From 31877528b1d7e8bc9c45f7837c76b0576072f06f Mon Sep 17 00:00:00 2001
From: jekkos-t520
Date: Fri, 17 Oct 2014 08:29:46 +0200
Subject: [PATCH] Security update for report subpermissions

---
 application/controllers/reports.php | 11 ++++-------
 system/libraries/Email.php | 4 ++++
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/application/controllers/reports.php b/application/controllers/reports.php
index 62c1e9340..9e03d0c4b 100644
--- a/application/controllers/reports.php
+++ b/application/controllers/reports.php
@@ -12,17 +12,14 @@ class Reports extends Secure_area
 parent::__construct('reports');
 $method_name = $this->uri->segment(2);
 $exploder = explode('_', $method_name);
- $submodule_id = preg_match("/(?:inventory)|([^_.]*)(?:_graph)?$/", $method_name, $matches);
- $submodule_id = array_pop($matches);
- if (count($matches) > 1)
- {
- $submodule_id = preg_replace("/^(.*?)s?$/", "$1s", $submodule_id);
- }
+ preg_match("/(?:inventory)|([^_.]*)(?:_graph)?$/", $method_name, $matches);
+ preg_match("/^(.*?)([sy])?$/", array_pop($matches), $matches);
+ $submodule_id = $matches[1] . ((count($matches) > 2) ? $matches[2] : "s");
 $employee_id=$this->Employee->get_logged_in_employee_info()->person_id;
 // check access to report submodule
 if (sizeof($exploder) > 1 && !$this->Employee->has_grant('reports_'.$submodule_id,$employee_id))
 {
- redirect('no_access/'.$submodule_id.'/reports_' . $submodule_id);
+ redirect('no_access/reports/reports_' . $submodule_id);
 }
 $this->load->helper('report');
 }
diff --git a/system/libraries/Email.php b/system/libraries/Email.php
index c9aa6f4b8..7c50ff16b 100644
--- a/system/libraries/Email.php
+++ b/system/libraries/Email.php
@@ -610,6 +610,10 @@ class CI_Email {
 */
 protected function _get_message_id()
 {
+ $from = $this->_headers['Return-Path'];
+ $from = str_replace(">", "", $from);
+ $from = str_replace("<", "", $from);
+
 return "<".uniqid('').strstr($from, '@').">";
 }
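Review bot: The new grant-key derivation never checks the result of the second `preg_match` and reads `$matches[1]`/`$matches[2]` unconditionally, so a segment the pattern fails on (it cannot match a string containing a newline, since `.` excludes it) raises an undefined-offset notice and yields the key `reports_s`; whether that fails closed depends on `has_grant()` rejecting unknown keys, which is not visible here. The method-name-to-grant rule (`inventor`+`y`, `sale`+`s`) is only implied by the regex, so a future report whose last `_` segment does not fit it silently gets a key that may not exist; an explicit method-to-grant map in the controller would make the authorization decision auditable, and at minimum I would add `// derive grant name from the last '_' segment, pluralised unless it already ends in s/y` above the first `preg_match`. Note that the unchanged `sizeof($exploder) > 1` guard still skips the check entirely for any method name without an underscore, so the derivation only protects underscored methods. The constructor's signature lies above the hunk.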
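Review bot: `$this->_headers['Return-Path']` is read without an `isset()` check, and `strstr($from, '@')` returns `false` when the stripped value contains no `@`, so a message whose Return-Path was never set produces an undefined-index notice and a Message-ID of the form `<uniqid>` with no domain part, which is not a valid RFC 5322 msg-id. Only `<` and `>` are removed; whether CR/LF or other header-breaking characters can reach this value depends on validation in the setter, which is outside this hunk and should be confirmed. I would collapse the first three added lines into `$from = isset($this->_headers['Return-Path']) ? str_replace(array('<', '>'), '', $this->_headers['Return-Path']) : '';` and only append the `strstr()` result when it is not `false`.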