PMCORE-1191
This commit is contained in:
Andrea Adamczyk
@@ -27,10 +27,15 @@ if (isset($_GET["url"]) && $_GET["url"] != "") {
|
||||
}
|
||||
|
||||
if ($sysSys != "" && $sysLang != "" && $sysSkin != "") {
|
||||
if (count($url) > 4) {
|
||||
$urlLogin = $http . "://" . $host . "/sys" . $sysSys . "/" . $sysLang . "/" . $sysSkin . "/login/login" . "?url=" . implode("/", $url);
|
||||
$urlHome = $http . "://" . $host . "/sys" . $sysSys . "/" . $sysLang . "/" . $sysSkin . "/cases/main" . "?url=" . implode("/", $url);
|
||||
} else {
|
||||
$urlLogin = $http . "://" . $host . "/sys" . $sysSys . "/" . $sysLang . "/" . $sysSkin . "/login/login";
|
||||
$urlHome = $http . "://" . $host . "/sys" . $sysSys . "/" . $sysLang . "/" . $sysSkin . "/cases/main";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
<!DOCTYPE html>
|
||||
|
||||
@@ -46,7 +46,7 @@ if (empty($_GET['v'])) {
|
||||
//Send the parameter a = Case UID
|
||||
if ($RBAC->userCanAccess('PM_FOLDERS_ALL') != 1 && defined('DISABLE_DOWNLOAD_DOCUMENTS_SESSION_VALIDATION') && DISABLE_DOWNLOAD_DOCUMENTS_SESSION_VALIDATION == 0) {
|
||||
if (!$oAppDocument->canDownloadInput($_SESSION['USER_LOGGED'], $_GET['a'], $docVersion)) {
|
||||
G::header('Location: /errors/error403.php');
|
||||
G::header('Location: /errors/error403.php?url=' . urlencode($_SERVER['REQUEST_URI']));
|
||||
die();
|
||||
}
|
||||
}
|
||||
|
||||
@@ -53,20 +53,21 @@ if ($RBAC->userCanAccess('PM_FOLDERS_ALL') != 1 && defined('DISABLE_DOWNLOAD_DOC
|
||||
$sAppDocUid
|
||||
)
|
||||
) {
|
||||
G::header('Location: /errors/error403.php');
|
||||
G::header('Location: /errors/error403.php?url=' . urlencode($_SERVER['REQUEST_URI']));
|
||||
die();
|
||||
}
|
||||
}
|
||||
|
||||
$docFileName = fixContentDispositionFilename($oAppDocument->getAppDocFilename());
|
||||
$info = pathinfo($docFileName);
|
||||
|
||||
if (!isset($_GET['ext'])) {
|
||||
$ext = $info['extension'];
|
||||
$ext = (!empty($info['extension'])) ? $info['extension']: 'pdf';
|
||||
} else {
|
||||
if ($_GET['ext'] != '') {
|
||||
$ext = $_GET['ext'];
|
||||
} else {
|
||||
$ext = $info['extension'];
|
||||
$ext = (!empty($info['extension'])) ? $info['extension']: 'pdf';
|
||||
}
|
||||
}
|
||||
$ver = (isset($_GET['v']) && $_GET['v'] != '') ? '_' . $_GET['v'] : '';
|
||||
|
||||
@@ -39,20 +39,40 @@ $aFields = array();
|
||||
|
||||
//Validated redirect url
|
||||
$aFields['URL'] = '';
|
||||
if (!empty($_GET['u'])) {
|
||||
if (!empty($_GET['u']) || !empty($_GET['url'])) {
|
||||
//clean url with protocols
|
||||
$flagUrl = true;
|
||||
//Most used protocols
|
||||
$protocols = ['https://', 'http://', 'ftp://', 'sftp://','smb://', 'file:', 'mailto:'];
|
||||
foreach ($protocols as $protocol) {
|
||||
if (!empty($_GET['u'])) {
|
||||
if (strpos($_GET['u'], $protocol) !== false) {
|
||||
$_GET['u'] = '';
|
||||
$flagUrl = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!empty($_GET['url'])) {
|
||||
if (strpos($_GET['url'], $protocol) !== false) {
|
||||
$_GET['url'] = '';
|
||||
$flagUrl = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
if ($flagUrl) {
|
||||
if (!empty($_GET['u'])) {
|
||||
$aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['u']))))));
|
||||
} elseif (!empty($_GET['url'])) {
|
||||
$aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['url']))))));
|
||||
}
|
||||
//The following validations are only for the links to an output document
|
||||
if(!empty($_GET['v']) && (strpos($aFields['URL'], '/cases/cases_ShowOutputDocument') != false)) {
|
||||
$aFields['URL'] .= "&v=" . $_GET['v'];
|
||||
}
|
||||
if(!empty($_GET['ext']) && (strpos($aFields['URL'], '/cases/cases_ShowOutputDocument') != false)) {
|
||||
$aFields['URL'] .= "&ext=" . $_GET['ext'];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user