security fix
bradymiller committed Jun 29, 2017
1 parent 4af4061 commit b8963a5
Showing 2 changed files with 15 additions and 21 deletions.
1 change: 1 addition & 0 deletions library/edihistory/edih_csv_inc.php
@@ -134,6 +134,7 @@ function csv_edihist_log ( $msg_str ) {
* @return string
*/
function csv_log_html($logname='') {
check_file_dir_name($logname);
$html_str = "<div class='filetext'>".PHP_EOL."<ol class='logview'>".PHP_EOL;
$fp = csv_edih_basedir().DS.'log'.DS.$logname;
if ( is_file($fp) ) {
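Review bot: With `check_file_dir_name($logname);` as the first statement of csv_log_html, the default `$logname=''` now ends the request through die(), because the helper rejects an empty label; a caller relying on the default no longer gets the string the docblock promises. The docblock should say so, for example `@param string $logname bare file name inside the log directory; the script dies if it is empty or contains characters outside A-Za-z0-9_.-`. The allowlist still accepts `.` and `..`, so the `is_file($fp)` test is what keeps those from being read, and a short comment on that line would stop a later edit from loosening it. The hunk does not show library/sanitize.inc.php being loaded in this file, so confirm it is included on every path that reaches this function; the function body continues outside the hunk.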
35 changes: 14 additions & 21 deletions library/sanitize.inc.php
@@ -2,30 +2,23 @@
/**
* Function to check and/or sanitize things for security such as
* directories names, file names, etc.
*
* Copyright (C) 2012 by following Brady Miller <brady.g.miller@gmail.com>
*
* LICENSE: This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 3
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
*
* @package OpenEMR
* @author Brady Miller <brady.g.miller@gmail.com>
* @author Roberto Vasquez <robertogagliotta@gmail.com>
* @author Shachar Zilbershlag <shaharzi@matrix.co.il>
* @link http://www.open-emr.org
*/
*
* @package OpenEMR
* @link http://www.open-emr.org
* @author Brady Miller <brady.g.miller@gmail.com>
* @author Roberto Vasquez <robertogagliotta@gmail.com>
* @author Shachar Zilbershlag <shaharzi@matrix.co.il>
* @copyright Copyright (c) 2012-2017 Brady Miller <brady.g.miller@gmail.com>
* @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
*/


// If the label contains any illegal characters, then the script will die.
function check_file_dir_name($label) {
if (empty($label) || preg_match('/[^A-Za-z0-9_.-]/', $label))
if (empty($label) || preg_match('/[^A-Za-z0-9_.-]/', $label)) {
error_log("ERROR: The following variable contains invalid characters:" . $label);
die(xlt("ERROR: The following variable contains invalid characters").": ". attr($label));
}
}

// Convert all illegal characters to _
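Review bot: The new `error_log(...)` call in check_file_dir_name writes `$label` to the log unescaped, and this branch runs precisely when the value contains characters outside the allowlist, so CR/LF or other control bytes from a request parameter can forge or split log entries. Escape the value before logging, for example `error_log("ERROR: The following variable contains invalid characters:" . addcslashes($label, "\0..\37\177"));`. Separately, `empty($label)` also rejects the string "0", and nothing checks that `$label` is a string before `preg_match`; an explicit `is_string($label)` test in the condition would make the rejection of non-string input deliberate rather than incidental.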