
Commit f2df5d3

committed
Security: escape values when importing username list to anonymize - refs BT#21289
1 parent d1beb7a commit f2df5d3


1 file changed

+11
-3
lines changed


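--- a/main/admin/user_anonymize_import.php
+++ b/main/admin/user_anonymize_import.php
@@ -2,6 +2,7 @@
 
 /* For licensing terms, see /license.txt */
 
+use Chamilo\UserBundle\Entity\User;
 use Doctrine\Common\Collections\Criteria;
 
 /**
@@ -40,23 +41,29 @@
 $step2Form->addButtonUpdate(get_lang('Anonymize'));
 
 if ($step1Form->validate() && $usernameListFile->isUploadedFile()) {
-$filePath = $usernameListFile->getValue()['tmp_name'];
+$usernameListFileUploaded = $usernameListFile->getValue();
+$usernameListFileUploaded['name'] = api_htmlentities($usernameListFileUploaded['name']);
+$filePath = $usernameListFileUploaded['tmp_name'];
 if (!file_exists($filePath)) {
 throw new Exception(get_lang('CouldNotReadFile').' '.$filePath);
 }
 $submittedUsernames = file($filePath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
 if (false === $submittedUsernames) {
 throw new Exception(get_lang('CouldNotReadFileLines').' '.$filePath);
 }
+
+$submittedUsernames = array_map('api_htmlentities', $submittedUsernames);
+$submittedUsernames = array_filter($submittedUsernames);
+
 if (empty($submittedUsernames)) {
 printf(
 '<p>'.get_lang('FileXHasNoData').'</p>',
-'<em>'.$usernameListFile->getValue()['name'].'</em>'
+'<em>'.$usernameListFileUploaded['name'].'</em>'
 );
 } else {
 printf(
 '<p>'.get_lang('FileXHasYNonEmptyLines').'</p>',
-'<em>'.$usernameListFile->getValue()['name'].'</em>',
+'<em>'.$usernameListFileUploaded['name'].'</em>',
 count($submittedUsernames)
 );
 $uniqueSubmittedUsernames = array_values(array_unique($submittedUsernames));
@@ -116,6 +123,7 @@
 $anonymized = [];
 $errors = [];
 $tableSession = Database::get_main_table(TABLE_MAIN_SESSION);
+/** @var User $user */
 foreach ($users as $user) {
 $username = $user->getUsername();
 $userId = $user->getId();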
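Review bot: The new `$submittedUsernames = array_map('api_htmlentities', $submittedUsernames);` in the second hunk escapes the usernames on input, so the values that feed `array_unique` and the later user lookup (the `Criteria` import and the `foreach ($users as $user)` loop in the third hunk suggest a lookup by username) are HTML-encoded; any username containing `&`, `<`, `>`, `"` or `'` would then fail to match its account and be silently skipped rather than anonymized, unless Chamilo's username rules already exclude those characters, which this page does not show. Escaping belongs at the output points that echo a username (the `printf` calls and whatever reports `$errors`), while the lookup keeps the raw value, e.g. `$submittedUsernames = array_map('trim', $submittedUsernames);` here and `api_htmlentities($username)` where it is printed. Separately, `array_filter($submittedUsernames)` with no callback also drops the literal username `'0'`; `array_filter($submittedUsernames, static fn ($u) => '' !== $u)` keeps it. The `if` block containing these lines continues past the end of the hunk.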
