
Any File format can be uploaded on the Patient ID Card

Open Gicheha opened this issue 5 years ago • 13 comments

A) Your outreachy username : gicheha

B) Issue title : Patient ID card can be updated using executable files and scripts

C) Site affected: The patient site, on the documents section

D) Bug report date : March 10, 2019

E) OS/ browser used: Windows/Chrome

F) Which workflow module in LHEHR : “Documents” under “Patient”.

G) Steps to reproduce the bug :
● Select the Patient/Client menu item and select the finder option.
● Select a patient or search for one using the search fields.
● Once a patient is selected, select the summary option on the patient's menu.
● On the summary screen, select the documents tab.
● Select patient information.
● Select Patient ID card.
● Choose the file to upload, then click on the upload button.

H) At point of bug, the expected behavior : Files of undesired format should be rejected and a prompt shown to advise the user on the appropriate file format.

I) Details of what actually happened : There was no prompt or alert box for the invalid information, whereas the PHP errors and warnings were displayed on the screen.

J) Provide relevant screenshots : Patient ID card file upload excecutable_file

K) Estimated bug Severity : The bug is critical as it is a security flaw

Gicheha avatar Mar 10 '19 15:03 Gicheha

Yes, we would not want any kind of file to be uploaded; imagine some freaking .bat file up there and running a cron job. You can validate by size and extensions.

On Sun, Mar 10, 2019, 16:45 Gicheha [email protected] wrote:

A) Your outreachy username : gicheha

B) Issue title : Patient ID card can be updated using executable files and scripts

C) Site affected: The patient site, on the documents section

D) Bug report date : March 10, 2019

E) OS/ browser used: Windows/Chrome

F) Which workflow module in LHEHR : “Documents” under “Patient”.

G) Steps to reproduce the bug :
● Select the Patient/Client menu item and select the finder option.
● Select a patient or search for one using the search fields.
● Once a patient is selected, select the summary option on the patient's menu.
● On the summary screen, select the documents tab.
● Select patient information.
● Select Patient ID card.
● Choose the file to upload, then click on the upload button.

H) At point of bug, the expected behavior : Files of undesired format should be rejected and a prompt shown to advise the user on the appropriate file format.

I) Details of what actually happened : There was no prompt or alert box for the invalid information, whereas the PHP errors and warnings were displayed on the screen.

J) Provide relevant screenshots : Patient ID card file upload [image: excecutable_file] https://user-images.githubusercontent.com/9331796/54087407-a45ea480-4363-11e9-9e23-ebd2a684aeaa.PNG

K) Estimated bug Severity : The bug is critical as it is a security flaw

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/LibreHealthIO/lh-ehr/issues/1428, or mute the thread https://github.com/notifications/unsubscribe-auth/APl-XlOXB8yBeJ2m5_ct2uiQCM0wq3UCks5vVSirgaJpZM4bnVa7 .

muarachmann avatar Mar 10 '19 17:03 muarachmann
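The validation the comment above asks for (size and extension checks, plus a user-facing rejection instead of PHP warnings) looks roughly like this on the server side. This is an added example, not lh-ehr code; the allow-list, the 2 MiB limit, the form field name `idcard`, the storage directory and the `storeIdCard`/`validateIdCardUpload` function names are all assumptions made for the illustration.

```php
<?php
// Added example, not lh-ehr code. Server-side checks for a patient ID card upload.
// Assumed policy: only JPG/PNG/PDF, at most 2 MiB, stored under a server-chosen name.

const ID_CARD_ALLOWED = [            // extension => MIME types it may legitimately carry
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];
const ID_CARD_MAX_BYTES = 2 * 1024 * 1024;   // assumed limit

/**
 * Validate one entry of $_FILES. Returns null when the file is acceptable,
 * otherwise a message suitable for showing to the user.
 */
function validateIdCardUpload(array $file): ?string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'The upload did not complete; please try again.';
    }
    if ($file['size'] === 0 || $file['size'] > ID_CARD_MAX_BYTES) {
        return 'The ID card must be a non-empty file of at most 2 MB.';
    }

    // Extension check on the client-supplied name: cheap, but never sufficient on its own.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ID_CARD_ALLOWED)) {
        return 'Unsupported file type. Please upload a JPG, PNG or PDF image of the ID card.';
    }

    // Content check: sniff the MIME type from the bytes on disk. Neither the file name
    // nor the browser-supplied $file['type'] can be trusted, as both come from the uploader.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, ID_CARD_ALLOWED[$ext], true)) {
        return 'The file content does not match its extension; please upload a JPG, PNG or PDF.';
    }
    return null;
}

/**
 * Validate and move the upload into $storageDir (assumed to be outside the web root).
 * Throws InvalidArgumentException with the user-facing reason when the file is rejected.
 */
function storeIdCard(array $file, string $storageDir, int $patientId): string
{
    $reason = validateIdCardUpload($file);
    if ($reason !== null) {
        throw new InvalidArgumentException($reason);
    }
    // Ignore the uploaded name entirely: build a server-chosen name so nothing the
    // user typed can influence the path, and keep the extension we already verified.
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = sprintf('%s/idcard_%d_%s.%s',
        rtrim($storageDir, '/'), $patientId, bin2hex(random_bytes(8)), $ext);

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the uploaded ID card.');
    }
    chmod($dest, 0640);   // readable by the application, never executable
    return $dest;
}

// Usage in the upload handler: report the reason to the user instead of letting
// PHP errors and warnings surface on the page.
if (isset($_FILES['idcard'])) {
    try {
        storeIdCard($_FILES['idcard'], '/var/lib/lhehr/idcards', (int) ($_POST['pid'] ?? 0));
        echo 'ID card stored.';
    } catch (InvalidArgumentException $e) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two points worth keeping in mind with this pattern: the MIME sniff only confirms that the bytes start like an image or PDF, so the storage directory should sit outside the web root and files should be served back through a script that sets its own Content-Type and a Content-Disposition header rather than by a direct URL; and the same checks must run in the server-side handler (the `C_Document` / `Document.class.php` code paths mentioned below), since anything done only in the JavaScript file explorer can be bypassed.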

Thanks...I am on it

Gicheha avatar Mar 10 '19 18:03 Gicheha

@muarachmann Kindly assist with the location of the affected files. I have only managed to find the PHP script for uploading the profile photo; the file explorer page is JavaScript generated, making it a bit tricky to trace the files. Thanks in advance.

Gicheha avatar Mar 11 '19 19:03 Gicheha

@Gicheha what files have you found?

muarachmann avatar Mar 12 '19 07:03 muarachmann

@muarachmann I think we are not getting each other. I mean the files containing the code that uploads the patient docs; those are the files I cannot find.

Gicheha avatar Mar 12 '19 07:03 Gicheha

@aethelwulffe could you please help here thanks

muarachmann avatar Mar 12 '19 16:03 muarachmann

I will try to hunt them down. A good little project would be to gather up all the functions and put them in a monolithic feature directory under /modules. I think that this still uses the old document tree asset.

aethelwulffe avatar Mar 12 '19 16:03 aethelwulffe

LibreEHR\controllers\C_Document.class.php:

aethelwulffe avatar Mar 12 '19 16:03 aethelwulffe

LibreEHR\interface\patient_file\upload_dialog.php
LibreEHR\library\classes\Document.class.php:

aethelwulffe avatar Mar 12 '19 16:03 aethelwulffe

@aethelwulffe @muarachmann thanks a lot checking it out

Gicheha avatar Mar 12 '19 16:03 Gicheha

I think under interface/patient_file/summary and other places, but these file names will get you everywhere you need to get to.

aethelwulffe avatar Mar 12 '19 16:03 aethelwulffe

I want to contribute

GH-aditya avatar Jan 31 '23 11:01 GH-aditya

Hi @GH-aditya, we are actually porting to Laravel here: https://github.com/LibreHealthIO/lh-ehr-laravel. Please go through this and ping me if you have any issues: https://github.com/LibreHealthIO/lh-ehr-laravel/issues/27

muarachmann avatar Jan 31 '23 12:01 muarachmann