Additional rXSS fix / closes hestiacp#1558

Serghey Rodin · Serghey Rodin · commit c80c4c472e61 · 2018-05-16T17:23:04.000+03:00
diff --git a/web/view/file/index.php b/web/view/file/index.php
@@ -13,10 +13,10 @@
 }
 
 if (!empty($_REQUEST['path'])) {
-    $path = $_REQUEST['path'];
+    $path = htmlspecialchars($_REQUEST['path'], ENT_QUOTES, 'UTF-8');
     if (!empty($_REQUEST['raw'])) {
         header('content-type: image/jpeg');
-        passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg(htmlspecialchars($_REQUEST['path'], ENT_QUOTES, 'UTF-8')));
+        passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg($path));
         exit;
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -13,10 +13,10 @@`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`if (!empty($_REQUEST['path'])) {`
`16`		`- $path = $_REQUEST['path'];`
	`16`	`+ $path = htmlspecialchars($_REQUEST['path'], ENT_QUOTES, 'UTF-8');`
`17`	`17`	`if (!empty($_REQUEST['raw'])) {`
`18`	`18`	`header('content-type: image/jpeg');`
`19`		`- passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg(htmlspecialchars($_REQUEST['path'], ENT_QUOTES, 'UTF-8')));`
	`19`	`+ passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg($path));`
`20`	`20`	`exit;`
`21`	`21`	`}`
`22`	`22`	`}`