From 3fab34e030f1826669bc52a427dd28206e78db74 Mon Sep 17 00:00:00 2001
From: Yurii
Date: Sat, 21 Mar 2026 17:37:26 +0200
Subject: [PATCH] sanitize name
---
 application/Espo/Classes/MassAction/User/MassUpdate.php | 4 +++-
 application/Espo/Core/Acl/Cache/Clearer.php | 4 ++--
 application/Espo/Core/FileStorage/Storages/EspoUploadDir.php | 3 ++-
 application/Espo/Core/Portal/Api/Starter.php | 4 +++-
 application/Espo/EntryPoints/Image.php | 4 +++-
 application/Espo/Hooks/Attachment/RemoveFile.php | 4 +++-
 6 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/application/Espo/Classes/MassAction/User/MassUpdate.php b/application/Espo/Classes/MassAction/User/MassUpdate.php
index b2be6509c6..195df40069 100644
--- a/application/Espo/Classes/MassAction/User/MassUpdate.php
+++ b/application/Espo/Classes/MassAction/User/MassUpdate.php
@@ -178,7 +178,9 @@ class MassUpdate implements MassAction
 private function clearRoleCache(string $id): void
 {
- $this->fileManager->removeFile('data/cache/application/acl/' . $id . '.php');
+ $part = basename($id);
+ $this->fileManager->removeFile("data/cache/application/acl/$part.php");
 }
 private function clearPortalRolesCache(): void
diff --git a/application/Espo/Core/Acl/Cache/Clearer.php b/application/Espo/Core/Acl/Cache/Clearer.php
index 6c8d0fc895..6e2d5af982 100644
--- a/application/Espo/Core/Acl/Cache/Clearer.php
+++ b/application/Espo/Core/Acl/Cache/Clearer.php
@@ -63,7 +63,7 @@ class Clearer
 return;
 }
- $part = $user->getId() . '.php';
+ $part = basename($user->getId() . '.php');
 $this->fileManager->remove('data/cache/application/acl/' . $part);
 $this->fileManager->remove('data/cache/application/aclMap/' . $part);
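Review bot: `basename($id)` in clearRoleCache normalizes a malformed id instead of rejecting it, so a value like `x/y` silently becomes `y` and the call removes a different user's ACL cache file; the same normalize-instead-of-reject pattern is repeated in Clearer.php, EspoUploadDir.php, Starter.php, Image.php and RemoveFile.php in this commit, and in Image.php and EspoUploadDir.php the aliased name is read or served rather than merely deleted. Because a directory separator in an id can only come from tampering or corruption, a single shared helper that checks the value against the character set the application actually generates for ids (to be confirmed) and throws would be easier to audit than six inline basename() calls, e.g. `if (!preg_match('/^[A-Za-z0-9]+$/', $id)) { throw new \RuntimeException('Invalid ID.'); }` with the pattern adjusted to the real id alphabet. clearRoleCache fits entirely within the hunk; whether $id is caller-controlled at this point is not visible from it.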
@@ -77,7 +77,7 @@ class Clearer
 ->find();
 foreach ($portals as $portal) {
- $part = $portal->getId() . '/' . $user->getId() . '.php';
+ $part = basename($portal->getId()) . '/' . basename($user->getId() . '.php');
 $this->fileManager->remove('data/cache/application/aclPortal/' . $part);
 $this->fileManager->remove('data/cache/application/aclPortalMap/' . $part);
diff --git a/application/Espo/Core/FileStorage/Storages/EspoUploadDir.php b/application/Espo/Core/FileStorage/Storages/EspoUploadDir.php
index 9d2f960aca..85a06db318 100644
--- a/application/Espo/Core/FileStorage/Storages/EspoUploadDir.php
+++ b/application/Espo/Core/FileStorage/Storages/EspoUploadDir.php
@@ -115,7 +115,8 @@ class EspoUploadDir implements Storage, Local
 protected function getFilePath(Attachment $attachment)
 {
 $sourceId = $attachment->getSourceId();
+ $file = basename($sourceId);
- return 'data/upload/' . $sourceId;
+ return 'data/upload/' . $file;
 }
 }
diff --git a/application/Espo/Core/Portal/Api/Starter.php b/application/Espo/Core/Portal/Api/Starter.php
index a071ec7977..e066db5e11 100644
--- a/application/Espo/Core/Portal/Api/Starter.php
+++ b/application/Espo/Core/Portal/Api/Starter.php
@@ -49,7 +49,9 @@ class Starter extends StarterBase
 SystemConfig $systemConfig,
 ApplicationState $applicationState
 ) {
- $routeCacheFile = 'data/cache/application/slim-routes-portal-' . $applicationState->getPortalId() . '.php';
+ $part = basename($applicationState->getPortalId());
+ $routeCacheFile = 'data/cache/application/slim-routes-portal-' . $part . '.php';
 parent::__construct(
 $requestProcessor,
diff --git a/application/Espo/EntryPoints/Image.php b/application/Espo/EntryPoints/Image.php
index 7eb12269b9..614a66bdd9 100644
--- a/application/Espo/EntryPoints/Image.php
+++ b/application/Espo/EntryPoints/Image.php
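Review bot: `basename($portal->getId())` still passes `.` and `..` through unchanged, since basename() only strips leading directory components, so a portal id of `..` produces `data/cache/application/aclPortal/../<userId>.php` and both remove() calls act one directory above the intended one; the user part is safe only because `.php` is concatenated before basename() is applied. The same gap exists in EspoUploadDir::getFilePath in this commit, where `basename($sourceId)` has nothing appended and `..` or `.` resolves to `data/upload/..` or to the upload directory itself, whatever the storage then does with that path. The portal component needs either a fixed prefix or suffix inside the basename() call or an explicit check, e.g. `$portalPart = basename($portal->getId()); if (in_array($portalPart, ['', '.', '..'], true)) { throw new \RuntimeException('Invalid portal ID.'); }`. The enclosing method starts before this hunk and the foreach body continues past it.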
@@ -174,7 +174,9 @@ class Image implements EntryPoint
 $sourceId = $attachment->getSourceId();
- $cacheFilePath = "data/upload/thumbs/{$sourceId}_$size";
+ $file = basename("{$sourceId}_$size");
+ $cacheFilePath = "data/upload/thumbs/$file";
 if ($useCache && $this->fileManager->isFile($cacheFilePath)) {
 return $this->fileManager->getContents($cacheFilePath);
diff --git a/application/Espo/Hooks/Attachment/RemoveFile.php b/application/Espo/Hooks/Attachment/RemoveFile.php
index 6cd45456e4..ac44452f33 100644
--- a/application/Espo/Hooks/Attachment/RemoveFile.php
+++ b/application/Espo/Hooks/Attachment/RemoveFile.php
@@ -89,7 +89,9 @@ class RemoveFile implements AfterRemove
 $sizeList = array_keys($this->metadata->get(['app', 'image', 'sizes']) ?? []);
 foreach ($sizeList as $size) {
- $filePath = "data/upload/thumbs/{$entity->getSourceId()}_{$size}";
+ $file = basename("{$entity->getSourceId()}_$size");
+ $filePath = "data/upload/thumbs/$file";
 if ($this->fileManager->isFile($filePath)) {
 $this->fileManager->removeFile($filePath);