fix: [security] lfi via custom terms file setting, as reported by Ianis BERNARD - NATO Cyber Security Centre
righel committed Mar 17, 2022
1 parent 1b5edc9 commit 8cc9368
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion app/View/Users/terms.ctp
@@ -5,7 +5,8 @@
if (!Configure::read('MISP.terms_file')) {
$termsFile = APP ."View/Users/terms";
} else {
$termsFile = APP . 'files' . DS . 'terms' . DS . Configure::read('MISP.terms_file');
$customTermsFile = basename(realpath(Configure::read('MISP.terms_file')));
$termsFile = APP . 'files' . DS . 'terms' . DS . $customTermsFile;
}
if (!(file_exists($termsFile))) {
echo "<p>" . __("Terms and Conditions file not found.") . "</p>";
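Review bot: On the added `$customTermsFile = basename(realpath(Configure::read('MISP.terms_file')));` line, `realpath()` is called on the bare setting value, so it resolves against the process working directory rather than against `APP . 'files' . DS . 'terms'`. When nothing exists at that resolved location `realpath()` returns `false`, `basename()` then yields an empty string, and `$termsFile` becomes the terms directory itself, which the following `file_exists($termsFile)` check also accepts when that directory exists. Suggest taking `basename()` of the raw setting first, building the full path, then calling `realpath()` on that full path and confirming the result still sits under the terms directory, with `is_file()` in place of `file_exists()`. A short comment stating that `MISP.terms_file` is treated as a plain file name inside `files/terms` would also document the intent of the fix.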