| side by side (parent:
0057896
)
[0005198] Attach Documents: constrained attachemnt file types to avoid XSS using...
author
Janusz Dobrowolski
<janusz@frontaccounting.eu>
Sun, 27 Sep 2020 14:18:47 +0000
(16:18 +0200)
committer
Janusz Dobrowolski
<janusz@frontaccounting.eu>
Sun, 27 Sep 2020 14:18:47 +0000
(16:18 +0200)
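--- a/admin/attachments.php
+++ b/admin/attachments.php
@@ -83,7 +83,10 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
 $filename = basename($_FILES['filename']['name']);
 if (!transaction_exists($_POST['filterType'], $_POST['trans_no']))
 display_error(_("Selected transaction does not exists."));
-elseif ($Mode == 'ADD_ITEM' && !isset($_FILES['filename']))
+elseif ($Mode == 'ADD_ITEM' && !in_array(strtoupper(substr($filename, strlen($filename) - 3)), array('JPG','PNG','GIF', 'PDF', 'DOC', 'ODT')))
+{
+display_error(_('Only graphics,pdf,doc and odt files are supported.'));
+} elseif ($Mode == 'ADD_ITEM' && !isset($_FILES['filename']))
 display_error(_("Select attachment file."));
 elseif ($Mode == 'ADD_ITEM' && ($_FILES['filename']['error'] > 0)) {
 if ($_FILES['filename']['error'] == UPLOAD_ERR_INI_SIZE)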
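Review bot: The allow-list on the added `elseif` compares only the last three characters of the client-supplied name rather than its extension, so a name with no dot but ending in `doc` passes while a `.jpeg` file is rejected; comparing the real extension, `!in_array(strtoupper(pathinfo($filename, PATHINFO_EXTENSION)), array('JPG','JPEG','PNG','GIF','PDF','DOC','ODT'))`, is the intended check. The new branch is also evaluated before the existing `!isset($_FILES['filename'])` branch, so when no file is submitted `$filename` (built from `$_FILES['filename']['name']` on the hunk's first line) is presumably empty and the user sees the "Only graphics,pdf,doc and odt files are supported." message instead of "Select attachment file."; moving the type check below that branch keeps the original diagnostics. Because the extension is attacker-controlled, an extension check alone does not stop a file whose bytes are HTML from being rendered as such; a server-side content check (e.g. `finfo`) at upload time and serving attachments with `Content-Disposition: attachment` plus `X-Content-Type-Options: nosniff` are the defensive complement to this filter. The `elseif` chain continues past the end of the hunk.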