fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

HOR-3920 Unauthenticated calling of may Ajax pages with tracker_designer=1 (URL INJECTION)

Browse Source 
- Add validation in sysGeneric with session PIN and CASE
This commit is contained in:
Marco Antonio Nina Mena
2017-10-11 12:56:52 -04:00
parent 0fc897e90a
commit f8300900b5
2 changed files with 21 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
workflow/engine/controllers/admin.php
View File

@@ -196,15 +196,20 @@ class Admin extends Controller
$this->render('extJs');
}
function getSystemInfo ()
public function getSystemInfo()
{
$this->setResponseType( 'json' );
$infoList = $this->_getSystemInfo();
$data = array ();
global $RBAC;
$RBAC->requirePermissions('PM_SETUP');
foreach ($infoList as $row) {
$data[] = array ('label' => $row[0],'value' => $row[1],'section' => $row[2]
);
$this->setResponseType('json');
$data = [];
foreach ($this->_getSystemInfo() as $row) {
$data[] = [
'label' => $row[0],
'value' => $row[1],
'section' => $row[2]
];
}
return $data;
}