From f8300900b5898a6ba3218215fd91b3ef176070fe Mon Sep 17 00:00:00 2001
From: Marco Antonio Nina Mena
Date: Wed, 11 Oct 2017 12:56:52 -0400
Subject: [PATCH] HOR-3920 Unauthenticated calling of may Ajax pages with tracker_designer=1 (URL INJECTION)
- Add validation in sysGeneric with session PIN and CASE
---
 workflow/engine/controllers/admin.php | 19 ++++++++++++-------
 workflow/public_html/sysGeneric.php | 16 +++++++++-------
 2 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/workflow/engine/controllers/admin.php b/workflow/engine/controllers/admin.php
index aa87d89ca..76871c03e 100644
--- a/workflow/engine/controllers/admin.php
+++ b/workflow/engine/controllers/admin.php
@@ -196,15 +196,20 @@ class Admin extends Controller
 $this->render('extJs');
 }
- function getSystemInfo ()
+ public function getSystemInfo()
 {
- $this->setResponseType( 'json' );
- $infoList = $this->_getSystemInfo();
- $data = array ();
+ global $RBAC;
+ $RBAC->requirePermissions('PM_SETUP');
- foreach ($infoList as $row) {
- $data[] = array ('label' => $row[0],'value' => $row[1],'section' => $row[2]
- );
+ $this->setResponseType('json');
+ $data = [];
+
+ foreach ($this->_getSystemInfo() as $row) {
+ $data[] = [
+ 'label' => $row[0],
+ 'value' => $row[1],
+ 'section' => $row[2]
+ ];
 }
 return $data;
 }
diff --git a/workflow/public_html/sysGeneric.php b/workflow/public_html/sysGeneric.php
index d61fbc598..f0c0503d3 100644
--- a/workflow/public_html/sysGeneric.php
+++ b/workflow/public_html/sysGeneric.php
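Review bot: `$RBAC->requirePermissions('PM_SETUP')` is called only for its side effect and its result is discarded, so the new guard in getSystemInfo is exactly as strong as that method's behaviour on denial, which is not visible in this hunk; if it reports a missing permission by return value rather than by ending the request, the system-info payload is still built and returned as JSON. Confirm that it terminates the request (redirect or exit) on denial, or make the guard fail closed locally with something like `if (!$RBAC->requirePermissions('PM_SETUP')) { return []; }` — only if its return contract actually supports that. The method also became public and gained an authorization requirement without any documentation; add a docblock such as `/** System information for the admin panel; requires the PM_SETUP permission, enforced through the global RBAC. @return array<int, array{label:string, value:mixed, section:string}> */` so the next caller knows the guard is intentional.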
@@ -999,23 +999,25 @@ if (! defined( 'EXECUTE_BY_CRON' )) {
 }
 }
- if ($bRedirect && !isset($_GET["tracker_designer"])) {
- if (substr( SYS_SKIN, 0, 2 ) == 'ux' && SYS_SKIN != 'uxs') { // verify if the current skin is a 'ux' variant
+ if ($bRedirect &&
+ (!isset($_GET['tracker_designer']) || (!isset($_SESSION['CASE']) && !isset($_SESSION['PIN']))) &&
+ $_GET['tracker_designer'] !== 1) {
+ if (substr(SYS_SKIN, 0, 2) === 'ux' && SYS_SKIN !== 'uxs') { // verify if the current skin is a 'ux' variant
 $loginUrl = 'main/login';
- } else if (strpos( $_SERVER['REQUEST_URI'], '/home' ) !== false) { //verify is it is using the uxs skin for simplified interface
+ } else if (strpos($_SERVER['REQUEST_URI'], '/home') !== false) { //verify is it is using the uxs skin for simplified interface
 $loginUrl = 'home/login';
 } else {
 $loginUrl = 'login/login'; // just set up the classic login
 }
- if (empty( $_POST )) {
- header( 'location: ' . SYS_URI . $loginUrl . '?u=' . urlencode( $_SERVER['REQUEST_URI'] ) );
+ if (empty($_POST)) {
+ header('location: ' . SYS_URI . $loginUrl . '?u=' . urlencode($_SERVER['REQUEST_URI']));
 } else {
 if ($isControllerCall) {
- header( "HTTP/1.0 302 session lost in controller" );
+ header("HTTP/1.0 302 session lost in controller");
 } else {
- header( 'location: ' . SYS_URI . $loginUrl );
+ header('location: ' . SYS_URI . $loginUrl);
 }
 }
 die();
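Review bot: The third clause of the new redirect guard, `$_GET['tracker_designer'] !== 1`, is dead code that also emits an undefined-index notice: `$_GET` values are always strings, so the strict comparison against integer `1` is always true, and when the parameter is absent (every ordinary unauthenticated request) the index is still read because the `!isset` in the second clause only short-circuits the inner `||`, not the outer `&&`. It does no harm today precisely because it is always true, but anyone "correcting" it to `!== '1'` would reopen the hole: `tracker_designer=1` with no session would then make the clause false and skip the login redirect. Drop the clause and state the intent directly, e.g. `$trackerBypass = isset($_GET['tracker_designer']) && (isset($_SESSION['CASE']) || isset($_SESSION['PIN']));` followed by `if ($bRedirect && !$trackerBypass) {`. Note that the bypass still only checks that a CASE or PIN key exists in the session, not that the requested page belongs to that case, so whether this is sufficient depends on what sysGeneric enforces elsewhere. The enclosing `if (! defined('EXECUTE_BY_CRON'))` block begins and ends outside this hunk.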