dbxe
/
fusionpbx
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update xml_cdr.php 

Use the permission_exists and is_uuid conditions at the top of the download class method. If false use return to prevent running code without the right permission and a valid uuid.
This commit is contained in:
FusionPBX 2025-03-26 18:34:54 -06:00 committed by GitHub
parent 5f7ef8848e
commit 7fe291dfcf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 56 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
app/xml_cdr/resources/classes/xml_cdr.php
View File

@ -1988,10 +1988,20 @@
* download the recordings
*/
public function download() {
if (permission_exists('xml_cdr_view')) {
//check the permission
if (!permission_exists('xml_cdr_view')) {
//echo "permission denied";
return;
}
//check for a valid uuid
if (!is_uuid($this->recording_uuid)) {
//echo "invalid uuid";
return;
}
//get call recording from database
if (is_uuid($this->recording_uuid)) {
$sql = "select record_name, record_path from v_xml_cdr ";
$sql .= "where xml_cdr_uuid = :xml_cdr_uuid ";
$parameters['xml_cdr_uuid'] = $this->recording_uuid;
@ -2001,7 +2011,6 @@
$record_path = $row['record_path'];
}
unset ($sql, $parameters, $row);
}
//build full path
$record_file = $record_path.'/'.$record_name;
@ -2041,8 +2050,6 @@
fpassthru($fd);
}
}
} //end download method
/*