', 'hr', 'html', 'i', 'iframe', 'img', 'input', 'ins',
+ 'kbd', 'keygen', 'label', 'legend', 'li', 'link', 'map', 'mark', 'menu', 'meta',
+ 'meter', 'nav', 'noframes', 'noscript', 'object', 'ol', 'optgroup', 'option',
+ 'output', 'p', 'param', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp',
+ 'script', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style',
+ 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
+ 'time', 'title', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr');
+ $content = G::sanitizeInput($content, $fields, array(), 0, 1, 0);
+ fwrite( $fp, $content );
+ fclose($fp);
+ $msg = "Uploaded (" . (round( (filesize( $sDirectory . $_FILES['form']['name'] ) / 1024) * 10 ) / 10) . " kb)";
+ $result = 1;
+ //echo $sDirectory.$_FILES['form']['name'];
+ } else {
+ $msg = "Failed";
+ $result = 0;
+ }
+
+ echo "{'result': $result, 'msg':'$msg'}";
+}
\ No newline at end of file
From ec860a320dee5a485b0db8f933622e38eed16c06 Mon Sep 17 00:00:00 2001
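Review bot: The `$fields` array passed to `G::sanitizeInput()` as the allowed-tag set keeps `script`, `iframe`, `object`, `embed`, `applet`, `form`, `meta`, `link` and `style`, so active content in an uploaded template passes through and only tags outside this list are dropped; if the intent stated in the commit message is to keep only plain HTML, those entries should come out of the list here and in the identical lists in the processes_Ajax.php and processes_UploadFiles.php hunks. What the remaining arguments `array(), 0, 1, 0` mean is not visible in the diff, so a one-line comment naming each flag would help the next reader. `fopen()` and `fread()` are also used without checking their return values.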
From: Marco Antonio Nina
Date: Thu, 19 Dec 2013 10:32:26 -0400
Subject: [PATCH 2/4] BUG-FILES Upload files templates IMPROVEMENT
- Al subir los templates no se valida el tipo.
- Se agrego la validacion del PRO_UID, ademas de tener el permiso PM_FACTORY y se quita cualquier tipo de codigo que no sea html en los archivos processes_doUpload.php, processes_Ajax.php, processes_UploadFiles.php.
---
 .../methods/processes/processes_Ajax.php | 16 ---------
 .../processes/processes_UploadFiles.php | 23 ++-----------
 .../methods/processes/processes_doUpload.php | 34 ++++---------------
 3 files changed, 10 insertions(+), 63 deletions(-)
diff --git a/workflow/engine/methods/processes/processes_Ajax.php b/workflow/engine/methods/processes/processes_Ajax.php
index fe1915d84..775f310e8 100755
--- a/workflow/engine/methods/processes/processes_Ajax.php
+++ b/workflow/engine/methods/processes/processes_Ajax.php
@@ -526,26 +526,10 @@ try {
 $content = stripslashes($_REQUEST['fcontent']);
 $content = str_replace("@amp@", "&", $content);
 $content = base64_decode($content);
- $fields = array('!--', '--', '!DOCTYPE', 'a', 'abbr', 'acronym', 'address', 'applet', 'area',
- 'article', 'aside', 'audio', 'b', 'base', 'basefont', 'bdi', 'bdo', 'big',
- 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite',
- 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn',
- 'dialog', 'dir', 'div', 'dl', 'dt', 'em', 'embed', 'fieldset', 'figcaption',
- 'figure', 'font', 'footer', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4',
- 'h5', 'h6', 'head', 'header', 'hr', 'html', 'i', 'iframe', 'img', 'input', 'ins',
- 'kbd', 'keygen', 'label', 'legend', 'li', 'link', 'map', 'mark', 'menu', 'meta',
- 'meter', 'nav', 'noframes', 'noscript', 'object', 'ol', 'optgroup', 'option',
- 'output', 'p', 'param', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp',
- 'script', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style',
- 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
- 'time', 'title', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr');
- $content = G::sanitizeInput($content, $fields, array(), 0, 1, 0);
 fwrite($fp, $content);
 fclose($fp);
 echo 'saved: ' . $sDirectory;
 }
-
- break;
 case 'events':
 $oProcessMap->eventsList($oData->pro_uid, $oData->type);
diff --git a/workflow/engine/methods/processes/processes_UploadFiles.php b/workflow/engine/methods/processes/processes_UploadFiles.php
index e40f0981b..abcf6004f 100755
--- a/workflow/engine/methods/processes/processes_UploadFiles.php
+++ b/workflow/engine/methods/processes/processes_UploadFiles.php
@@ -1,4 +1,5 @@ -userCanAccess('PM_FACTORY') == 1) {
 G::LoadClass('processes');
 $app = new Processes();
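Review bot: This hunk deletes the only `G::sanitizeInput()` call in the saveFile handler, and the processes_UploadFiles.php (-20,24) and processes_doUpload.php (-16,35) hunks of the same commit remove theirs, so after this commit every uploaded or saved template is written exactly as received while the commit message still says that non-HTML code is stripped. If the filter was dropped because it mangled legitimate templates, that belongs in the message, and the handler should keep some server-side restriction in its place, for example refusing a `$_REQUEST['filename']` whose extension is outside a short allow-list before the `fopen()` that precedes this hunk. As it stands the message and the code disagree, which will mislead whoever audits this later. The `case 'saveFile':` block starts before the hunk.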
@@ -7,7 +8,7 @@ if ( $RBAC->userCanAccess('PM_FACTORY') == 1) {
 die;
 }
 switch ($_POST['form']['MAIN_DIRECTORY']) {
- case 'mailTemplates':
+ case 'mailTemplates':
 $sDirectory = PATH_DATA_MAILTEMPLATES . $_POST['form']['PRO_UID'] . PATH_SEP . ($_POST['form']['CURRENT_DIRECTORY'] != '' ? $_POST['form']['CURRENT_DIRECTORY'] . PATH_SEP : '');
 break;
 case 'public':
@@ -20,24 +21,6 @@ if ( $RBAC->userCanAccess('PM_FACTORY') == 1) {
 for ($i = 1; $i <= 5; $i ++) {
 if ($_FILES['form']['tmp_name']['FILENAME' . (string) $i] != '') {
 G::uploadFile( $_FILES['form']['tmp_name']['FILENAME' . (string) $i], $sDirectory, $_FILES['form']['name']['FILENAME' . (string) $i] );
- $fp = fopen($sDirectory, $_FILES['form']['name']['FILENAME' . (string) $i] , 'rw');
- $content = fread($fp, filesize($sDirectory, $_FILES['form']['name']['FILENAME' . (string) $i] ));
- $fields = array('!--', '--', '!DOCTYPE', 'a', 'abbr', 'acronym', 'address', 'applet', 'area',
- 'article', 'aside', 'audio', 'b', 'base', 'basefont', 'bdi', 'bdo', 'big',
- 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite',
- 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn',
- 'dialog', 'dir', 'div', 'dl', 'dt', 'em', 'embed', 'fieldset', 'figcaption',
- 'figure', 'font', 'footer', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4',
- 'h5', 'h6', 'head', 'header', 'hr', 'html', 'i', 'iframe', 'img', 'input', 'ins',
- 'kbd', 'keygen', 'label', 'legend', 'li', 'link', 'map', 'mark', 'menu', 'meta',
- 'meter', 'nav', 'noframes', 'noscript', 'object', 'ol', 'optgroup', 'option',
- 'output', 'p', 'param', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp',
- 'script', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style',
- 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
- 'time', 'title', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr');
- $content = G::sanitizeInput($content, $fields, array(), 0, 1, 0);
- fwrite( $fp, $content );
- fclose($fp);
 }
 }
 }
diff --git a/workflow/engine/methods/processes/processes_doUpload.php b/workflow/engine/methods/processes/processes_doUpload.php
index 7653c726f..06bc75d7c 100755
--- a/workflow/engine/methods/processes/processes_doUpload.php
+++ b/workflow/engine/methods/processes/processes_doUpload.php
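Review bot: With the sanitize step gone, the loop body is just `G::uploadFile()` guarded by `$_FILES['form']['tmp_name']['FILENAME' . (string) $i] != ''`; unlike processes_doUpload.php, the per-file `error` code in `$_FILES['form']['error']` is never consulted, so a failed or partial upload is handled like a good one, and reading the `'FILENAME' . $i` index without `isset()` raises notices whenever fewer than five inputs are posted. A guard such as `if (isset($_FILES['form']['error']['FILENAME' . (string) $i]) && $_FILES['form']['error']['FILENAME' . (string) $i] === UPLOAD_ERR_OK) {` covers both. The client-supplied `$_FILES['form']['name'][...]` is still passed as the stored name; what `G::uploadFile()` does with it is not visible here.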
@@ -2,11 +2,16 @@
 sleep( 1 );
 global $RBAC;
 if ( $RBAC->userCanAccess('PM_FACTORY') == 1) {
-
 if (isset( $_SESSION['processes_upload'] )) {
 $form = $_SESSION['processes_upload'];
+ G::LoadClass('processes');
+ $app = new Processes();
+ if (!$app->processExists($form['PRO_UID'])) {
+ echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
+ die;
+ }
 switch ($form['MAIN_DIRECTORY']) {
- case 'mailTemplates':
+ case 'mailTemplates':
 $sDirectory = PATH_DATA_MAILTEMPLATES . $form['PRO_UID'] . PATH_SEP . ($form['CURRENT_DIRECTORY'] != '' ? $form['CURRENT_DIRECTORY'] . PATH_SEP : '');
 break;
 case 'public':
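Review bot: Moving the `processExists()` check ahead of the `switch` is fine, but the whole block still sits inside `if (isset( $_SESSION['processes_upload'] ))` with no `else`, so when the session entry is missing `$sDirectory` is never assigned and the `G::uploadFile()` call further down the file runs with an undefined target. Add a terminating branch where that `if` closes (past this hunk), e.g. `} else { die(); }`, or initialise `$sDirectory` and check it before the upload. The `if ( $RBAC->userCanAccess(...))` block that encloses the hunk also closes after it.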
@@ -16,35 +21,10 @@ if ( $RBAC->userCanAccess('PM_FACTORY') == 1) {
 die();
 break;
 }
- G::LoadClass('processes');
- $app = new Processes();
- if (!$app->processExists($form['PRO_UID'])) {
- echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
- die;
- }
-
 }
 if ($_FILES['form']['error'] == "0") {
 G::uploadFile( $_FILES['form']['tmp_name'], $sDirectory, $_FILES['form']['name'] );
- $fp = fopen($sDirectory . $_FILES['form']['name'], 'rw');
- $content = fread($fp, filesize($sDirectory . $_FILES['form']['name']));
- $fields = array('!--', '--', '!DOCTYPE', 'a', 'abbr', 'acronym', 'address', 'applet', 'area',
- 'article', 'aside', 'audio', 'b', 'base', 'basefont', 'bdi', 'bdo', 'big',
- 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite',
- 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn',
- 'dialog', 'dir', 'div', 'dl', 'dt', 'em', 'embed', 'fieldset', 'figcaption',
- 'figure', 'font', 'footer', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4',
- 'h5', 'h6', 'head', 'header', 'hr', 'html', 'i', 'iframe', 'img', 'input', 'ins',
- 'kbd', 'keygen', 'label', 'legend', 'li', 'link', 'map', 'mark', 'menu', 'meta',
- 'meter', 'nav', 'noframes', 'noscript', 'object', 'ol', 'optgroup', 'option',
- 'output', 'p', 'param', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp',
- 'script', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style',
- 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
- 'time', 'title', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr');
- $content = G::sanitizeInput($content, $fields, array(), 0, 1, 0);
- fwrite( $fp, $content );
- fclose($fp);
 $msg = "Uploaded (" . (round( (filesize( $sDirectory . $_FILES['form']['name'] ) / 1024) * 10 ) / 10) . " kb)";
 $result = 1;
 //echo $sDirectory.$_FILES['form']['name'];
From f2a223a6a022ae27e46b60feaee49336137a2b34 Mon Sep 17 00:00:00 2001
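Review bot: `//echo $sDirectory.$_FILES['form']['name'];` is a commented-out debug line carried along on the new side; it should be deleted rather than kept. In the same stretch `$_FILES['form']['error'] == "0"` compares the integer upload error code with a string, and `$_FILES['form']['error'] === UPLOAD_ERR_OK` says what is meant without the loose comparison. The `if ( $RBAC->userCanAccess(...))` block enclosing this hunk closes after it.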
From: Marco Antonio Nina
Date: Thu, 19 Dec 2013 15:08:07 -0400
Subject: [PATCH 3/4] BUG-FILES Upload files templates IMPROVEMENT
- Al subir los templates no se valida el tipo.
- Se agrego la validacion del PRO_UID, ademas de tener el permiso PM_FACTORY y se quita cualquier tipo de codigo que no sea html en los archivos processes_doUpload.php, processes_Ajax.php, processes_UploadFiles.php.
---
 workflow/engine/methods/processes/processes_UploadFiles.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/workflow/engine/methods/processes/processes_UploadFiles.php b/workflow/engine/methods/processes/processes_UploadFiles.php
index abcf6004f..11fe25373 100755
--- a/workflow/engine/methods/processes/processes_UploadFiles.php
+++ b/workflow/engine/methods/processes/processes_UploadFiles.php
@@ -3,7 +3,7 @@ global $RBAC;
 if ( $RBAC->userCanAccess('PM_FACTORY') == 1) {
 G::LoadClass('processes');
 $app = new Processes();
- if (!$app->processExists($_REQUEST['pro_uid'])) {
+ if (!$app->processExists($_POST['form']['PRO_UID'])) {
 echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
 die;
 }
From ba8368fb0002e7c497edb91766345abcb86df0dc Mon Sep 17 00:00:00 2001
From: Marco Antonio Nina
Date: Thu, 19 Dec 2013 15:55:17 -0400
Subject: [PATCH 4/4] BUG-FILES Upload files templates IMPROVEMENT Al subir los templates no se valida el tipo. Se agrego la validacion del PRO_UID, ademas de tener el permiso PM_FACTORY y se quita cualquier tipo de codigo que no sea html en los archivos processes_doUpload.php, processes_Ajax.php, processes_Upload
---
 workflow/engine/methods/processes/processes_doUpload.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/workflow/engine/methods/processes/processes_doUpload.php b/workflow/engine/methods/processes/processes_doUpload.php
index 06bc75d7c..90dc80850 100755
--- a/workflow/engine/methods/processes/processes_doUpload.php
+++ b/workflow/engine/methods/processes/processes_doUpload.php
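Review bot: The check now reads the same `$_POST['form']['PRO_UID']` that the `switch` below builds the path from, which closes the gap between what is validated and what is used, but the index is read without `isset()`, so a request that omits it raises a notice and hands `null` to `processExists()`. Resolve it once and guard on it: `$proUid = isset($_POST['form']['PRO_UID']) ? $_POST['form']['PRO_UID'] : '';` then `if ($proUid === '' || !$app->processExists($proUid)) {`. The `if ( $RBAC->userCanAccess(...))` block that opens in this hunk closes after it.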
@@ -7,7 +7,9 @@ if ( $RBAC->userCanAccess('PM_FACTORY') == 1) {
 G::LoadClass('processes');
 $app = new Processes();
 if (!$app->processExists($form['PRO_UID'])) {
- echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
+ $result = 0;
+ $msg = G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
+ echo "{'result': $result, 'msg':'$msg'}";
 die;
 }
 switch ($form['MAIN_DIRECTORY']) {
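Review bot: The added `echo "{'result': $result, 'msg':'$msg'}";` interpolates a translated message into a hand-built single-quoted pseudo-JSON literal, so an apostrophe in the translation breaks the response, and the same literal is now written twice in the file (here and at the end of the script). Emit it through an encoder, `echo json_encode(array('result' => 0, 'msg' => $msg));`, provided the client parses real JSON rather than the current single-quoted form; that is not visible in this diff and needs checking against the caller. If the client cannot change, the message should at least be escaped before it is interpolated. The enclosing `if ( $RBAC->userCanAccess(...))` and `if (isset(...))` blocks open before this hunk and close after it.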