Fixed issue: Potential security issue in kcfinder fixed

LimeSurvey · Aug 22, 2018 · ff4c14d · ff4c14d · Shnoulle · Aug 27, 2018
1 parent bfa334c
commit ff4c14d
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/third_party/kcfinder/core/bootstrap.php b/third_party/kcfinder/core/bootstrap.php
@@ -32,11 +32,12 @@
 
 
 // CMS INTEGRATION
-if (isset($_GET['cms']) &&
-    (basename($_GET['cms']) == $_GET['cms']) &&
-    is_file("integration/{$_GET['cms']}.php")
-)
-    require "integration/{$_GET['cms']}.php";
+// Possible files -> drupal, BolmerCMS
+if(isset($_GET['cms']) && (basename($cmsFile) == $cmsFile) && preg_match("/drupal|BolmerCMS/", $_GET['cms'])){
+    $cmsFile = basename($_GET['cms']);
+    if (is_file("integration/{$cmsFile}.php") )
+        require "integration/{$cmsFile}.php";
+}
 
 
 // REGISTER AUTOLOAD FUNCTION