From c5e976d9952bfc75b07284e7469ca4a0ec493606 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Fri, 7 Jan 2022 18:35:23 +0000
Subject: [PATCH 1/2] Add index.php files to upload directories to prevent file traversal
---
 post.php | 1 +
 setup.php | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/post.php b/post.php
index c16def06..84bec7e9 100644
--- a/post.php
+++ b/post.php
@@ -1015,6 +1015,7 @@ if(isset($_POST['add_client'])){
 if(!file_exists("uploads/clients/$session_company_id/$client_id")) {
 mkdir("uploads/clients/$session_company_id/$client_id");
+ file_put_contents("uploads/clients/$session_company_id/$client_id/index.php", "");
 }
 //Add Location
diff --git a/setup.php b/setup.php
index 06406cf8..1855f73e 100644
--- a/setup.php
+++ b/setup.php
@@ -482,9 +482,13 @@ if(isset($_POST['add_company_settings'])){
 $config_aes_key = keygen();
 mkdir_missing("uploads/clients/$company_id");
+ file_put_contents("uploads/clients/$company_id/index.php", "");
 mkdir_missing("uploads/expenses/$company_id");
+ file_put_contents("uploads/expenses/$company_id/index.php", "");
 mkdir_missing("uploads/settings/$company_id");
+ file_put_contents("uploads/settings/$company_id/index.php", "");
 mkdir_missing("uploads/tmp/$company_id");
+ file_put_contents("uploads/tmp/$company_id/index.php", "");
 //Check to see if a file is attached
 if($_FILES['file']['tmp_name'] != ''){
From d0483f24721f9d1a220f22b4eac8f68ddf6b3292 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Fri, 7 Jan 2022 18:36:55 +0000
Subject: [PATCH 2/2] Allow csv file upload
---
 post.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/post.php b/post.php
index 84bec7e9..2a072648 100644
--- a/post.php
+++ b/post.php
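Review bot: In the post.php hunk the guard file is written only inside the `!file_exists` branch, so client directories that already existed before this change never receive an `index.php`; writing it after the `if` block, the way setup.php writes it after each `mkdir_missing()`, closes that gap. In both the post.php and setup.php hunks the return value of `file_put_contents()` is ignored, so a failed write (a directory the web user cannot write to) leaves the directory unguarded with nothing but a PHP warning, e.g. `if (file_put_contents("uploads/clients/$session_company_id/$client_id/index.php", '') === false) { error_log("could not write upload guard file for client $client_id"); }`. An empty `index.php` only suppresses a directory listing; it does not restrict direct requests for files whose names are known, nor the execution of uploaded files, both of which are web-server configuration matters rather than something this patch covers. In setup.php the same two lines are repeated for four directories; if `mkdir_missing()` (defined outside this patch) wrote the guard file itself, every future upload directory would be covered without repeating the pair. The enclosing `if(isset($_POST['add_client']))` and `if(isset($_POST['add_company_settings']))` blocks start and end outside the hunks.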
@@ -5026,7 +5026,7 @@ if(isset($_POST['add_file'])){
 $file_reference_name = md5(time() . $file_name) . '.' . $file_extension;
 // check if file has one of the following extensions
- $allowed_file_extensions = array('jpg', 'gif', 'png', 'pdf', 'txt', 'doc', 'docx', 'xls', 'xlsx', 'zip', 'tar', 'gz');
+ $allowed_file_extensions = array('jpg', 'gif', 'png', 'pdf', 'txt', 'doc', 'docx', 'csv', 'xls', 'xlsx', 'zip', 'tar', 'gz');
 if(in_array($file_extension,$allowed_file_extensions) === false){
 $file_error = 1;
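Review bot: The new `csv` entry is matched by `in_array($file_extension,$allowed_file_extensions) === false` without the strict flag, and how `$file_extension` is derived — in particular whether it is lower-cased — lies outside the hunk, so a file named `report.CSV` may be rejected while `report.csv` passes; `in_array($file_extension, $allowed_file_extensions, true)` together with a visible `strtolower()` on the extension would make the check explicit. The allow-list is extension-only and nothing in the hunk inspects content, so any text payload with a `.csv` suffix is accepted; that is acceptable for a download-only path, but the serving code (not visible here) should deliver these files as attachments rather than rendering them. Style: `array(...)` is the long syntax, `[...]` is the current idiom for the allow-list. The enclosing `if(isset($_POST['add_file']))` block starts and ends outside the hunk.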