
Commit 083b1d2

committed
Security: Add a whitelist of allowed help topics
1 parent 284a750 commit 083b1d2


1 file changed

+20
-1
lines changed


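--- a/main/help/help.php
+++ b/main/help/help.php
@@ -8,8 +8,27 @@
 */
 require_once __DIR__.'/../inc/global.inc.php';
 
+$allowedHelp = [
+'Blogs',
+'Group',
+'Groups',
+'Announcements',
+'Settings',
+'Doc',
+'Dropbox',
+'Exercise',
+'Tracking',
+'User',
+'Links',
+'Path',
+'Survey',
+'Classes',
+'Wiki',
+];
+
 $help_name = isset($_GET['open']) ? Security::remove_XSS($_GET['open']) : null;
-if (empty($help_name)) {
+
+if (empty($help_name) || !in_array($help_name, $allowedHelp)) {
 api_not_allowed(true);
 }
 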
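Review bot: The allowlist check on the new `if` line uses loose `in_array`, so the membership test should pass `true` as the third argument: `if (empty($help_name) || !in_array($help_name, $allowedHelp, true)) {`. Because the allowlist is now the control that decides whether the request proceeds, the value could also be compared before `Security::remove_XSS` rewrites it, so the check no longer depends on how that helper transforms the input; if `remove_XSS` can hand back a non-string (for instance when `open` is submitted as an array), loose `in_array` never matches a string entry and the request is still rejected, but the strict form makes that behaviour explicit rather than incidental. The list is a fixed table, so a comment such as `// Each entry must match the name of an existing help topic; anything else is rejected` above `$allowedHelp` would tell maintainers why additions must be deliberate. How `$help_name` is consumed after the check lies outside the hunk, and the file continues past its last line.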