diff --git a/config/version.php b/config/version.php
index 65018201927f..56fa899c621b 100644
--- a/config/version.php
+++ b/config/version.php
@@ -1,7 +1,7 @@
'6.4.270',
- 'patchVersion' => '2023.07.14',
+ 'appVersion' => '6.4.271',
+ 'patchVersion' => '2023.07.17',
'lib_roundcube' => '0.3.4',
];
diff --git a/layouts/basic/modules/Settings/Dependencies/LibraryMoreInfo.tpl b/layouts/basic/modules/Settings/Dependencies/LibraryMoreInfo.tpl
index d2355deb27de..30a1a63e92b5 100644
--- a/layouts/basic/modules/Settings/Dependencies/LibraryMoreInfo.tpl
+++ b/layouts/basic/modules/Settings/Dependencies/LibraryMoreInfo.tpl
@@ -13,7 +13,7 @@
{if $RESULT}
- {$FILE_CONTENT}
+ {$FILE_CONTENT|escape}
{else}
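Review bot: The `escape` filter is added only to this template, yet the LibraryLicense view changed in the same commit also returns raw license file content to its own template, which is not part of this diff; it is worth confirming that template escapes the content the same way, since both read files from disk and print them into the modal. Smarty's `escape` with no argument is HTML escaping, which matches the `|escape` added on the `{$FILE_CONTENT}` line here. The `{if $RESULT}` block continues past the hunk.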
diff --git a/modules/Settings/Dependencies/views/LibraryLicense.php b/modules/Settings/Dependencies/views/LibraryLicense.php
index dded5e7247e2..a44542c42d53 100644
--- a/modules/Settings/Dependencies/views/LibraryLicense.php
+++ b/modules/Settings/Dependencies/views/LibraryLicense.php
@@ -8,6 +8,7 @@
* @copyright YetiForce S.A.
* @license YetiForce Public License 5.0 (licenses/LicenseEN.txt or yetiforce.com)
* @author Adrian Koń
+ * @author Radosław Skrzypczak
*/
class Settings_Dependencies_LibraryLicense_View extends Settings_Vtiger_BasicModal_View
{
@@ -36,8 +37,8 @@ public function process(App\Request $request)
$result = false;
} else {
$dir = ROOT_DIRECTORY . DIRECTORY_SEPARATOR . 'licenses' . DIRECTORY_SEPARATOR;
- $filePath = $dir . $request->getByType('license', 'Text') . '.txt';
- if (file_exists($filePath)) {
+ $filePath = $dir . $request->getByType('license', \App\Purifier::PATH) . '.txt';
+ if (file_exists($filePath) && \App\Fields\File::isAllowedFileDirectory($filePath)) {
$result = true;
$fileContent = file_get_contents($filePath);
} else {
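Review bot: `file_get_contents($filePath)` on the line after `$result = true;` is never checked for `false`, so an unreadable file (permissions, race after `file_exists`) leaves `$result` true while `$fileContent` is `false`; the same pattern appears twice in the LibraryMoreInfo hunk (the `$fileContent = file_get_contents($packageFile);` and `$fileContent = file_get_contents($filePath);` lines). `file_exists` also passes for directories, so `is_file` is the more precise guard, and running the directory allow-check before touching the filesystem avoids probing paths that are rejected anyway: `if (\App\Fields\File::isAllowedFileDirectory($filePath) && is_file($filePath) && false !== ($fileContent = file_get_contents($filePath))) {` followed by `$result = true;`. The `process` method starts before and ends after this hunk.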
diff --git a/modules/Settings/Dependencies/views/LibraryMoreInfo.php b/modules/Settings/Dependencies/views/LibraryMoreInfo.php
index 02e02d910087..34e05eb3f014 100644
--- a/modules/Settings/Dependencies/views/LibraryMoreInfo.php
+++ b/modules/Settings/Dependencies/views/LibraryMoreInfo.php
@@ -8,6 +8,7 @@
* @copyright YetiForce S.A.
* @license YetiForce Public License 5.0 (licenses/LicenseEN.txt or yetiforce.com)
* @author Adrian Koń
+ * @author Radosław Skrzypczak
*/
class Settings_Dependencies_LibraryMoreInfo_View extends Settings_Vtiger_BasicModal_View
{
@@ -23,34 +24,25 @@ public function process(App\Request $request)
{
$result = false;
$fileContent = '';
- if ($request->isEmpty('type') || $request->isEmpty('libraryName')) {
- $result = false;
- } else {
- if ('public' === $request->getByType('type', 1)) {
+ if (!$request->isEmpty('type') && !$request->isEmpty('libraryName')) {
+ $type = $request->getByType('type', \App\Purifier::STANDARD);
+ if ('public' === $type) {
$dir = ROOT_DIRECTORY . DIRECTORY_SEPARATOR . 'public_html' . DIRECTORY_SEPARATOR . 'libraries' . DIRECTORY_SEPARATOR;
- $libraryName = $request->getByType('libraryName', 'Text');
+ $libraryName = $request->getByType('libraryName', \App\Purifier::PATH);
foreach ($this->packageFiles as $file) {
$packageFile = $dir . $libraryName . DIRECTORY_SEPARATOR . $file;
- if ($fileContent) {
- continue;
- }
- if (file_exists($packageFile)) {
+ if (file_exists($packageFile) && \App\Fields\File::isAllowedFileDirectory($packageFile)) {
$fileContent = file_get_contents($packageFile);
$result = true;
- } else {
- $result = false;
+ break;
}
}
- } elseif ('vendor' === $request->getByType('type', 1)) {
- $filePath = 'vendor' . DIRECTORY_SEPARATOR . $request->getByType('libraryName', 'Text') . DIRECTORY_SEPARATOR . 'composer.json';
- if (file_exists($filePath)) {
+ } elseif ('vendor' === $type) {
+ $filePath = ROOT_DIRECTORY . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . $request->getByType('libraryName', \App\Purifier::PATH) . DIRECTORY_SEPARATOR . 'composer.json';
+ if (file_exists($filePath) && \App\Fields\File::isAllowedFileDirectory($filePath)) {
$fileContent = file_get_contents($filePath);
$result = true;
- } else {
- $result = false;
}
- } else {
- $result = false;
}
}
$this->preProcess($request);
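Review bot: The public branch reads the library name once into `$libraryName`, but the vendor branch re-reads it inline on the long `$filePath = ROOT_DIRECTORY . ...` line, so the two branches are no longer parallel. Hoisting `$libraryName = $request->getByType('libraryName', \App\Purifier::PATH);` next to the `$type = ...` line and using it in both branches keeps the purifier type in one place and shortens the vendor path line to `$filePath = ROOT_DIRECTORY . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . $libraryName . DIRECTORY_SEPARATOR . 'composer.json';`. `$this->packageFiles` is defined outside the hunk, and `process` continues after it.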