From 5e46a359e073a4eca38753579f3fd924723ede35 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 31 Jan 2019 10:16:49 +0100 Subject: [PATCH 1/2] FIX XSS --- htdocs/document.php | 2 +- htdocs/viewimage.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/document.php b/htdocs/document.php index 725d079a9f6..d912c9a2d55 100644 --- a/htdocs/document.php +++ b/htdocs/document.php @@ -77,7 +77,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; $encoding = ''; $action=GETPOST('action','alpha'); -$original_file=GETPOST('file','alpha'); // Do not use urldecode here ($_GET are already decoded by PHP). +$original_file=GETPOST('file','alphanohtml'); // Do not use urldecode here ($_GET are already decoded by PHP). $hashp=GETPOST('hashp','aZ09'); $modulepart=GETPOST('modulepart','alpha'); $urlsource=GETPOST('urlsource','alpha'); diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php index ae2a538ca04..17d5026c0bf 100644 --- a/htdocs/viewimage.php +++ b/htdocs/viewimage.php @@ -79,7 +79,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; $action=GETPOST('action','alpha'); -$original_file=GETPOST('file','alpha'); // Do not use urldecode here ($_GET are already decoded by PHP). +$original_file=GETPOST('file','alphanohtml'); // Do not use urldecode here ($_GET are already decoded by PHP). $hashp=GETPOST('hashp','aZ09'); $modulepart=GETPOST('modulepart','alpha'); $urlsource=GETPOST('urlsource','alpha'); From 484b4371c137bb57303451a44de2aa61a6a50cfe Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 31 Jan 2019 10:16:49 +0100 Subject: [PATCH 2/2] FIX XSS Conflicts: htdocs/viewimage.php --- htdocs/document.php | 2 +- htdocs/viewimage.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/document.php b/htdocs/document.php index 1c722e4cb55..ee8b9e9c096 100644 --- a/htdocs/document.php +++ b/htdocs/document.php @@ -81,7 +81,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; $encoding = ''; $action=GETPOST('action','alpha'); -$original_file=GETPOST('file','alpha'); // Do not use urldecode here ($_GET are already decoded by PHP). +$original_file=GETPOST('file','alphanohtml'); // Do not use urldecode here ($_GET are already decoded by PHP). $hashp=GETPOST('hashp','aZ09'); $modulepart=GETPOST('modulepart','alpha'); $urlsource=GETPOST('urlsource','alpha'); diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php index 7493ef6bee9..1053cc530c9 100644 --- a/htdocs/viewimage.php +++ b/htdocs/viewimage.php @@ -62,7 +62,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; $action=GETPOST('action','alpha'); -$original_file=GETPOST("file",'alpha'); +$original_file=GETPOST('file','alphanohtml'); // Do not use urldecode here ($_GET are already decoded by PHP). $modulepart=GETPOST('modulepart','alpha'); $urlsource=GETPOST("urlsource",'alpha'); $entity=GETPOST('entity','int')?GETPOST('entity','int'):$conf->entity;