Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#2792 closed defect (fixed)

Escape properly filenames in bbp_converter_setting_callback_platform

Reported by: xknown Owned by: netweb
Milestone: 2.6 Priority: low
Severity: trivial Version: 2.1
Component: General Keywords: has-patch commit
Cc:

Description

In src/includes/admin/settings.php, the $file variable could be escaped to avoid some issues on files with weird names.

Index: src/includes/admin/settings.php
===================================================================
--- src/includes/admin/settings.php	(revision 5710)
+++ src/includes/admin/settings.php	(working copy)
@@ -1306,7 +1306,7 @@
 	while ( $file = readdir( $curdir ) ) {
 		if ( ( stristr( $file, '.php' ) ) && ( stristr( $file, 'index' ) === false ) ) {
 			$file              = preg_replace( '/.php/', '', $file );
-			$platform_options .= '<option value="' . $file . '">' . esc_html( $file ) . '</option>';
+			$platform_options .= '<option value="' . esc_attr( $file ) . '">' . esc_html( $file ) . '</option>';
 		}
 	}
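Review bot: the escaping change itself is right, and the name filter above it is still loose. `esc_attr( $file )` on the `+` line is the correct function for the `value="…"` context (a name containing `"` would otherwise close the attribute), while `esc_html( $file )` stays correct for the element body. However, `stristr( $file, '.php' )` accepts any name that merely contains `.php` (such as `foo.php.bak`), and `preg_replace( '/.php/', '', $file )` uses an unescaped `.`, so it strips any four-character run ending in `php` wherever it occurs, not just a trailing extension; consider `preg_replace( '/\.php$/i', '', $file )` and a matching extension check so the option value is always a bare converter name. Minor: `while ( $file = readdir( $curdir ) )` stops early on a file literally named `0`, since that string is falsy in PHP; `while ( ( $file = readdir( $curdir ) ) !== false )` avoids it.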

Reported originally by https://hackerone.com/yujitounai

Attachments (1)

2792.patch (648 bytes) - added by thebrandonallen 3 years ago.

Change History (5)

#1 @thebrandonallen
3 years ago

  • Keywords has-patch commit added
  • Milestone changed from Awaiting Review to 2.6

Good catch @xknown!

#2 @netweb
3 years ago

  • Version set to 2.1

#3 @netweb
3 years ago

  • Owner set to netweb
  • Resolution set to fixed
  • Status changed from new to closed

In 6040:

Admin: Escape $file variable for importer filenames in bbp_converter_setting_callback_platform()

Props xknown
Fixes #2792

#4 @johnjamesjacoby
3 years ago

Nice. Thanks everyone!