From f4fe71a7fec4baffd2cda9908f5a9b3eaff011c4 Mon Sep 17 00:00:00 2001
From: bafbes
Date: Sat, 18 Apr 2015 20:59:00 +0100
Subject: [PATCH 1/2] Update filefunc.inc.php

---
htdocs/filefunc.inc.php | 1 +
1 file changed, 1 insertion(+)

diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 48d662774ae..13b2d8d1669 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -8,6 +8,7 @@
 * Copyright (C) 2005 Simon Tosser
 * Copyright (C) 2006 Andre Cianfarani
 * Copyright (C) 2010 Juanjo Menent
+ * Copyright (C) 2015 Bahfir Abbes
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by

From a8f60a5c183788d3921b309d707be59b4742e840 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcos=20Garci=CC=81a=20de=20La=20Fuente?=
Date: Sat, 18 Apr 2015 22:11:11 +0200
Subject: [PATCH 2/2] Revert "Sanitize for security."

This reverts commit 1598a5d3a6a27ce44d7d8d73583d07c96776fe5d.

---
htdocs/filefunc.inc.php | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 07ae3919f57..48d662774ae 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -66,15 +66,12 @@
 $conffiletoshow = "htdocs/conf/conf.php";
 //$conffile = "/etc/dolibarr/conf.php";
 //$conffiletoshow = "/etc/dolibarr/conf.php";
-// Replace conf filename with "conf" parameter on url by GET
-if (GETPOST('conf'))
-{
- setcookie('dolconf', GETPOST('conf'),0,'/');
- $conffile = 'conf/' . dol_sanitizeFileName(GETPOST('conf')) . '.php';
-}
-else
-{
- $conffile = 'conf/' . dol_sanitizeFileName((!empty($_COOKIE['dolconf']) ? $_COOKIE['dolconf'] : 'conf') . '.php');
+//replace conf filename with "conf" parameter on url by GET
+if (!empty($_GET['conf'])) {
+ setcookie('dolconf', $_GET['conf'],0,'/');
+ $conffile = 'conf/' . $_GET['conf'] . '.php';
+} else {
+ $conffile = 'conf/' . (!empty($_COOKIE['dolconf']) ? $_COOKIE['dolconf'] : 'conf') . '.php';
 }