SECISSUE 허용되지 않은 방식으로 act를 실행할 수 있는 문제 고침

This commit is contained in:
YJSoft 2015-10-15 21:20:08 +09:00
parent 0326a8b5d1
commit 421a1fde10


@ -525,6 +525,34 @@ class ModuleHandler extends Handler
$tpl_path = $oModule->getTemplatePath();
$orig_module = $oModule;
$xml_info = $oModuleModel->getModuleActionXml($forward->module);
// SECISSUE also check foward act method
// check REQUEST_METHOD in controller
if($type == 'controller')
{
$allowedMethod = $xml_info->action->{$forward->act}->method;
if(!$allowedMethod)
{
$allowedMethodList[0] = 'POST';
}
else
{
$allowedMethodList = explode('|', strtoupper($allowedMethod));
}
if(!in_array(strtoupper($_SERVER['REQUEST_METHOD']), $allowedMethodList))
{
$this->error = "msg_invalid_request";
$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage();
return $oMessageObject;
}
}
if($type == "view" && Mobile::isFromMobilePhone())
{
$orig_type = "view";
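Review bot: The fallback `$allowedMethodList[0] = 'POST';` only overwrites index 0 and does not reset the array, so if `$allowedMethodList` already holds a list from an earlier method check in the same function (the enclosing method starts outside this hunk), any extra entries from that list would still pass the `in_array` test for the forwarded act. Initialising a fresh array closes that gap: `$allowedMethodList = array('POST');`. The membership test should also pass the strict flag, `in_array(strtoupper($_SERVER['REQUEST_METHOD']), $allowedMethodList, true)`, so only exact uppercase method names match. Note that `$_SERVER['REQUEST_METHOD']` is unset when the script runs from the CLI; if that path is reachable here, guard it with `isset()` before the comparison.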
@ -557,8 +585,6 @@ class ModuleHandler extends Handler
return $oMessageObject;
}
$xml_info = $oModuleModel->getModuleActionXml($forward->module);
if($this->module == "admin" && $type == "view")
{
if($logged_info->is_admin == 'Y')