From 5a4c35d6c88f2dfc0b9bcf4aaa0b2fe61380856b Mon Sep 17 00:00:00 2001
From: Roly Gutierrez
Date: Tue, 15 Nov 2022 12:07:29 -0400
Subject: [PATCH] PMCORE-4042 Reflected Cross-Site Scripting (XSS)

---
 workflow/engine/methods/setup/showLogoFile.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/workflow/engine/methods/setup/showLogoFile.php b/workflow/engine/methods/setup/showLogoFile.php
index 756d08500..183c7e160 100644
--- a/workflow/engine/methods/setup/showLogoFile.php
+++ b/workflow/engine/methods/setup/showLogoFile.php
@@ -62,16 +62,21 @@ if (is_file( $imagen )) {
 //cpyMoreLogos($dir,$newDir);
 $newDir .= PATH_SEP . $idDecode64;
 $dir .= PATH_SEP . $idDecode64;
- copy( $dir, $newDir );
- showLogo( $newDir );
+ if (file_exists($dir)) {
+ copy($dir, $newDir);
+ showLogo( $newDir );
+ }
 die();
 }
 
 function showLogo ($imagen)
 {
- $info = @getimagesize( $imagen );
- $fp = fopen( $imagen, "rb" );
+ $fp = null;
+ if (file_exists($imagen)) {
+ $fp = fopen($imagen, "rb");
+ $info = @getimagesize($imagen);
+ }
 if ($info && $fp) {
 header( "Content-type: {$info['mime']}" );
 fpassthru( $fp );