Merged in mcuiza/processmaker/veracode-medium-issues (pull request #1867)
veracode medium issues
This commit is contained in:
Julio Cesar Laura Avendaño
@@ -3797,6 +3797,10 @@ class Cases
|
||||
if (!is_dir($strPathName)) {
|
||||
G::verifyPath($strPathName, true);
|
||||
}
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$file = $filter->xssFilterHard($file, 'path');
|
||||
|
||||
copy($file, $strPathName . $strFileName);
|
||||
chmod($strPathName . $strFileName, 0666);
|
||||
|
||||
@@ -442,6 +442,10 @@ class pmLicenseManager
|
||||
$LicenseStatus = $this->lookForStatusLicense(); //we're looking for a status ACTIVE
|
||||
|
||||
//getting the content from file
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$path = $filter->xssFilterHard($path, 'path');
|
||||
|
||||
$handle = fopen ( $path, "r" );
|
||||
$contents = fread ( $handle, filesize ( $path ) );
|
||||
fclose ( $handle );
|
||||
|
||||
@@ -287,6 +287,7 @@ class System
|
||||
$tempFilename = isset( $_FILES['form']['tmp_name']['UPGRADE_FILENAME'] ) ? $_FILES['form']['tmp_name']['UPGRADE_FILENAME'] : '';
|
||||
$this->sRevision = str_replace( '.tar.gz', '', str_replace( 'pmos-patch-', '', $upgradeFilename ) );
|
||||
$sTemFilename = $tempFilename;
|
||||
$sTemFilename = $filter->xssFilterHard($sTemFilename, 'path');
|
||||
$pathFile = $filter->xssFilterHard(PATH_DATA . 'upgrade' . PATH_SEP . $upgradeFilename, 'path');
|
||||
$this->sFilename = $pathFile;
|
||||
$this->sPath = dirname( $this->sFilename ) . PATH_SEP;
|
||||
|
||||
@@ -669,10 +669,12 @@ class pmTablesProxy extends HttpProxyController
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$countRow = 250;
|
||||
if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $_FILES['form']['tmp_name']['CSV_FILE'] ) ) === 0) {
|
||||
$tmpfilename = $_FILES['form']['tmp_name']['CSV_FILE'];
|
||||
$tmpfilename = $filter->xssFilterHard($tmpfilename, 'path');
|
||||
if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $tmpfilename ) ) === 0) {
|
||||
$filename = $_FILES['form']['name']['CSV_FILE'];
|
||||
$filename = $filter->xssFilterHard($filename, 'path');
|
||||
if ($oFile = fopen( $_FILES['form']['tmp_name']['CSV_FILE'], 'r' )) {
|
||||
if ($oFile = fopen( $tmpfilename, 'r' )) {
|
||||
require_once 'classes/model/AdditionalTables.php';
|
||||
$oAdditionalTables = new AdditionalTables();
|
||||
$aAdditionalTables = $oAdditionalTables->load( $_POST['form']['ADD_TAB_UID'], true );
|
||||
@@ -767,10 +769,12 @@ class pmTablesProxy extends HttpProxyController
|
||||
{
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $_FILES['form']['tmp_name']['CSV_FILE'] ) ) === 0) {
|
||||
$tmpfilename = $_FILES['form']['tmp_name']['CSV_FILE'];
|
||||
$tmpfilename = $filter->xssFilterHard($tmpfilename, 'path');
|
||||
if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $tmpfilename ) ) === 0) {
|
||||
$filename = $_FILES['form']['name']['CSV_FILE'];
|
||||
$filename = $filter->xssFilterHard($filename, 'path');
|
||||
if ($oFile = fopen( $_FILES['form']['tmp_name']['CSV_FILE'], 'r' )) {
|
||||
if ($oFile = fopen( $tmpfilename, 'r' )) {
|
||||
require_once 'classes/model/AdditionalTables.php';
|
||||
$oAdditionalTables = new AdditionalTables();
|
||||
$aAdditionalTables = $oAdditionalTables->load( $_POST['form']['ADD_TAB_UID'], true );
|
||||
|
||||
@@ -61,6 +61,7 @@ try {
|
||||
|
||||
$languageFile = $_FILES['form']['tmp_name']['LANGUAGE_FILENAME'];
|
||||
$languageFilename = $_FILES['form']['name']['LANGUAGE_FILENAME'];
|
||||
$languageFile = $filter->xssFilterHard($languageFile, 'path');
|
||||
$languageFilename = $filter->xssFilterHard($languageFilename, 'path');
|
||||
if (substr_compare( $languageFilename, ".gz", - 3, 3, true ) == 0) {
|
||||
$zp = gzopen( $languageFile, "r" );
|
||||
|
||||
Reference in New Issue
Block a user