Merge pull request from GHSA-673x-f5wx-fxpw

fix security/advisories/GHSA-4r3m-j6x5-48m3
baserproject · Aug 25, 2020 · 16a7b3c · 16a7b3c
2 parents 2dcaa28 + 757fcc5
commit 16a7b3c
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 6 deletions.
diff --git a/app/webroot/theme/admin-third/ThemeFiles/admin/form_folder.php b/app/webroot/theme/admin-third/ThemeFiles/admin/form_folder.php
@@ -25,7 +25,7 @@
 
 <!-- current -->
 <div class="em-box bca-current-box">
-	<?php echo __d('baser', '現在の位置')?>：<?php echo $currentPath ?>
+	<?php echo __d('baser', '現在の位置')?>：<?php echo h($currentPath) ?>
 </div>
 
 <?php if ($this->request->action == 'admin_add_folder'): ?>

diff --git a/app/webroot/theme/admin-third/ThemeFiles/admin/index.php b/app/webroot/theme/admin-third/ThemeFiles/admin/index.php
@@ -45,7 +45,7 @@
 <div id="MessageBox" style="display:none"><div id="flashMessage" class="notice-message"></div></div>
 
 <!-- current -->
-<div class="em-box bca-current-box"><?php echo __d('baser', '現在の位置') ?>：<?php echo $currentPath ?>
+<div class="em-box bca-current-box"><?php echo __d('baser', '現在の位置') ?>：<?php echo h($currentPath) ?>
 	<?php if (!$writable): ?>
 		　<span style="color:#FF3300">[<?php echo __d('baser', '書込不可') ?>]</span>
 	<?php endif ?>

diff --git a/lib/Baser/Plugin/Uploader/Config/setting.php b/lib/Baser/Plugin/Uploader/Config/setting.php
@@ -46,6 +46,10 @@
 	]
 ];
 $config['Uploader'] = [
+		// システム管理者によるアップロードでいかなる拡張子も許可する
+		'allowedAdmin' => false,
 		// システム管理者グループ以外のユーザーがアップロード可能なファイル（拡張子をカンマ区切りで指定する）
-		'allowedExt' => 'gif,jpg,png,pdf,zip,doc,docx,xls,xlsx,ppt,pptx'
+		'allowedExt' => 'gif,jpg,jpeg,png,ico,pdf,zip,doc,docx,xls,xlsx,ppt,pptx,txt',
+		// 'allowedExt' => 'mp4,mp3,mpg,mpeg,avi,wmv' // メディア例
+		// 'allowedExt' => 'fon,ttf,ttc' // フォント例
 ];
diff --git a/lib/Baser/Plugin/Uploader/Model/UploaderFile.php b/lib/Baser/Plugin/Uploader/Model/UploaderFile.php
@@ -73,7 +73,7 @@ public function __construct($id = false, $table = null, $ds = null) {
 				]
 			]
 		];
-		if(!BcUtil::isAdminUser()) {
+		if(!BcUtil::isAdminUser() || !Configure::read('Uploader.allowedAdmin')) {
 			$this->validate['name'] = [
 				'fileExt' => [
 					'rule' => ['fileExt', Configure::read('Uploader.allowedExt')],

diff --git a/lib/Baser/View/ThemeFiles/admin/form_folder.php b/lib/Baser/View/ThemeFiles/admin/form_folder.php
@@ -24,7 +24,7 @@
 
 
 <div class="em-box align-left">
-<?php echo __d('baser', '現在の位置')?>：<?php echo $currentPath ?>
+<?php echo __d('baser', '現在の位置')?>：<?php echo h($currentPath) ?>
 </div>
 
 <?php if ($this->request->action == 'admin_add_folder'): ?>

diff --git a/lib/Baser/View/ThemeFiles/admin/index.php b/lib/Baser/View/ThemeFiles/admin/index.php
@@ -44,7 +44,7 @@
 <div id="MessageBox" style="display:none"><div id="flashMessage" class="notice-message"></div></div>
 
 <!-- current -->
-<div class="em-box align-left"><?php echo __d('baser', '現在の位置')?>：<?php echo $currentPath ?>
+<div class="em-box align-left"><?php echo __d('baser', '現在の位置')?>：<?php echo h($currentPath) ?>
 	<?php if (!$writable): ?>
 		　<span style="color:#FF3300">[<?php echo __d('baser', '書込不可')?>]</span>
 	<?php endif ?>