From 7104ece311e57193bfc97f3ada69b3b2a9923d69 Mon Sep 17 00:00:00 2001
From: "marcelo.cuiza"
Date: Thu, 26 Mar 2015 17:41:41 -0400
Subject: [PATCH] veracode issues

---
 gulliver/system/class.g.php | 8 ++++++-
 .../engine/classes/model/AddonsManager.php | 2 +-
 workflow/engine/methods/cases/cases_Step.php | 23 +++++++++++++++----
 3 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php
index 3c0e050f3..856997090 100755
--- a/gulliver/system/class.g.php
+++ b/gulliver/system/class.g.php
@@ -2635,9 +2635,15 @@ class G
 if (! is_dir( $path )) {
 G::verifyPath( $path, true );
 }
- move_uploaded_file( $file, $path . "/" . $nameToSave );
+
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $file = $filter->xssFilterHard($file, "path");
+
+ $f = move_uploaded_file( $file, $path . "/" . $nameToSave );
 @chmod( $path . "/" . $nameToSave, $permission );
 umask( $oldumask );
+
 } catch (Exception $oException) {
 throw $oException;
 }
diff --git a/workflow/engine/classes/model/AddonsManager.php b/workflow/engine/classes/model/AddonsManager.php
index 7eb78f9a9..ada2ffb3e 100644
--- a/workflow/engine/classes/model/AddonsManager.php
+++ b/workflow/engine/classes/model/AddonsManager.php
@@ -215,7 +215,7 @@ class AddonsManager extends BaseAddonsManager
 $var = explode("&", $aux[1]);
 ///////
- $boundary = "---------------------" . substr(md5(rand(0, 32000)), 0, 10);
+ $boundary = "---------------------" . substr(G::encryptOld(rand(0, 32000)), 0, 10);
 $data = null;
 for ($i = 0; $i <= count($var) - 1; $i++) {
diff --git a/workflow/engine/methods/cases/cases_Step.php b/workflow/engine/methods/cases/cases_Step.php
index 3b0e14ba9..6d18ea885 100755
--- a/workflow/engine/methods/cases/cases_Step.php
+++ b/workflow/engine/methods/cases/cases_Step.php
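Review bot: The new `$f = move_uploaded_file(...)` result is stored but never checked, so a failed move (the function returns false rather than throwing) falls through to `@chmod` on a file that does not exist and the surrounding `catch` never fires; add `if (!$f) { throw new Exception('Could not move uploaded file to ' . $path . '/' . $nameToSave); }` right after the call. Running `xssFilterHard(..., "path")` over `$file` addresses the scanner finding but not the value that is actually attacker-influenceable here: `$nameToSave` is concatenated into the destination unfiltered in both the move and the chmod, so if it can originate from request data (not visible in this hunk) a `basename($nameToSave)` or an explicit separator check is the guard that matters. move_uploaded_file() already refuses sources that are not PHP-managed uploads, so filtering `$file` adds little and, depending on what the filter does to slashes, could mangle a legitimate temp path. The enclosing method and its try block start outside the hunk.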
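Review bot: Swapping `md5()` for `G::encryptOld()` does not change the weakness in the boundary: the input is still `rand(0, 32000)`, roughly 15 bits from a non-cryptographic generator, so the boundary stays predictable however it is hashed or encrypted afterwards. A multipart boundary only has to be unlikely to occur in the payload, so the real fix is a proper random source, e.g. `$boundary = "---------------------" . bin2hex(openssl_random_pseudo_bytes(5));` (or `random_bytes(5)` on PHP 7+), which also drops the dependency on `G` from this model class. What `G::encryptOld` returns is not visible in the hunk, but it cannot add entropy that the 15-bit input lacks. The enclosing method starts and ends outside the hunk.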
@@ -518,16 +518,22 @@ try {
 $util = new Java( "com.processmaker.util.pmutils" );
 $util->setInputPath( $javaInput );
 $util->setOutputPath( $javaOutput );
+
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
 //$content = file_get_contents ( PATH_DYNAFORM . $aOD['PRO_UID'] . PATH_SEP . $aOD['OUT_DOC_UID'] . '.jrxml' );
 //$iSize = file_put_contents ( $javaInput . $aOD['OUT_DOC_UID'] . '.jrxml', $content );
- copy( PATH_DYNAFORM . $aOD['PRO_UID'] . PATH_SEP . $aOD['OUT_DOC_UID'] . '.jrxml', $javaInput . $aOD['OUT_DOC_UID'] . '.jrxml' );
+ $locationFrom = PATH_DYNAFORM . $aOD['PRO_UID'] . PATH_SEP . $aOD['OUT_DOC_UID'] . '.jrxml';
+ $locationFrom = $filter->xssFilterHard($locationFrom, "path");
+ copy( $locationFrom, $javaInput . $aOD['OUT_DOC_UID'] . '.jrxml' );
 $outputFile = $javaOutput . $sFilename . '.pdf';
 print $util->jrxml2pdf( $aOD['OUT_DOC_UID'] . '.jrxml', basename( $outputFile ) );
 //$content = file_get_contents ( $outputFile );
 //$iSize = file_put_contents ( $pathOutput . $sFilename . '.pdf' , $content );
+ $outputFile = $filter->xssFilterHard($outputFile, "path");
 copy( $outputFile, $pathOutput . $sFilename . '.pdf' );
 //die;
 break;
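Review bot: The filter is applied to the assembled source path but not to the destinations built from the same values: `$javaInput . $aOD['OUT_DOC_UID'] . '.jrxml'` and `$pathOutput . $sFilename . '.pdf'` use `$aOD['OUT_DOC_UID']` and `$sFilename` raw, so if `xssFilterHard(..., "path")` is meant to neutralise traversal in those components the destination side is still unguarded; the same pattern, with the same unchecked `copy()` calls, is in the next hunk (the AcroFields case). Filtering `$outputFile` only after `basename($outputFile)` has already been passed to `jrxml2pdf` also means the name the Java side writes and the name this code then copies can differ whenever the filter changes the string. Filter the components once before any path is built, e.g. `$outDocUid = $filter->xssFilterHard($aOD['OUT_DOC_UID'], "path");` and `$fileName = $filter->xssFilterHard($sFilename, "path");`, and use those in every concatenation. Both `copy()` calls ignore their boolean result, so a failed copy silently yields a missing or stale PDF; `if (!copy($locationFrom, $javaInput . $outDocUid . '.jrxml')) { throw new Exception('Could not stage ' . $locationFrom); }` would surface it through the enclosing try. The try/switch this case belongs to starts and ends outside the hunk.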
@@ -547,13 +553,20 @@ try {
 $util = new Java( "com.processmaker.util.pmutils" );
 $util->setInputPath( $javaInput );
 $util->setOutputPath( $javaOutput );
-
- copy( PATH_DYNAFORM . $aOD['PRO_UID'] . PATH_SEP . $aOD['OUT_DOC_UID'] . '.pdf', $javaInput . $aOD['OUT_DOC_UID'] . '.pdf' );
+
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+
+ $locationFrom = PATH_DYNAFORM . $aOD['PRO_UID'] . PATH_SEP . $aOD['OUT_DOC_UID'] . '.pdf';
+ $locationFrom = $filter->xssFilterHard($locationFrom, "path");
+ copy( $locationFrom, $javaInput . $aOD['OUT_DOC_UID'] . '.pdf' );
 $outputFile = $javaOutput . $sFilename . '.pdf';
 print $util->writeVarsToAcroFields( $aOD['OUT_DOC_UID'] . '.pdf', $xmlData );
-
- copy( $javaOutput . $aOD['OUT_DOC_UID'] . '.pdf', $pathOutput . $sFilename . '.pdf' );
+
+ $locationFrom = $javaOutput . $aOD['OUT_DOC_UID'] . '.pdf';
+ $locationFrom = $filter->xssFilterHard($locationFrom, "path");
+ copy( $locationFrom, $pathOutput . $sFilename . '.pdf' );
 break;
 default:
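Review bot: `G::LoadSystem('inputfilter')` and `$filter = new InputFilter();` are repeated here after the identical two lines were added to the jrxml case above; load the filter once before the `switch` so every branch shares one `$filter` and the setup cannot be forgotten in the next output-document type that is added. Reusing `$locationFrom` for two different files in the same branch also reads poorly; name them for what they are, e.g. `$templateFile` for the PATH_DYNAFORM source and `$generatedFile` for the `$javaOutput` result. The `try` and `switch` enclosing this case start and end outside the hunk.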