ZoneMinder
/
zoneminder
mirror of https://github.com/ZoneMinder/zoneminder.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

use detaintPath on modal to prevent including other files instead of real modals

pull/3669/merge
Isaac Connor 2023-02-20 11:58:10 -05:00
parent 4067151fd8
commit 119e4e6756
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
web/ajax/modal.php
View File

@ -1,11 +1,10 @@
<?php <?php
if (empty($_REQUEST['modal'])) {
if ( empty($_REQUEST['modal']) ) {
ajaxError('Modal Name Not Provided'); ajaxError('Modal Name Not Provided');
return; return;
} }
$modal = validJsStr($_REQUEST['modal']); $modal = detaintPath($_REQUEST['modal']);
$data = array(); $data = array();
ZM\Debug("Including modals/$modal.php"); ZM\Debug("Including modals/$modal.php");
@ -14,7 +13,7 @@ ob_start();
@$result = include('modals/'.$modal.'.php'); @$result = include('modals/'.$modal.'.php');
$data['html'] = ob_get_contents(); $data['html'] = ob_get_contents();
ob_end_clean(); ob_end_clean();
if ( !$result ) { if (!$result) {
ajaxError("Unknown modal '".$modal."'"); ajaxError("Unknown modal '".$modal."'");
return; return;
} }