Sanitized the data read from the ini file to avoid security problems.

------ Saneados los datos leídos del archivo ini para evitar problemas de seguridad.
NeoRazorX · Apr 27, 2022 · aa9f28c · aa9f28c
1 parent fad9cc6
commit aa9f28c
Showing 1 changed file with 19 additions and 14 deletions.
diff --git a/Core/Base/PluginManager.php b/Core/Base/PluginManager.php
@@ -380,27 +380,32 @@ private function getPluginInfo(string $pluginName, string $iniContent): array
             'require' => [],
             'version' => 1
         ];
-
         $ini = parse_ini_string($iniContent);
-        if ($ini !== false) {
-            foreach (['name', 'version', 'description', 'min_version'] as $key) {
-                $info[$key] = $ini[$key] ?? $info[$key];
-            }
+        if ($ini === false) {
+            return $info;
+        }
 
-            if (isset($ini['require'])) {
-                $info['require'] = explode(',', $ini['require']);
-            }
+        $info['name'] = strip_tags($ini['name'] ?? $info['name']);
+        $info['version'] = floatval($ini['version'] ?? $info['version']);
+        $info['description'] = strip_tags($ini['description'] ?? $info['description']);
+        $info['min_version'] = floatval($ini['min_version'] ?? $info['min_version']);
 
-            if ($info['min_version'] >= 2018 && $info['min_version'] <= self::CORE_VERSION) {
-                $info['compatible'] = true;
-                $info['description'] = ('Incompatible' === $info['description']) ? ToolBox::i18n()->trans('compatible') : $info['description'];
-            } else {
-                $info['description'] = ToolBox::i18n()->trans('incompatible-with-facturascripts', ['%version%' => self::CORE_VERSION]);
+        if (isset($ini['require'])) {
+            foreach (explode(',', $ini['require']) as $req) {
+                $req = trim($req);
+                if (!empty($req)) {
+                    $info['require'][] = $req;
+                }
             }
+        }
 
-            $info['enabled'] = in_array($info['name'], $this->enabledPlugins());
+        if ($info['min_version'] <= self::CORE_VERSION && $info['min_version'] >= 2020) {
+            $info['compatible'] = true;
+        } else {
+            $info['description'] = ToolBox::i18n()->trans('incompatible-with-facturascripts', ['%version%' => self::CORE_VERSION]);
         }
 
+        $info['enabled'] = in_array($info['name'], $this->enabledPlugins());
         return $info;
     }