Uploads: add sanitization

fixes xibosignage/xibo#3392
xibosignage · Mar 25, 2024 · e4046d8 · e4046d8
1 parent 5cea948
commit e4046d8
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 8 deletions.
diff --git a/lib/Controller/Library.php b/lib/Controller/Library.php
@@ -2489,7 +2489,7 @@ public function uploadFromUrl(Request $request, Response $response)
         }
 
         // if we were provided with optional Media name set it here, otherwise get it from download info
-        $name = empty($optionalName) ? $downloadInfo['filename'] : $optionalName;
+        $name = empty($optionalName) ? htmlspecialchars($downloadInfo['filename']) : $optionalName;
 
         // double check that provided Module Type and Extension are valid
         if (!Str::contains($module->getSetting('validExtensions'), $ext)) {

diff --git a/lib/Entity/Media.php b/lib/Entity/Media.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (C) 2023 Xibo Signage Ltd
+ * Copyright (C) 2024 Xibo Signage Ltd
  *
  * Xibo - Digital Signage - https://xibosignage.com
  *
@@ -575,6 +575,9 @@ private function add()
             $fileName = substr(basename($fileName), 0, strpos(basename($fileName), '?'));
         }
 
+        // Sanitize what we have left.
+        $fileName = htmlspecialchars($fileName);
+
         $this->mediaId = $this->getStore()->insert('
             INSERT INTO `media` (`name`, `type`, duration, originalFilename, userID, retired, moduleSystemFile, released, apiRef, valid, `createdDt`, `modifiedDt`, `enableStat`, `folderId`, `permissionsFolderId`, `orientation`, `width`, `height`)
               VALUES (:name, :type, :duration, :originalFileName, :userId, :retired, :moduleSystemFile, :released, :apiRef, :valid, :createdDt, :modifiedDt, :enableStat, :folderId, :permissionsFolderId, :orientation, :width, :height)

diff --git a/lib/Helper/LayoutUploadHandler.php b/lib/Helper/LayoutUploadHandler.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (C) 2023 Xibo Signage Ltd
+ * Copyright (C) 2024 Xibo Signage Ltd
  *
  * Xibo - Digital Signage - https://xibosignage.com
  *
@@ -60,9 +60,9 @@ protected function handle_form_data($file, $index)
             $params = $sanitizerService->getSanitizer($_REQUEST);
 
             // Parse parameters
-            $name = $params->getArray('name')[$index];
+            $name = htmlspecialchars($params->getArray('name')[$index]);
             $tags = $controller->getUser()->featureEnabled('tag.tagging')
-                ? $params->getArray('tags')[$index]
+                ? htmlspecialchars($params->getArray('tags')[$index])
                 : '';
             $template = $params->getCheckbox('template', ['default' => 0]);
             $replaceExisting = $params->getCheckbox('replaceExisting', ['default' => 0]);

diff --git a/lib/Helper/XiboUploadHandler.php b/lib/Helper/XiboUploadHandler.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (C) 2023 Xibo Signage Ltd
+ * Copyright (C) 2024 Xibo Signage Ltd
  *
  * Xibo - Digital Signage - https://xibosignage.com
  *
@@ -74,9 +74,9 @@ protected function handle_form_data($file, $index)
             $controller->getUser()->isQuotaFullByUser(true);
 
             // Get some parameters
-            $name = $this->getParam($index, 'name', $fileName);
+            $name = htmlspecialchars($this->getParam($index, 'name', $fileName));
             $tags = $controller->getUser()->featureEnabled('tag.tagging')
-                ? $this->getParam($index, 'tags', '')
+                ? htmlspecialchars($this->getParam($index, 'tags', ''))
                 : '';
 
             // Guess the type