fix: [security] lfi via custom terms file setting, as reported by Ianis BERNARD - NATO Cyber Security Centre

pull/8227/head
Luciano Righetti 2022-03-17 15:36:15 +01:00
parent 1b5edc99cf
commit 8cc93687dc
1 changed files with 2 additions and 1 deletions


@ -5,7 +5,8 @@
if (!Configure::read('MISP.terms_file')) {
$termsFile = APP ."View/Users/terms";
} else {
$termsFile = APP . 'files' . DS . 'terms' . DS . Configure::read('MISP.terms_file');
$customTermsFile = basename(realpath(Configure::read('MISP.terms_file')));
$termsFile = APP . 'files' . DS . 'terms' . DS . $customTermsFile;
}
if (!(file_exists($termsFile))) {
echo "<p>" . __("Terms and Conditions file not found.") . "</p>";
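Review bot: On the added `$customTermsFile` line, `realpath()` is applied to the bare setting value, so it resolves against the process working directory rather than `APP . 'files' . DS . 'terms'`. Unless the same name also exists relative to the working directory, `realpath()` returns `false`, `basename(false)` yields an empty string, and `$termsFile` becomes the terms directory itself, which `file_exists()` accepts. `basename()` alone already strips directory components, so `$customTermsFile = basename(Configure::read('MISP.terms_file'));` keeps the traversal fix without that dependency, and `if (!is_file($termsFile)) {` would make the not-found branch reject a directory. The code that reads `$termsFile` is outside the hunk, so its behaviour when handed a directory is not visible here.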