From 01a83d417ca62990f77f050dbb37539cc567e909 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fa=C3=9Fbender?=
Date: Wed, 20 Oct 2021 23:09:40 +0200
Subject: [PATCH] File name not properly checked against XSS #1116

---
adm_program/system/bootstrap/function.php | 1 -
adm_program/system/classes/StringUtils.php | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/adm_program/system/bootstrap/function.php b/adm_program/system/bootstrap/function.php
index ae8f0c638..ac8c48e22 100644
--- a/adm_program/system/bootstrap/function.php
+++ b/adm_program/system/bootstrap/function.php
@@ -392,7 +392,6 @@ function admFuncVariableIsValid(array $array, $variableName, $datatype, array $o
{
if ($value !== '') {
- $value = StringUtils::strStripTags(urldecode($value));
StringUtils::strIsValidFileName($value, false);
}
}
diff --git a/adm_program/system/classes/StringUtils.php b/adm_program/system/classes/StringUtils.php
index 1f916c245..9dd0b2795 100644
--- a/adm_program/system/classes/StringUtils.php
+++ b/adm_program/system/classes/StringUtils.php
@@ -239,7 +239,7 @@ public static function strIsValidFileName($filename, $checkExtension = true)
(!self::strValidCharacters($filename, 'folder') && !$checkExtension)
) {
- throw new AdmException('SYS_FILENAME_INVALID', array($filename));
+ throw new AdmException('SYS_FILENAME_INVALID', array(StringUtils::strStripTags($filename)));
}
if ($checkExtension)
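Review bot: Nothing on the new side records why the raw `$value` is now handed to `StringUtils::strIsValidFileName($value, false)` instead of a decoded, tag-stripped copy, so a maintainer reading only the context lines may reinstate the sanitising step; add `// validate the raw value as submitted: reject invalid names instead of silently decoding/stripping them (#1116)` above the call. Rejecting rather than sanitising is the safer direction, and the dropped `urldecode()` was presumably a second decode of a value PHP had already decoded into the request array, so a literal `%2e%2e` is now treated — and, if the function returns `$value`, passed on — verbatim; confirm no caller hands in a still-encoded string. The call is made purely for its exception side effect and its return value is discarded, which the comment could also state. `admFuncVariableIsValid` begins and ends outside the hunk.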
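Review bot: `StringUtils::strStripTags($filename)` on the added `throw` line is not an HTML escape and does not make the name safe to render: tag stripping leaves quotes, `&` and fragments such as `" onerror=` intact, so a message reflected into an attribute or any unescaped HTML context is still injectable, and an unclosed `<` typically truncates the rest of the value instead of neutralising it. Whether `AdmException` messages are escaped when displayed is not visible here; the robust fix is to escape at the render site, and if the value must be neutralised at this point it should be `htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` — unless the renderer already escapes, in which case this line double-encodes and should pass `$filename` through untouched. Minor: the context two lines up uses `self::strValidCharacters(...)`, so `self::strStripTags($filename)` would match the file's style. `strIsValidFileName` starts before and continues after the hunk, and the final context line may be cut at the end of this chunk.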