Skip to content

N°8632 - Various fixes#814

Merged
eespie merged 9 commits intosupport/3.2from
issue/8632_hardening
Feb 25, 2026
Merged

N°8632 - Various fixes#814
eespie merged 9 commits intosupport/3.2from
issue/8632_hardening

Conversation

@eespie
Copy link
Member

@eespie eespie commented Feb 19, 2026
edited
Loading

Base information

https://support.combodo.com/pages/UI.php?operation=details&class=Bug&id=8632
Bug fix

Checklist before requesting a review

  • I have performed a self-review of my code
  • I have tested all changes I made on an iTop instance
  • I have added a unit test, otherwise I have explained why I couldn't
  • Is the PR clear and detailed enough so anyone can understand digging in the code?

Checklist of things to do before PR is ready to merge

  • ...
  • ...
  • ...

@eespie eespie requested a review from Copilot February 19, 2026 13:54
@eespie eespie self-assigned this Feb 19, 2026
@CombodoApplicationsAccount CombodoApplicationsAccount added the internal Work made by Combodo label Feb 19, 2026
@eespie eespie requested a review from steffunky February 19, 2026 13:54
Copilot AI reviewed Feb 19, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request addresses security vulnerability N°8632 by preventing path traversal attacks in the parameter file loading mechanism. The fix ensures that parameter files can only be loaded from within the iTop installation directory (APPROOT), preventing attackers from loading arbitrary files from the server's filesystem.

Changes:

  • Added security validation to LoadParamFile() to restrict file access to within APPROOT
  • Added a test case to verify the security fix works correctly

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
application/utils.inc.php Added AbsolutePath() call to validate parameter file paths are within APPROOT before loading
tests/php-unit-tests/unitary-tests/application/utilsTest.php Added test for LoadParamFile() security validation

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Molkobain Molkobain changed the title N°8632 - various fixes N°8632 - Various fixes Feb 23, 2026
@eespie eespie closed this Feb 23, 2026
@eespie eespie reopened this Feb 23, 2026
@eespie eespie requested a review from Copilot February 24, 2026 15:28
Copilot AI reviewed Feb 24, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 5 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

eespie and others added 3 commits February 25, 2026 10:15
@eespie
Update webservices/export.php
0f9bcfe 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@eespie
Update tests/php-unit-tests/unitary-tests/application/utilsTest.php
af520a2 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@eespie
✅ Fix CI
7d87959
@eespie eespie merged commit f82389d into support/3.2 Feb 25, 2026
@eespie eespie deleted the issue/8632_hardening branch February 25, 2026 09:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@steffunky steffunky steffunky approved these changes

Assignees

@eespie eespie

Labels

internal Work made by Combodo

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@eespie @steffunky @CombodoApplicationsAccount