From 421a1fde100ae372af4e547736993d3271684154 Mon Sep 17 00:00:00 2001
From: YJSoft
Date: Thu, 15 Oct 2015 21:20:08 +0900
Subject: [PATCH] =?UTF-8?q?SECISSUE=20=ED=97=88=EC=9A=A9=EB=90=98=EC=A7=80?=
 =?UTF-8?q?=20=EC=95=8A=EC=9D=80=20=EB=B0=A9=EC=8B=9D=EC=9C=BC=EB=A1=9C=20?=
 =?UTF-8?q?act=EB=A5=BC=20=EC=8B=A4=ED=96=89=ED=95=A0=20=EC=88=98=20?=
 =?UTF-8?q?=EC=9E=88=EB=8A=94=20=EB=AC=B8=EC=A0=9C=20=EA=B3=A0=EC=B9=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 classes/module/ModuleHandler.class.php | 30 ++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/classes/module/ModuleHandler.class.php b/classes/module/ModuleHandler.class.php
index 9fadc71aa..a1a21c1b4 100644
--- a/classes/module/ModuleHandler.class.php
+++ b/classes/module/ModuleHandler.class.php
@@ -525,6 +525,34 @@ class ModuleHandler extends Handler
 $tpl_path = $oModule->getTemplatePath();
 $orig_module = $oModule;
 
+ $xml_info = $oModuleModel->getModuleActionXml($forward->module);
+
+ // SECISSUE also check foward act method
+ // check REQUEST_METHOD in controller
+ if($type == 'controller')
+ {
+ $allowedMethod = $xml_info->action->{$forward->act}->method;
+
+ if(!$allowedMethod)
+ {
+ $allowedMethodList[0] = 'POST';
+ }
+ else
+ {
+ $allowedMethodList = explode('|', strtoupper($allowedMethod));
+ }
+
+ if(!in_array(strtoupper($_SERVER['REQUEST_METHOD']), $allowedMethodList))
+ {
+ $this->error = "msg_invalid_request";
+ $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
+ $oMessageObject->setError(-1);
+ $oMessageObject->setMessage($this->error);
+ $oMessageObject->dispMessage();
+ return $oMessageObject;
+ }
+ }
+
 if($type == "view" && Mobile::isFromMobilePhone())
 {
 $orig_type = "view";
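Review bot: The fallback `$allowedMethodList[0] = 'POST';` in the `if(!$allowedMethod)` branch only overwrites index 0, so if `$allowedMethodList` was already populated by an earlier method check in procModule (the function starts outside this hunk), any further entries such as `GET` survive and the forwarded act is accepted over a method its module XML never allowed. Assigning the whole list, `$allowedMethodList = array('POST');`, makes the default exactly POST regardless of prior state. Reading `$xml_info->action->{$forward->act}->method` for an act that is absent from the XML dereferences a null property and emits a notice before falling back to POST; guarding with `isset($xml_info->action->{$forward->act}->method)` keeps the fail-closed default without the notice. The comment `foward` should read `forward`.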
@@ -557,8 +585,6 @@ class ModuleHandler extends Handler
 return $oMessageObject;
 }
 
- $xml_info = $oModuleModel->getModuleActionXml($forward->module);
-
 if($this->module == "admin" && $type == "view")
 {
 if($logged_info->is_admin == 'Y')