
Commit c2aa7a7

orthaghtrasher
authored andcommitted
avoid xss attack on user picture
1 parent 6189eee commit c2aa7a7

1 file changed

+17
-0
lines changed

1 file changed

+17
-0
lines changed

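--- a/inc/user.class.php
+++ b/inc/user.class.php
@@ -550,6 +550,11 @@ function prepareInputForAdd($input) {
 return false;
 }
 
+// avoid xss (picture field is autogenerated)
+if (isset($input['picture'])) {
+$input['picture'] = 'NULL';
+}
+
 if (!isset($input["authtype"])) {
 $input["authtype"] = Auth::DB_GLPI;
 }
@@ -681,6 +686,11 @@ function post_addItem() {
 function prepareInputForUpdate($input) {
 global $CFG_GLPI;
 
+// avoid xss (picture field is autogenerated)
+if (isset($input['picture'])) {
+$input['picture'] = 'NULL';
+}
+
 //picture manually uploaded by user
 if (isset($input["_blank_picture"]) && $input["_blank_picture"]) {
 self::dropPictureFiles($this->fields['picture']);
@@ -2004,6 +2014,7 @@ function showForm($ID, array $options = []) {
 }
 
 if (!empty($this->fields["name"])) {
+
 echo "<td rowspan='4'>" . __('Picture') . "</td>";
 echo "<td rowspan='4'>";
 echo "<div class='user_picture_border_small' id='picture$rand'>";
@@ -4853,6 +4864,9 @@ static function checkDefaultPasswords() {
 static function getURLForPicture($picture) {
 global $CFG_GLPI;
 
+// prevent xss
+$picture = Html::cleanInputText($picture);
+
 if (!empty($picture)) {
 return $CFG_GLPI["root_doc"]."/front/document.send.php?file=_pictures/$picture";
 }
@@ -4872,6 +4886,9 @@ static function getURLForPicture($picture) {
 static function getThumbnailURLForPicture($picture) {
 global $CFG_GLPI;
 
+// prevent xss
+$picture = Html::cleanInputText($picture);
+
 if (!empty($picture)) {
 $tmp = explode(".", $picture);
 if (count($tmp) ==2) {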
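Review bot: In getURLForPicture (the `@@ -4853` hunk) the value is interpolated into a URL query string, so HTML-oriented escaping via `Html::cleanInputText` is the wrong context: the fitting encoding for that position is `return $CFG_GLPI["root_doc"]."/front/document.send.php?file=_pictures/".rawurlencode($picture);`, with HTML escaping left to the place where the URL is echoed into markup. The same applies to getThumbnailURLForPicture in the `@@ -4872` hunk, where the escaped string is additionally split with `explode(".", ...)` and presumably reused as a filename, so an HTML-escaped form (e.g. `&` becoming `&amp;`, if that is what cleanInputText does) would alter the path rather than just its rendering. In prepareInputForAdd and prepareInputForUpdate the string literal `'NULL'` relies on the DB layer translating it to SQL NULL, which is not visible here; if the intent is only to discard a client-supplied value, `unset($input['picture']);` states that without depending on that convention. The bodies of all four functions continue outside their hunks.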