From 0bd67b93e931711ef50934d38a2f83f724ee534e Mon Sep 17 00:00:00 2001
From: cmadjar
Date: Mon, 20 Feb 2023 15:52:58 -0500
Subject: [PATCH 1/3] fix link to BrainBrowser in the MRI violations module
---
 modules/brainbrowser/php/imageinfo.class.inc | 2 +-
 php/libraries/FilesDownloadHandler.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/brainbrowser/php/imageinfo.class.inc b/modules/brainbrowser/php/imageinfo.class.inc
index f5381d2abf8..73c0229fa8a 100644
--- a/modules/brainbrowser/php/imageinfo.class.inc
+++ b/modules/brainbrowser/php/imageinfo.class.inc
@@ -185,7 +185,7 @@ class ImageInfo extends \NDB_Page
 '' as Visit_label,
 MincFile as File,
 LogID as FileID
- FROM mri_violation_log
+ FROM mri_violations_log
 WHERE LogID IN (" . join(",", $params) .")";
 break;
 case 'CandidateError':
diff --git a/php/libraries/FilesDownloadHandler.php b/php/libraries/FilesDownloadHandler.php
index 319833eb6b5..7ce1b2908c2 100644
--- a/php/libraries/FilesDownloadHandler.php
+++ b/php/libraries/FilesDownloadHandler.php
@@ -67,7 +67,7 @@ public function handle(ServerRequestInterface $request) : ResponseInterface
 );
 }
 //Use basename to remove path traversal characters.
- $filename = basename(strval($request->getAttribute('filename')));
+ $filename = \Utility::resolvePath($request->getAttribute('filename'));
 if (empty($filename)) {
 return new \LORIS\Http\Response\JSON\BadRequest(
From f8de2f174fa3dcab4ebfab46d00d1fe600ff5569 Mon Sep 17 00:00:00 2001
From: cmadjar
Date: Tue, 21 Feb 2023 11:43:03 -0500
Subject: [PATCH 2/3] fix tests
---
 php/libraries/FilesDownloadHandler.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/php/libraries/FilesDownloadHandler.php b/php/libraries/FilesDownloadHandler.php
index 7ce1b2908c2..4faf431a52e 100644
--- a/php/libraries/FilesDownloadHandler.php
+++ b/php/libraries/FilesDownloadHandler.php
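Review bot: The context line `WHERE LogID IN (" . join(",", $params) .")";` builds the IN list by string concatenation, and `$params` is assigned outside this hunk, so the patch does not show whether it holds placeholder names or ids taken from the request. If it holds ids, they should be forced to integers before the join, e.g. `join(",", array_map('intval', $params))`, or passed as bound parameters. A short comment above the query saying which of the two `$params` contains would make this reviewable from the query alone. The enclosing switch and method start and end outside the hunk.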
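Review bot: The comment `//Use basename to remove path traversal characters.` is left above a line that no longer calls `basename()`, so it documents a protection the code stopped applying. `basename()` reduced the attribute to a single file name, whereas `\Utility::resolvePath()` is not shown in this patch; if it only normalises `.` and `..` segments, `$filename` can still contain directory separators, and containment then depends on checks further down in `handle()`, which continues outside the hunk. Reword the comment to the new guarantee, for example `// Normalises the requested path; sub-directories are kept, so the resolved path must be verified to stay inside the download directory.`, and confirm that verification exists. The same stale comment is carried through the hunks of PATCH 2/3 and 3/3.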
@@ -67,7 +67,7 @@ public function handle(ServerRequestInterface $request) : ResponseInterface
 );
 }
 //Use basename to remove path traversal characters.
- $filename = \Utility::resolvePath($request->getAttribute('filename'));
+ $filename = \Utility::resolvePath(strval($request->getAttribute('filename')));
 if (empty($filename)) {
 return new \LORIS\Http\Response\JSON\BadRequest(
From 248eec672cef99f262dc742de15e329e072d7904 Mon Sep 17 00:00:00 2001
From: cmadjar
Date: Tue, 21 Feb 2023 12:04:10 -0500
Subject: [PATCH 3/3] fix test
---
 php/libraries/FilesDownloadHandler.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/php/libraries/FilesDownloadHandler.php b/php/libraries/FilesDownloadHandler.php
index 4faf431a52e..e46d4038d5f 100644
--- a/php/libraries/FilesDownloadHandler.php
+++ b/php/libraries/FilesDownloadHandler.php
@@ -67,7 +67,9 @@ public function handle(ServerRequestInterface $request) : ResponseInterface
 );
 }
 //Use basename to remove path traversal characters.
- $filename = \Utility::resolvePath(strval($request->getAttribute('filename')));
+ $filename = \Utility::resolvePath(
+ strval($request->getAttribute('filename'))
+ );
 if (empty($filename)) {
 return new \LORIS\Http\Response\JSON\BadRequest(