Security: escape values when importing username list to anonymize - refs BT#21289

AngelFQC · AngelFQC · commit f2df5d3c9cdb · 2023-12-13T16:33:08.000-05:00
diff --git a/main/admin/user_anonymize_import.php b/main/admin/user_anonymize_import.php
@@ -2,6 +2,7 @@
 
 /* For licensing terms, see /license.txt */
 
+use Chamilo\UserBundle\Entity\User;
 use Doctrine\Common\Collections\Criteria;
 
 /**
@@ -40,23 +41,29 @@
 $step2Form->addButtonUpdate(get_lang('Anonymize'));
 
 if ($step1Form->validate() && $usernameListFile->isUploadedFile()) {
-    $filePath = $usernameListFile->getValue()['tmp_name'];
+    $usernameListFileUploaded = $usernameListFile->getValue();
+    $usernameListFileUploaded['name'] = api_htmlentities($usernameListFileUploaded['name']);
+    $filePath = $usernameListFileUploaded['tmp_name'];
     if (!file_exists($filePath)) {
         throw new Exception(get_lang('CouldNotReadFile').' '.$filePath);
     }
     $submittedUsernames = file($filePath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
     if (false === $submittedUsernames) {
         throw new Exception(get_lang('CouldNotReadFileLines').' '.$filePath);
     }
+
+    $submittedUsernames = array_map('api_htmlentities', $submittedUsernames);
+    $submittedUsernames = array_filter($submittedUsernames);
+
     if (empty($submittedUsernames)) {
         printf(
             '<p>'.get_lang('FileXHasNoData').'</p>',
-            '<em>'.$usernameListFile->getValue()['name'].'</em>'
+            '<em>'.$usernameListFileUploaded['name'].'</em>'
         );
     } else {
         printf(
             '<p>'.get_lang('FileXHasYNonEmptyLines').'</p>',
-            '<em>'.$usernameListFile->getValue()['name'].'</em>',
+            '<em>'.$usernameListFileUploaded['name'].'</em>',
             count($submittedUsernames)
         );
         $uniqueSubmittedUsernames = array_values(array_unique($submittedUsernames));
@@ -116,6 +123,7 @@
         $anonymized = [];
         $errors = [];
         $tableSession = Database::get_main_table(TABLE_MAIN_SESSION);
+        /** @var User $user */
         foreach ($users as $user) {
             $username = $user->getUsername();
             $userId = $user->getId();
