Security improvements: fix permissions, add file validation, improve error handling

Co-authored-by: naielv <109038805+naielv@users.noreply.github.com>
copilot-swe-agent[bot]
2026-01-31 19:29:49 +00:00
parent eb6d23acf8
commit 568640539b
2 changed files with 41 additions and 8 deletions


@@ -24,6 +24,18 @@ switch ($_GET["type"]) {
$day = substr($date, 8, 2);
$relpath = "entreaulas/Centros/$centro/Aularios/$aulario/Comedor/$ym/$day/$file";
break;
case "proyecto_file":
$centro = str_replace('..', '_', $_GET["centro"] ?? '');
$aulario = str_replace('..', '_', $_GET["aulario"] ?? '');
$project = str_replace('..', '_', $_GET["project"] ?? '');
$file = basename($_GET["file"] ?? '');
// Ensure no directory traversal
if (strpos($file, '..') !== false || strpos($file, '/') !== false || strpos($file, '\\') !== false) {
header("HTTP/1.1 400 Bad Request");
die("Invalid file name");
}
$relpath = "entreaulas/Centros/$centro/Aularios/$aulario/Proyectos/$project/$file";
break;
}
$path = "/DATA/$relpath";
$uripath = "/$relpath";
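Review bot: The three directory segments on L18–L20 are sanitised rather than validated — `..` is rewritten to `_`, but `/`, `\`, empty values and array-valued parameters (`centro[]=`) still pass — whereas `$file` on L21–L26 is rejected with a 400 for the same characters, so a single `centro`/`aulario`/`project` value can span several directory levels and no longer names one directory. I would apply the same rejection rule to the segments and, after `$path` is built on L30, confine the canonicalised path under `/DATA/entreaulas/Centros/` with `realpath()`, since nothing visible here otherwise pins the final path to that base (a symlink inside the tree or a later edit to the format string would escape it silently). An allow-list of permitted characters would be stronger still, but the legal character set for these names is not visible in this hunk, so the rewrite below only mirrors the existing check. The enclosing `switch ($_GET["type"])` begins before the hunk, and how `$path` and `$uripath` are consumed is outside this view, so the 404 on a failed `realpath()` assumes this script only serves files that already exist.
```php
case "proyecto_file":
    // Reject a bad directory segment outright (as $file is below) instead of rewriting '..' to '_'.
    $segment = static function (string $key): string {
        $value = $_GET[$key] ?? '';
        if (!is_string($value) || $value === ''
            || strpos($value, '..') !== false || strpos($value, '/') !== false || strpos($value, '\\') !== false) {
            header("HTTP/1.1 400 Bad Request");
            die("Invalid path segment");
        }
        return $value;
    };
    $centro = $segment('centro');
    $aulario = $segment('aulario');
    $project = $segment('project');
    // … unchanged: $file = basename(...) and its traversal check, $relpath, break, end of switch …
$path = "/DATA/$relpath";
// Canonicalise and confine the result to the intended base before it is served.
$base = realpath('/DATA/entreaulas/Centros');
$real = realpath($path);
if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
    header("HTTP/1.1 404 Not Found");
    die("Not found");
}
```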