Task #228793 chore: Logs implenetation for import ucm functionality#426
Task #228793 chore: Logs implenetation for import ucm functionality#426punambaravkar wants to merge 4 commits intotechjoomla:j4xfrom
| header('Expires: 0'); | ||
| header('Cache-Control: must-revalidate'); | ||
| header('Pragma: public'); | ||
| header('Content-Length: ' . filesize($logFilePath)); |
Check failure
Code scanning / SonarCloud
I/O function calls should not be vulnerable to path injection attacks
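Review bot: `filesize($logFilePath)` is evaluated after three `header()` calls have already run in this fragment, so a missing or unreadable file gives `false`, a PHP warning and an empty `Content-Length` on a response that has already been started. The existence and readability check belongs before the first `header()` call, for example `if (!is_file($logFilePath) || !is_readable($logFilePath)) { return false; }`. The same `$logFilePath` is then passed to `readfile()` in the next fragment, which would benefit from the same guard. The enclosing method starts and ends outside the lines shown, so a check may already exist above them.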
| flush(); | ||
|
|
||
| // Read and output the file content | ||
| readfile($logFilePath); |
Check failure
Code scanning / SonarCloud
I/O function calls should not be vulnerable to path injection attacks
| */ | ||
| public function downloadLog() | ||
| { | ||
| $logFileName = Factory::getApplication()->input->getString('file'); |
@punambaravkar
Take only the file name from the input and use that.
// Use basename() to extract only the filename, preventing directory traversal, and use it in the following lines.
$safeFileName = basename($logFileName);
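Review bot: `downloadLog()` reads the `file` request parameter as its first statement, and nothing in the lines shown verifies a request token or the caller's permission before a log file is served. Import logs may hold record data and server paths, so the download should be limited to authorised backend users. If no such check follows later in the method (its body continues outside this fragment), add one at the top, for example `Session::checkToken('get') or jexit(Text::_('JINVALID_TOKEN'));` followed by `if (!Factory::getApplication()->getIdentity()->authorise('core.manage', '<component>')) { return false; }`, where `<component>` is a placeholder for this extension's name. The docblock above the method should also state who may call it and which directory it serves files from.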
| { | ||
| $logFileName = Factory::getApplication()->input->getString('file'); | ||
|
|
||
| // Full path to the log file |
// Construct the full path.
$baseDir = JPATH_ADMINISTRATOR . '/logs/';
$fullPath = realpath($baseDir . $safeFileName);
// Validate: Ensure the path is within the intended directory.
if (strpos($fullPath, $baseDir) !== 0 || !$fullPath)
{
JError::raiseWarning(404, JText::_('JERROR_ALERTNOAUTHOR'));
return false;
}
|




No description provided.