Merge branch 'Configuration_Vulnerable' into 'master'

Configuration file vulnerable for variables update See merge request !397

Merge branch 'Configuration_Vulnerable' into 'master'
Configuration file vulnerable for variables update See merge request !397
36597600 · Prasad · 8bbe00f3 · 487c2744 · 36597600
Commit 36597600 authored 5 years ago by Prasad
--- a/modules/Settings/Vtiger/models/ConfigModule.php
+++ b/modules/Settings/Vtiger/models/ConfigModule.php
@@ -136,8 +136,12 @@ class Settings_Vtiger_ConfigModule_Model extends Settings_Vtiger_Module_Model {
 		$fileContent = $this->completeData;
 		$updatedFields = $this->get('updatedFields');
 		$validationInfo = $this->validateFieldValues($updatedFields);
+        $editableFields = $this->getEditableFields();
 		if ($validationInfo === true) {
 			foreach ($updatedFields as $fieldName => $fieldValue) {
+                if(!in_array($fieldName, array_keys($editableFields))){
+                    continue;
+                }
 				$patternString = "\$%s = '%s';";
 				if ($fieldName === 'upload_maxsize') {
 					$fieldValue = $fieldValue * 1048576; //(1024 * 1024)