Address code review findings - add username validation and fix edge cases
Co-authored-by: naielv <109038805+naielv@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
@@ -116,7 +116,12 @@ function safe_filename($name)
|
||||
$parts = explode('.', $name);
|
||||
$ext = array_pop($parts);
|
||||
$base = implode('_', $parts);
|
||||
$name = ($base === '' ? 'file' : $base) . '.' . $ext;
|
||||
// Ensure extension is not empty
|
||||
if ($ext === '') {
|
||||
$name = $base === '' ? 'file' : $base;
|
||||
} else {
|
||||
$name = ($base === '' ? 'file' : $base) . '.' . $ext;
|
||||
}
|
||||
}
|
||||
return $name;
|
||||
}
|
||||
|
||||
@@ -10,9 +10,10 @@ if (in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? [])
|
||||
$aulario_id = Sf($_GET["aulario"] ?? "");
|
||||
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
|
||||
|
||||
// Sanitize and validate centro_id to prevent directory traversal
|
||||
// Sanitize and validate centro_id and aulario_id to prevent directory traversal
|
||||
$centro_id = safe_filename($centro_id);
|
||||
if ($aulario_id === "" || $centro_id === "" || strpos($centro_id, '..') !== false) {
|
||||
$aulario_id = safe_filename($aulario_id);
|
||||
if ($aulario_id === "" || $centro_id === "" || strpos($centro_id, '..') !== false || strpos($aulario_id, '..') !== false) {
|
||||
require_once "_incl/pre-body.php";
|
||||
?>
|
||||
<div class="card pad">
|
||||
|
||||
@@ -7,6 +7,11 @@ switch ($_GET['form'] ?? '') {
|
||||
if (empty($username)) {
|
||||
die("Nombre de usuario no proporcionado.");
|
||||
}
|
||||
// Validate username to prevent directory traversal
|
||||
$username = basename($username);
|
||||
if (preg_match('/[^a-zA-Z0-9._-]/', $username) || strpos($username, '..') !== false) {
|
||||
die("Nombre de usuario inválido.");
|
||||
}
|
||||
$user_file = "/DATA/Usuarios/$username.json";
|
||||
$userdata_old = [];
|
||||
if (is_readable($user_file)) {
|
||||
@@ -115,11 +120,16 @@ switch ($_GET['action'] ?? '') {
|
||||
case 'edit':
|
||||
require_once "_incl/pre-body.php";
|
||||
$username = Sf($_GET['user'] ?? '');
|
||||
$userFile = "/DATA/Usuarios/$username.json";
|
||||
if (!file_exists($userFile) || !is_readable($userFile)) {
|
||||
// Validate username to prevent directory traversal
|
||||
$username = basename($username);
|
||||
if (preg_match('/[^a-zA-Z0-9._-]/', $username) || strpos($username, '..') !== false) {
|
||||
die("Nombre de usuario inválido.");
|
||||
}
|
||||
$user_file = "/DATA/Usuarios/$username.json";
|
||||
if (!file_exists($user_file) || !is_readable($user_file)) {
|
||||
die("Usuario no encontrado o datos no disponibles.");
|
||||
}
|
||||
$userdata = json_decode(file_get_contents($userFile), true) ?? [];
|
||||
$userdata = json_decode(file_get_contents($user_file), true) ?? [];
|
||||
?>
|
||||
<form method="post" action="?form=save_edit">
|
||||
<div class="card pad">
|
||||
|
||||
Reference in New Issue
Block a user