Medium: Directory Traversal

Hor-835 fix obs
dheeyi
2016-04-22 14:04:45 -04:00
parent 4cc8a1e92a
commit afd469d756
6 changed files with 68 additions and 244 deletions


@@ -190,12 +190,17 @@ try {
include (PATH_METHODS . 'processes/processes_webEntryValidate.php');
break;
case 'webEntry_delete':
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$form = $_REQUEST;
if(file_exists(PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public" . PATH_SEP . $form['PRO_UID'] . PATH_SEP . $form['FILENAME'])) {
unlink(PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public" . PATH_SEP . $form['PRO_UID'] . PATH_SEP . $form['FILENAME']);
unlink($filter->validateInput(PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public" .
PATH_SEP . $form['PRO_UID'] . PATH_SEP . $form['FILENAME'], 'path'));
}
if(file_exists(PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public" . PATH_SEP . $form['PRO_UID'] . PATH_SEP . str_replace(".php", "Post", $form['FILENAME']) . ".php")) {
unlink(PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public" . PATH_SEP . $form['PRO_UID'] . PATH_SEP . str_replace(".php", "Post", $form['FILENAME']) . ".php");
unlink($filter->validateInput(PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public" .
PATH_SEP . $form['PRO_UID'] . PATH_SEP . str_replace(".php", "Post", $form['FILENAME']) . ".php",
'path'));
}
$oProcessMap->webEntry($_REQUEST['PRO_UID']);
G::auditLog('WebEntry','Delete web entry ('.$form['FILENAME'].') in process "'.$resultProcess['PRO_TITLE'].'"');
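Review bot: Both `unlink()` calls in `webEntry_delete` still act on a path assembled from `$_REQUEST['PRO_UID']` and `$_REQUEST['FILENAME']`, and the `file_exists()` guards in front of them test the raw, unfiltered string, so the deletion is only as confined as `validateInput(..., 'path')` makes it. That helper's body is not visible in this hunk; unless it canonicalises the path and rejects `..` segments, a request can still name a file outside the workspace's `public` directory. I would reduce both request values to a single path component, resolve the result with `realpath()`, and delete only when the resolved path lies under the `public` directory, as sketched below. The `case` sits in a `switch` inside a `try` that begins and ends outside the hunk.

```php
case 'webEntry_delete':
    // … unchanged: InputFilter setup and $form = $_REQUEST …
    $publicDir = realpath(PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public");
    // Keep only the last path component of each request value.
    $proUid = basename((string) $form['PRO_UID']);
    $fileName = basename((string) $form['FILENAME']);
    $targets = array(
        $fileName,
        str_replace(".php", "Post", $fileName) . ".php",
    );
    foreach ($targets as $target) {
        $resolved = ($publicDir === false)
            ? false
            : realpath($publicDir . PATH_SEP . $proUid . PATH_SEP . $target);
        // Delete only a regular file whose canonical path is inside the public directory.
        if ($resolved !== false && strpos($resolved, $publicDir . PATH_SEP) === 0 && is_file($resolved)) {
            unlink($resolved);
        }
    }
    // … unchanged: $oProcessMap->webEntry() call and audit log …
```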