RVE-2024-2 prevent loading cache file as external page

This commit is contained in:
Kijin Sung 2024-01-20 00:52:34 +09:00
parent 40b3dcd5f0
commit 1ef2a41971
3 changed files with 21 additions and 4 deletions


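--- a/<lang-en-file path not shown on page>
+++ b/<lang-en-file path not shown on page>
@@ -26,3 +26,6 @@ $lang->opage_proc_php = 'Execute PHP code';
 $lang->opage_proc_tpl = 'Parse as Rhymix template';
 $lang->page_management = 'Manage of page';
 $lang->page_delete_warning = 'If you delete a page, the files of the page will be removed also.';
+$lang->msg_not_selected_page = 'Page not selected.';
+$lang->msg_invalid_opage_pc_path = 'Invalid path for the external document for PC.';
+$lang->msg_invalid_opage_mobile_path = 'Invalid path for the external document for Mobile.';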


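--- a/<lang-ko-file path not shown on page>
+++ b/<lang-ko-file path not shown on page>
@@ -27,3 +27,5 @@ $lang->opage_proc_tpl = '템플릿 해석';
 $lang->page_management = '페이지 관리';
 $lang->page_delete_warning = '페이지를 삭제할 때 파일도 함께 삭제합니다';
 $lang->msg_not_selected_page = '선택한 페이지가 없습니다.';
+$lang->msg_invalid_opage_pc_path = '사용할 수 없는 PC용 외부 문서 경로입니다.';
+$lang->msg_invalid_opage_mobile_path = '사용할 수 없는 모바일용 외부 문서 경로입니다.';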


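--- a/<PageAdminController file path not shown on page>
+++ b/<PageAdminController file path not shown on page>
@@ -19,15 +19,26 @@ class PageAdminController extends Page
 */
 function procPageAdminInsert()
 {
-// Create model/controller object of the module module
-$oModuleController = getController('module');
-$oModuleModel = getModel('module');
 // Set board module
 $args = Context::getRequestVars();
 $args->module = 'page';
 $args->mid = $args->page_name; //because if mid is empty in context, set start page mid
 $args->path = (!$args->path) ? '' : $args->path;
 $args->mpath = (!$args->mpath) ? '' : $args->mpath;
+if (preg_match('!\bfiles/cache/!i', $args->path))
+{
+$this->setError(-1);
+$this->setMessage('msg_invalid_opage_pc_path');
+$this->setRedirectUrl(Context::get('success_return_url'));
+return;
+}
+if (preg_match('!\bfiles/cache/!i', $args->mpath))
+{
+$this->setError(-1);
+$this->setMessage('msg_invalid_opage_mobile_path');
+$this->setRedirectUrl(Context::get('success_return_url'));
+return;
+}
 $args->opage_proc_php = $args->opage_proc_php ?? 'N';
 $args->opage_proc_tpl = $args->opage_proc_tpl ?? 'N';
 if ($args->opage_proc_tpl === 'Y')
@@ -46,7 +57,7 @@ class PageAdminController extends Page
 if($args->module_srl)
 {
 $columnList = array('module_srl');
-$module_info = $oModuleModel->getModuleInfoByModuleSrl($args->module_srl, $columnList);
+$module_info = ModuleModel::getModuleInfoByModuleSrl($args->module_srl, $columnList);
 if($module_info->module_srl != $args->module_srl)
 {
 unset($args->module_srl);
@@ -86,6 +97,7 @@ class PageAdminController extends Page
 }
 }
 // Insert/update depending on module_srl
+$oModuleController = ModuleController::getInstance();
 if(!$args->module_srl)
 {
 $output = $oModuleController->insertModule($args);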
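Review bot: The new `files/cache/` checks in the first hunk are a substring denylist run on the raw request values of `$args->path` and `$args->mpath`, so they reject only the spelling the regex anticipates; a value that is written differently but canonicalizes to the same cache directory is not caught. Canonicalize before matching — resolve the value with `realpath()` when the target exists, or at least normalize separators and `.`/`..` segments — and preferably compare the resolved path against an allowlist of directories an external document may live in, rather than maintaining a blocklist of one location. Because both values come straight from `Context::getRequestVars()`, a non-string value (an array, for instance) reaching `preg_match` would most likely raise a `TypeError` on PHP 8, so a `(string)` cast or `is_string` guard at the `$args->path` / `$args->mpath` assignments two lines earlier is worth adding. The two guard blocks differ only in the message key and would read better as one private helper taking the path and the key. `procPageAdminInsert` continues past the hunk, so I cannot see whether the path is validated again before the module is saved.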