diff --git a/core/dbsearch.class.php b/core/dbsearch.class.php
index 3aed95306a..ce7a2d3691 100644
--- a/core/dbsearch.class.php
+++ b/core/dbsearch.class.php
@@ -560,12 +560,22 @@ public function serialize($bDevelopParams = false, $aContextParams = array())
 static public function unserialize($sValue)
 {
 $aData = json_decode(urldecode($sValue), true);
- if (is_null($aData))
- {
+ if (!is_array($aData) || count($aData) < 2) {
 throw new CoreException("Invalid filter parameter");
 }
+
+ // Basic type checks to avoid unexpected structures coming from the request
+ if (!isset($aData[0]) || !is_string($aData[0])) {
+ throw new CoreException("Invalid filter parameter: missing or invalid OQL string");
+ }
 $sOql = $aData[0];
- $aParams = $aData[1];
+
+ // Prevent extremely large payloads from being processed
+ if (strlen($sOql) > 20000) {
+ throw new CoreException("Invalid filter parameter: OQL too long");
+ }
+
+ $aParams = is_array($aData[1]) ? $aData[1] : array();
 $aExtraParams = array();
 foreach($aParams as $sParam => $sValue)
 {
diff --git a/pages/graphviz.php b/pages/graphviz.php
index 4fa075b5bb..013ce833aa 100644
--- a/pages/graphviz.php
+++ b/pages/graphviz.php
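Review bot: The new `$aParams = is_array($aData[1]) ? $aData[1] : array();` still reads `$aData[1]` unguarded, so a decoded JSON object that passes the `count($aData) < 2` and `$aData[0]` checks but has no key `1` (for example keys `0` and `"x"`) triggers an undefined-array-key warning instead of the clean rejection the other checks give; use `$aParams = (isset($aData[1]) && is_array($aData[1])) ? $aData[1] : array();`. It is also worth deciding whether a present but non-array `$aData[1]` should be silently replaced by an empty array, as it is now, or rejected with a `CoreException` like the malformed-OQL cases, since the silent fallback hides a malformed request from logs. `strlen()` bounds bytes rather than characters, which is the right unit for a payload size limit, so that check is fine as written. The `foreach` at the end of the hunk continues outside it.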
@@ -127,9 +127,17 @@ function GraphvizLifecycle($sClass)
 @fwrite($rFile, $sDotDescription);
 @fclose($rFile);
 $aOutput = array();
- $CommandLine = "\"$sDotExecutable\" -v -Tsvg < \"$sDotFilePath\" -o \"$sImageFilePath\" 2>&1";
-
- exec($CommandLine, $aOutput, $iRetCode);
+
+ // Build command with escaped arguments to avoid shell injection.
+ // Use the dot executable with input and output file arguments instead of shell redirection.
+ $escapedDot = escapeshellarg($sDotExecutable);
+ $escapedDotInput = escapeshellarg($sDotFilePath);
+ $escapedDotOutput = escapeshellarg($sImageFilePath);
+
+ $CommandLine = $escapedDot.' -v -Tsvg '.$escapedDotInput.' -o '.$escapedDotOutput;
+
+ // exec will capture stdout; redirect stderr to stdout so we get full output in $aOutput
+ exec($CommandLine . ' 2>&1', $aOutput, $iRetCode);
 if ($iRetCode != 0)
 {
 header('Content-type: text/html');
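Review bot: `escapeshellarg()` on the new `$escapedDot`/`$escapedDotInput`/`$escapedDotOutput` lines neutralises shell metacharacters, but on Windows it also replaces `%` and `!` with spaces, so a dot executable or temp-file path containing those characters would stop resolving where the old double-quoted form worked; if Windows is a supported target, add a comment such as `// NOTE: escapeshellarg() strips % and ! on Windows; paths containing them will not resolve` or validate the paths before the call. Passing the input file as a positional argument instead of `<` redirection is also a behaviour change: a `$sDotFilePath` beginning with `-` would be parsed by dot as an option rather than a file — presumably these are application-generated temp paths, so this only needs confirming. The file uses Hungarian naming (`$sDotExecutable`, `$aOutput`), so the new locals read more consistently as `$sEscapedDot`, `$sEscapedDotInput` and `$sEscapedDotOutput`. GraphvizLifecycle starts and ends outside the hunk.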