From c80c4c472e61bc3f5ded1c47df1fecb5f48ffd01 Mon Sep 17 00:00:00 2001
From: Serghey Rodin
Date: Wed, 16 May 2018 17:23:04 +0300
Subject: [PATCH] Additional rXSS fix / closes #1558

---
 web/view/file/index.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web/view/file/index.php b/web/view/file/index.php
index aed9523d..e3e77249 100644
--- a/web/view/file/index.php
+++ b/web/view/file/index.php
@@ -13,10 +13,10 @@ if (($_SESSION['user'] == 'admin') && (!empty($_SESSION['look']))) {
 }
 
 if (!empty($_REQUEST['path'])) {
-    $path = $_REQUEST['path'];
+    $path = htmlspecialchars($_REQUEST['path'], ENT_QUOTES, 'UTF-8');
     if (!empty($_REQUEST['raw'])) {
         header('content-type: image/jpeg');
-        passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg(htmlspecialchars($_REQUEST['path'], ENT_QUOTES, 'UTF-8')));
+        passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg($path));
         exit;
     }
 }
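Review bot: The new `$path = htmlspecialchars($_REQUEST['path'], ENT_QUOTES, 'UTF-8');` encodes the value for an HTML context, yet the same `$path` is then handed to `escapeshellarg()` on the `passthru` line, so the output-encoding step is applied to a value used as a filesystem path: a file whose name contains `&`, `'`, `"`, `<` or `>` is requested under its entity-encoded spelling (`&amp;` and so on) and `v-open-fs-file` will not find it, while `escapeshellarg()` alone already gave the shell-safe quoting the removed line had. The safer split is to keep the raw request value for the command, `$path = $_REQUEST['path'];` with `escapeshellarg($path)` unchanged, and apply `htmlspecialchars($path, ENT_QUOTES, 'UTF-8')` at each point where `$path` is echoed into the page; those output points are below this hunk and cannot be checked here. Nothing in the hunk confines `path` to the acting user's home directory, so the traversal check is presumably inside `v-open-fs-file` — worth confirming, since the `raw` branch streams whatever that command returns. The `if (!empty($_REQUEST['path']))` block is complete within the hunk; the surrounding script continues outside it.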