Any File format can be uploaded on the Patient ID Card #1428
Comments
Yes, we would not want any kind of file to be uploaded; imagine some freaking .bat file up there and running a cron job. You can validate by size and extensions.
On Sun, Mar 10, 2019, 16:45 Gicheha ***@***.***> wrote:
A) Your outreachy username : gicheha
B) Issue title : Patient ID card can be updated using executable files and scripts
C) Site affected: The patient site, on the documents section
D) Bug report date : March 10, 2019
E) OS/ browser used: Windows/Chrome
F) Which workflow module in LHEHR : “Documents” under “Patient”.
G) Steps to reproduce the bug :
● Select the Patient/Client menu item and select the finder option.
● Select a patient or search for one using the search fields.
● Once a patient is selected, select the summary option on the patients menu.
● On the summary screen, select the documents tab.
● Select patient information
● Select Patient ID card
● Choose the file to upload then click on the upload button
H) At point of bug, the expected behavior : Files of undesired format should be rejected and a prompt shown to advise the user on the appropriate file format.
I) Details of what actually happened : There was no prompt or alert box for the invalid information, whereas the PHP errors and warnings were displayed on the screen.
J) Provide relevant screenshots :
Patient ID card file upload
[image: excecutable_file] <https://user-images.githubusercontent.com/9331796/54087407-a45ea480-4363-11e9-9e23-ebd2a684aeaa.PNG>
k) Estimated bug Severity : The bug is critical as it is a security flaw
Thanks...I am on it
@muarachmann Kindly assist with the location of the affected files, I have only managed to find the PHP script for uploading the Profile photo...the file explorer page is JavaScript generated, making it a bit tricky to trace the files...Thanks in advance
@Gicheha what files have you found?
@muarachmann I think we are not getting each other...I mean the files containing the code that uploads the patient docs, those are the files I cannot get
@aethelwulffe could you please help here, thanks
I will try to hunt them down. A good little project would be to gather up all the functions and put them in a monolithic feature directory under /modules. I think that this still uses the old document tree asset.
LibreEHR\controllers\C_Document.class.php:
LibreEHR\interface\patient_file\upload_dialog.php
@aethelwulffe @muarachmann thanks a lot, checking it out
I think under interface/patient_file/summary and other places, but these file names will get you everywhere you need to get to.
I want to contribute
Hi @GH-aditya, we are actually porting to Laravel here https://github.com/LibreHealthIO/lh-ehr-laravel. Please go through this and ping me if you have any issues LibreHealthIO/lh-ehr-laravel#27
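The size and extension checks suggested in the first comment, as an added PHP example that is not LibreEHR code; it goes one step further and also compares the sniffed content type with the extension, because the file name is supplied by the client. The helper name, the allowed types and the 2 MiB limit are assumptions.

```php
<?php
// Added example, not LibreEHR code. The allowed types and the 2 MiB limit
// are assumptions; validate_id_card_upload() is a hypothetical helper.
const ID_CARD_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                       'png' => 'image/png', 'pdf' => 'application/pdf'];
const ID_CARD_MAX_BYTES = 2 * 1024 * 1024;

// $file has the shape of one $_FILES entry.
// Returns [bool $ok, string $message, ?string $storeAs].
function validate_id_card_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'Upload failed, please try again.', null];
    }
    // In a web request, also require is_uploaded_file($file['tmp_name']).
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > ID_CARD_MAX_BYTES) {
        return [false, 'File is empty or larger than 2 MiB.', null];
    }
    // Extension allowlist, read from the client-supplied name.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ID_CARD_TYPES)) {
        return [false, 'Only JPG, PNG or PDF files are accepted.', null];
    }
    // The name is client-controlled, so the content must match it too.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ID_CARD_TYPES[$ext]) {
        return [false, 'File content does not match its extension.', null];
    }
    // Store under a server-chosen name, never the client's file name.
    return [true, 'OK', bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed samples: a PNG header (signature + IHDR) and a batch script.
$png = "\x89PNG\r\n\x1a\n\0\0\0\rIHDR" . pack('N2', 1, 1) . "\x08\x06\0\0\0";
$bat = "@echo off\r\necho constructed sample\r\n";
foreach ([['card.png', $png], ['card.bat', $bat], ['card.png', $bat]] as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    [$ok, $msg] = validate_id_card_upload(
        ['name' => $name, 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK]
    );
    printf("%-8s %s: %s\n", $name, $ok ? 'accepted' : 'rejected', $msg);
    unlink($tmp);
}
```

In an upload handler the rejection message is what would be shown to the user, which is the prompt the report's expected behavior asks for.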