mirror/opensourcepos
1
0
Fork 0
mirror of https://github.com/opensourcepos/opensourcepos.git synced 2026-05-17 04:47:45 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
def0c27a0e252668df8d942fc31e16d1edfd7323
opensourcepos/app/Controllers
History
jekkos def0c27a0e fix(security): Path traversal vulnerability in getPicThumb (#4545) 
Security impact:
- Authenticated attackers could read arbitrary files on the server
- Path traversal via unsanitized pic_filename parameter
- Could read .env, config files, encryption keys

Fix:
- Apply basename() to strip directory components
- Validate file extension to allowlist image types only
- Add explicit error response for invalid file types

CVE: Pending
Affected: <= 3.4.2
Reported by: Kamran Saifullah (VulDB)

Co-authored-by: Ollama <ollama@steganos.dev>
2026-05-15 22:04:29 +02:00
..
Attributes.php
[Feature]: Case-sensitive attribute updates and CSV Import attribute deletion capability (#4384)
2026-04-09 11:13:22 +04:00
BaseController.php
chore: sync project files to match upstream templates (#4537)
2026-05-12 15:55:36 +02:00
Cashups.php
Add filter persistence for table views via URL query string (#4400)
2026-03-11 20:11:00 +01:00
Config.php
chore: miscellaneous updates and improvements (#4530)
2026-05-08 09:07:52 +02:00
Customers.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Employees.php
Refactor: Move ADMIN_MODULES to constants, rename methods to camelCase
2026-03-06 17:25:25 +01:00
Expenses_categories.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Expenses.php
Fix review comments: remove redundant loop and add XSS escaping
2026-03-17 15:32:16 +00:00
Giftcards.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Home.php
fix(home): improve internal data type handling for user identification in auth process
2026-04-28 09:56:56 +02:00
index.html
Replace tabs with spaces (#4196)
2025-03-28 21:24:21 +04:00
Item_kits.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Items.php
fix(security): Path traversal vulnerability in getPicThumb (#4545)
2026-05-15 22:04:29 +02:00
Login.php
fix: Handle empty database on fresh install (#4467)
2026-04-08 20:19:25 +00:00
Messages.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
No_access.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Office.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Persons.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Receivings.php
Update to CodeIgniter 4.7.2 (#4485)
2026-04-14 01:05:10 +04:00
Reports.php
feat: Bank transfer and wallet payment option added #4540 (#4547)
2026-05-15 20:50:34 +02:00
Sales.php
feat: Bank transfer and wallet payment option added #4540 (#4547)
2026-05-15 20:50:34 +02:00
Secure_Controller.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Suppliers.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Tax_categories.php
fix(security): prevent SQL injection in tax controller sort columns
2026-04-06 18:37:07 +00:00
Tax_codes.php
fix(security): prevent SQL injection in tax controller sort columns
2026-04-06 18:37:07 +00:00
Tax_jurisdictions.php
fix(security): prevent SQL injection in tax controller sort columns
2026-04-06 18:37:07 +00:00
Taxes.php
fix(security): prevent SQL injection in tax controller sort columns
2026-04-06 18:37:07 +00:00