fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

PMCORE-1191

Browse Source
This commit is contained in:
Andrea Adamczyk
2020-04-08 15:58:19 -04:00
parent e5f455fff3
commit fd1694fd2e
4 changed files with 38 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
workflow/engine/methods/cases/cases_ShowDocument.php
View File

@@ -46,7 +46,7 @@ if (empty($_GET['v'])) {
//Send the parameter a = Case UID
if ($RBAC->userCanAccess('PM_FOLDERS_ALL') != 1 && defined('DISABLE_DOWNLOAD_DOCUMENTS_SESSION_VALIDATION') && DISABLE_DOWNLOAD_DOCUMENTS_SESSION_VALIDATION == 0) {
if (!$oAppDocument->canDownloadInput($_SESSION['USER_LOGGED'], $_GET['a'], $docVersion)) {
G::header('Location: /errors/error403.php');
G::header('Location: /errors/error403.php?url=' . urlencode($_SERVER['REQUEST_URI']));
die();
}
}

7
workflow/engine/methods/cases/cases_ShowOutputDocument.php
View File

@@ -53,20 +53,21 @@ if ($RBAC->userCanAccess('PM_FOLDERS_ALL') != 1 && defined('DISABLE_DOWNLOAD_DOC
$sAppDocUid
)
) {
G::header('Location: /errors/error403.php');
G::header('Location: /errors/error403.php?url=' . urlencode($_SERVER['REQUEST_URI']));
die();
}
}
$docFileName = fixContentDispositionFilename($oAppDocument->getAppDocFilename());
$info = pathinfo($docFileName);
if (!isset($_GET['ext'])) {
$ext = $info['extension'];
$ext = (!empty($info['extension'])) ? $info['extension']: 'pdf';
} else {
if ($_GET['ext'] != '') {
$ext = $_GET['ext'];
} else {
$ext = $info['extension'];
$ext = (!empty($info['extension'])) ? $info['extension']: 'pdf';
}
}
$ver = (isset($_GET['v']) && $_GET['v'] != '') ? '_' . $_GET['v'] : '';

32
workflow/engine/methods/login/login.php
View File

@@ -39,20 +39,40 @@ $aFields = array();
//Validated redirect url
$aFields['URL'] = '';
if (!empty($_GET['u'])) {
if (!empty($_GET['u']) || !empty($_GET['url'])) {
//clean url with protocols
$flagUrl = true;
//Most used protocols
$protocols = ['https://', 'http://', 'ftp://', 'sftp://','smb://', 'file:', 'mailto:'];
foreach ($protocols as $protocol) {
if (strpos($_GET['u'], $protocol) !== false) {
$_GET['u'] = '';
$flagUrl = false;
break;
if (!empty($_GET['u'])) {
if (strpos($_GET['u'], $protocol) !== false) {
$_GET['u'] = '';
$flagUrl = false;
break;
}
}
if (!empty($_GET['url'])) {
if (strpos($_GET['url'], $protocol) !== false) {
$_GET['url'] = '';
$flagUrl = false;
break;
}
}
}
if ($flagUrl) {
$aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['u']))))));
if (!empty($_GET['u'])) {
$aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['u']))))));
} elseif (!empty($_GET['url'])) {
$aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['url']))))));
}
//The following validations are only for the links to an output document
if(!empty($_GET['v']) && (strpos($aFields['URL'], '/cases/cases_ShowOutputDocument') != false)) {
$aFields['URL'] .= "&v=" . $_GET['v'];
}
if(!empty($_GET['ext']) && (strpos($aFields['URL'], '/cases/cases_ShowOutputDocument') != false)) {
$aFields['URL'] .= "&ext=" . $_GET['ext'];
}
}
}