From a88938ace458ca62d0db62fe0cca0b2ad14b4f15 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 3 Oct 2017 17:08:16 +0200 Subject: [PATCH] Fix: use GETPOST --- htdocs/admin/security_file.php | 16 ++++++++-------- htdocs/core/class/antivir.class.php | 3 +-- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php index 161ef427265..3e66e0ba541 100644 --- a/htdocs/admin/security_file.php +++ b/htdocs/admin/security_file.php @@ -1,7 +1,7 @@ - * Copyright (C) 2005-2012 Regis Houssin - * Copyright (C) 2013 Juanjo Menent +/* Copyright (C) 2004-2017 Laurent Destailleur + * Copyright (C) 2005-2017 Regis Houssin + * Copyright (C) 2013 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -54,7 +54,7 @@ if (GETPOST('sendit') && ! empty($conf->global->MAIN_UPLOAD_DOC)) if (preg_match('/set_(.*)/',$action,$reg)) { $code=$reg[1]; - $value=(GETPOST($code) ? GETPOST($code) : 1); + $value=(GETPOST($code, 'alpha') ? GETPOST($code, 'alpha') : 1); if (dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity) > 0) { Header("Location: ".$_SERVER["PHP_SELF"]); @@ -82,10 +82,10 @@ else if (preg_match('/del_(.*)/',$action,$reg)) else if ($action == 'updateform') { - $res3=dolibarr_set_const($db, 'MAIN_UPLOAD_DOC',$_POST["MAIN_UPLOAD_DOC"],'chaine',0,'',$conf->entity); - $res4=dolibarr_set_const($db, "MAIN_UMASK", $_POST["MAIN_UMASK"],'chaine',0,'',$conf->entity); - $res5=dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", $_POST["MAIN_ANTIVIRUS_COMMAND"],'chaine',0,'',$conf->entity); - $res6=dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", $_POST["MAIN_ANTIVIRUS_PARAM"],'chaine',0,'',$conf->entity); + $res3=dolibarr_set_const($db, 'MAIN_UPLOAD_DOC',GETPOST('MAIN_UPLOAD_DOC','int'),'chaine',0,'',$conf->entity); + $res4=dolibarr_set_const($db, "MAIN_UMASK", GETPOST('MAIN_UMASK','int'),'chaine',0,'',$conf->entity); + $res5=dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", GETPOST('MAIN_ANTIVIRUS_COMMAND','alpha'),'chaine',0,'',$conf->entity); + $res6=dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", GETPOST('MAIN_ANTIVIRUS_PARAM','alpha'),'chaine',0,'',$conf->entity); if ($res3 && $res4 && $res5 && $res6) setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs'); } diff --git a/htdocs/core/class/antivir.class.php b/htdocs/core/class/antivir.class.php index 7fa7d866489..b5f4f0e5539 100644 --- a/htdocs/core/class/antivir.class.php +++ b/htdocs/core/class/antivir.class.php @@ -160,8 +160,7 @@ class AntiVir if (! preg_match('/%file/',$conf->global->MAIN_ANTIVIRUS_PARAM)) $param=$param." ".escapeshellarg(trim($file)); - //if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // Use quotes on command. Using escapeshellcmd fails. - if (preg_match("/\s/",$command)) $command=escapeshellcmd($command); // Use quotes on command. Using escapeshellarg fails. + if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // Use quotes on command. Using escapeshellcmd fails. $ret=$command.' '.$param; //$ret=$command.' '.$param.' 2>&1';