Fix security issues in ¿Quién soy? flow

Co-authored-by: naielv <109038805+naielv@users.noreply.github.com>
copilot-swe-agent[bot]
2026-02-14 13:19:56 +00:00
parent 302992c10b
commit a3eeda2dc5
2 changed files with 18 additions and 7 deletions


@@ -7,9 +7,14 @@ header("Access-Control-Allow-Origin: *");
switch ($_GET["type"]) {
case "alumno_photo":
$centro = str_replace('..', '_', $_GET["centro"] ?? '');
$aulario = str_replace('..', '_', $_GET["aulario"] ?? '');
$alumno = str_replace('..', '_', $_GET["alumno"] ?? '');
$centro = basename($_GET["centro"] ?? '');
$aulario = basename($_GET["aulario"] ?? '');
$alumno = basename($_GET["alumno"] ?? '');
// Additional validation to prevent empty names
if (empty($centro) || empty($aulario) || empty($alumno)) {
header("HTTP/1.1 400 Bad Request");
die("Invalid parameters");
}
$relpath = "entreaulas/Centros/$centro/Aularios/$aulario/Alumnos/$alumno/photo.jpg";
break;
case "panel_actividades":