Rename unsafe file extensions of attachments to prevent XSS and server side code injection.

Jan Böhmer 2022-12-18 18:11:44 +01:00
parent 5ffd44466e
commit 14bbe3d6d6
2 changed files with 47 additions and 1 deletions


@ -144,6 +144,7 @@
<i class="fas fa-fw fa-shield-alt"></i> {% trans %}attachment.secure{% endtrans %}
</span>
</h6>
{% endif %}
{% if attach.secure and not is_granted('show_private', attach) %}
{# Leave blank #}
@ -161,7 +162,7 @@
<i class="fas fa-exclamation-circle fa-fw"></i> {% trans %}attachment.file_not_found{% endtrans %}
</span>
</h6>
{% endif %}
{% endif %}
{% endif %}