Commit ff1a3446 authored by Robert Lyon's avatar Robert Lyon

Security bug 1942903: PDF export can cause command injection vulnerability



When a person names a collection in a certain way the title can be
executed when merging the PDF pages into one collection PDF

Change-Id: Iccca05291d79fe634b40cca11dcc9153a412ab86
Signed-off-by: default avatarRobert Lyon <robertl@catalyst.net.nz>
parent be6d7992
+1 −1
@@ -371,7 +371,7 @@ class PluginExportHtml extends PluginExport {
     */
    public static function text_to_filename($text) {
        // truncates the text and replaces NOT allowed characters to hyphens
        return preg_replace('#["()*/:<>?\\| ]+#', '-', mb_substr($text, 0, parent::MAX_FILENAME_LENGTH, 'utf-8'));
        return preg_replace('#[\;\{\}\$"()*/:<>?\\| ]+#', '-', mb_substr($text, 0, parent::MAX_FILENAME_LENGTH, 'utf-8'));
    }

    /**
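Review bot: The widened character class on the new `return preg_replace(...)` line in `text_to_filename()` is still a denylist, so any shell metacharacter it does not name (backtick, `&`, single quote and newline are not in it) still passes through into the filename. Inside a single-quoted PHP string `\\|` also reaches PCRE as `\|`, an escaped pipe, so a literal backslash is not replaced either. An allowlist would be safer, for example `return preg_replace('#[^\p{L}\p{N}._-]+#u', '-', mb_substr($text, 0, parent::MAX_FILENAME_LENGTH, 'utf-8'));`, with a fallback for the null that the `u` modifier returns on invalid UTF-8. The code that builds the PDF merge command is not visible in this hunk, but it should presumably pass each path through `escapeshellarg()` rather than rely on this function to make titles shell-safe.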