mirror of
https://github.com/Lastorder-DC/rhymix.git
synced 2026-04-02 01:52:10 +09:00
#331 embed whitelist를 관리페이지에서 설정할 수 있도록 추가
This commit is contained in:
bnu
parent
e3ae1b45ab
commit
43fd876dfa
6 changed files with 162 additions and 34 deletions
|
|
@ -441,6 +441,23 @@ body,table,input,textarea,select,button{font-family:나눔고딕,NanumGothic,NG,
|
|||
<dd>파일박스를 관리할 수 있습니다. 파일박스는 관리자가 재사용할 수 있는 이미지 파일을 관리하는 기능입니다. 회원 그룹 아이콘을 등록하면 이미지 파일은 파일박스에 업로드됩니다.</dd>
|
||||
</dl>
|
||||
</section>
|
||||
<section class="h3">
|
||||
<h1 id="UMAN_config_embed_filter">embed Filter</h1>
|
||||
<p><iframe> 또는 <object>, <embed> 태그에 허용 할 URL을 지정할 수 있습니다.<br>주로 domain을 포함한 URL을 지정하여 허용 URL을 지정할 수 있습니다.</p>
|
||||
<p>domain을 포함하지 않은 짧거나 단순한 단어('video', 'swf' 등)만을 지정할 경우 손쉽게 악의적인 접근을 시도할 수 있으니 주의해야 합니다.</p>
|
||||
<dl>
|
||||
<dt id="UMAN_config_embed_filter_iframe">iFrame</dt>
|
||||
<dd>
|
||||
<p><iframe> 태그에 허용 할 URL을 지정할 수 있습니다.</p>
|
||||
<p>예시 : 'http://www.youtube.com/v/...'와 같은 URL을 <iframe>에 허용 하려면 'http://www.youtube.com/v/'처럼 입력하면 됩니다.</p>
|
||||
</dd>
|
||||
<dt id="UMAN_config_embed_filter_object">object / embed</dt>
|
||||
<dd>
|
||||
<p><object>, <embed> 태그에 허용 할 URL을 지정할 수 있습니다.</p>
|
||||
<p>주로 domain을 포함한 URL을 지정하여 허용 URL을 지정할 수 있습니다.<br>예시 : 'http://www.youtube.com/v/...'와 같은 URL을 <object>, <embed>에 허용 하려면 'http://www.youtube.com/v/'처럼 입력하면 됩니다.</p>
|
||||
</dd>
|
||||
</dl>
|
||||
</section>
|
||||
<section class="h3">
|
||||
<h1 id="UMAN_advanced">고급</h1>
|
||||
<dl>
|
||||
|
|
|
|||
|
|
@ -590,37 +590,55 @@ class EmbedFilter
|
|||
|
||||
/**
|
||||
* Make white domain list cache file from xml config file.
|
||||
* @param $whitelist array
|
||||
* @return void
|
||||
*/
|
||||
function _makeWhiteDomainList()
|
||||
function _makeWhiteDomainList($whitelist = NULL)
|
||||
{
|
||||
$whiteUrlXmlFile = FileHandler::getRealPath($this->whiteUrlXmlFile);
|
||||
$whiteUrlCacheFile = FileHandler::getRealPath($this->whiteUrlCacheFile);
|
||||
|
||||
$isMake = false;
|
||||
$isMake = FALSE;
|
||||
if(!file_exists($whiteUrlCacheFile))
|
||||
{
|
||||
$isMake = true;
|
||||
$isMake = TRUE;
|
||||
}
|
||||
if(file_exists($whiteUrlCacheFile) && filemtime($whiteUrlCacheFile) < filemtime($whiteUrlXmlFile))
|
||||
{
|
||||
$isMake = true;
|
||||
$isMake = TRUE;
|
||||
}
|
||||
|
||||
if(gettype($whitelist) == 'array' && gettype($whitelist['object']) == 'array' && gettype($whitelist['iframe']) == 'array')
|
||||
{
|
||||
$isMake = FALSE;
|
||||
}
|
||||
|
||||
if(isset($whitelist) && gettype($whitelist) == 'object')
|
||||
{
|
||||
$isMake = TRUE;
|
||||
}
|
||||
|
||||
if($isMake)
|
||||
{
|
||||
$xmlBuff = FileHandler::readFile($this->whiteUrlXmlFile);
|
||||
$whiteUrlList = array();
|
||||
$whiteIframeUrlList = array();
|
||||
|
||||
$xmlParser = new XmlParser();
|
||||
$domainListObj = $xmlParser->parse($xmlBuff);
|
||||
$embedDomainList = $domainListObj->whiteurl->embed->domain;
|
||||
$iframeDomainList = $domainListObj->whiteurl->iframe->domain;
|
||||
|
||||
$buff = '<?php if(!defined("__XE__")) exit();';
|
||||
$buff .= '$whiteUrlList = array();';
|
||||
$buff .= '$whiteIframeUrlList = array();';
|
||||
if(is_array($embedDomainList))
|
||||
if(gettype($whitelist->object) == 'array' && gettype($whitelist->iframe) == 'array')
|
||||
{
|
||||
$whiteUrlList = $whitelist->object;
|
||||
$whiteIframeUrlList = $whitelist->iframe;
|
||||
}
|
||||
else
|
||||
{
|
||||
$xmlBuff = FileHandler::readFile($this->whiteUrlXmlFile);
|
||||
|
||||
$xmlParser = new XmlParser();
|
||||
$domainListObj = $xmlParser->parse($xmlBuff);
|
||||
$embedDomainList = $domainListObj->whiteurl->embed->domain;
|
||||
$iframeDomainList = $domainListObj->whiteurl->iframe->domain;
|
||||
if(!is_array($embedDomainList)) $embedDomainList = array();
|
||||
if(!is_array($iframeDomainList)) $iframeDomainList = array();
|
||||
|
||||
foreach($embedDomainList AS $key => $value)
|
||||
{
|
||||
$patternList = $value->pattern;
|
||||
|
|
@ -628,16 +646,15 @@ class EmbedFilter
|
|||
{
|
||||
foreach($patternList AS $key => $value)
|
||||
{
|
||||
$buff .= sprintf('$whiteUrlList[] = \'%s\';', $value->body);
|
||||
$whiteUrlList[] = $value->body;
|
||||
}
|
||||
}
|
||||
else
|
||||
$buff .= sprintf('$whiteUrlList[] = \'%s\';', $patternList->body);
|
||||
{
|
||||
$whiteUrlList[] = $patternList->body;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if(is_array($iframeDomainList))
|
||||
{
|
||||
foreach($iframeDomainList AS $key => $value)
|
||||
{
|
||||
$patternList = $value->pattern;
|
||||
|
|
@ -645,20 +662,39 @@ class EmbedFilter
|
|||
{
|
||||
foreach($patternList AS $key => $value)
|
||||
{
|
||||
$buff .= sprintf('$whiteIframeUrlList[] = \'%s\';', $value->body);
|
||||
$whiteIframeUrlList[] = $value->body;
|
||||
}
|
||||
}
|
||||
else
|
||||
$buff .= sprintf('$whiteIframeUrlList[] = \'%s\';', $patternList->body);
|
||||
{
|
||||
$whiteIframeUrlList[] = $patternList->body;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if(Context::getDefaultUrl())
|
||||
$db_info = Context::getDBInfo();
|
||||
|
||||
if($db_info->embed_white_object)
|
||||
{
|
||||
$buff .= sprintf('$whiteIframeUrlList[] = \'%s\';', Context::getDefaultUrl());
|
||||
$whiteUrlList = array_merge($whiteUrlList, $db_info->embed_white_object);
|
||||
}
|
||||
$buff .= '?>';
|
||||
FileHandler::writeFile($this->whiteUrlCacheFile, $buff);
|
||||
|
||||
if($db_info->embed_white_iframe)
|
||||
{
|
||||
$whiteIframeUrlList = array_merge($whiteIframeUrlList, $db_info->embed_white_iframe);
|
||||
}
|
||||
|
||||
$whiteUrlList = array_unique($whiteUrlList);
|
||||
$whiteIframeUrlList = array_unique($whiteIframeUrlList);
|
||||
asort($whiteUrlList);
|
||||
asort($whiteIframeUrlList);
|
||||
|
||||
$buff = array();
|
||||
$buff[] = '<?php if(!defined("__XE__")) exit();';
|
||||
$buff[] = '$whiteUrlList = ' . var_export($whiteUrlList, TRUE) . ';';
|
||||
$buff[] = '$whiteIframeUrlList = ' . var_export($whiteIframeUrlList, TRUE) . ';';
|
||||
|
||||
FileHandler::writeFile($this->whiteUrlCacheFile, implode(PHP_EOL, $buff));
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -490,7 +490,7 @@ class adminAdminController extends admin
|
|||
$db_info->use_sitelock = ($vars->use_sitelock) ? $vars->use_sitelock : 'N';
|
||||
$db_info->sitelock_title = $vars->sitelock_title;
|
||||
$db_info->sitelock_message = $vars->sitelock_message;
|
||||
|
||||
|
||||
$whitelist = $vars->sitelock_whitelist;
|
||||
$whitelist = preg_replace("/[\r|\n|\r\n]+/",",",$whitelist);
|
||||
$whitelist = preg_replace("/\s+/","",$whitelist);
|
||||
|
|
@ -505,16 +505,15 @@ class adminAdminController extends admin
|
|||
if(!IpFilter::validate($whitelist)) {
|
||||
return new Object(-1, 'msg_invalid_ip');
|
||||
}
|
||||
|
||||
|
||||
$db_info->sitelock_whitelist = $whitelist;
|
||||
|
||||
|
||||
$oInstallController = getController('install');
|
||||
if(!$oInstallController->makeConfigFile())
|
||||
{
|
||||
return new Object(-1, 'msg_invalid_request');
|
||||
}
|
||||
|
||||
|
||||
if(!in_array(Context::getRequestMethod(), array('XMLRPC','JSON')))
|
||||
{
|
||||
$returnUrl = Context::get('success_return_url');
|
||||
|
|
@ -522,12 +521,50 @@ class adminAdminController extends admin
|
|||
header('location:' . $returnUrl);
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
||||
function procAdminUpdateEmbedWhitelist()
|
||||
{
|
||||
$vars = Context::getRequestVars();
|
||||
|
||||
$db_info = Context::getDbInfo();
|
||||
|
||||
$white_object = $vars->embed_white_object;
|
||||
$white_object = preg_replace("/[\r\n|\r|\n]+/", '|@|', $white_object);
|
||||
$white_object = preg_replace("/[\s\'\"]+/", '', $white_object);
|
||||
$white_object = explode('|@|', $white_object);
|
||||
$white_object = array_unique($white_object);
|
||||
|
||||
$white_iframe = $vars->embed_white_iframe;
|
||||
$white_iframe = preg_replace("/[\r\n|\r|\n]+/", '|@|', $white_iframe);
|
||||
$white_iframe = preg_replace("/[\s\'\"]+/", '', $white_iframe);
|
||||
$white_iframe = explode('|@|', $white_iframe);
|
||||
$white_iframe = array_unique($white_iframe);
|
||||
|
||||
$whitelist = new stdClass;
|
||||
$whitelist->object = $white_object;
|
||||
$whitelist->iframe = $white_iframe;
|
||||
|
||||
$db_info->embed_white_object = $white_object;
|
||||
$db_info->embed_white_iframe = $white_iframe;
|
||||
|
||||
$oInstallController = getController('install');
|
||||
if(!$oInstallController->makeConfigFile())
|
||||
{
|
||||
return new Object(-1, 'msg_invalid_request');
|
||||
}
|
||||
|
||||
require_once(_XE_PATH_ . 'classes/security/EmbedFilter.class.php');
|
||||
$oEmbedFilter = EmbedFilter::getInstance();
|
||||
$oEmbedFilter->_makeWhiteDomainList($whitelist);
|
||||
|
||||
if(!in_array(Context::getRequestMethod(), array('XMLRPC','JSON')))
|
||||
{
|
||||
$returnUrl = Context::get('success_return_url');
|
||||
if(!$returnUrl) $returnUrl = getNotEncodedUrl('', 'act', 'dispAdminConfigGeneral');
|
||||
header('location:' . $returnUrl);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -446,6 +446,11 @@ class adminAdminView extends admin
|
|||
Context::set('siteTitle', $config->siteTitle);
|
||||
Context::set('htmlFooter', $config->htmlFooter);
|
||||
|
||||
// embed filter
|
||||
require_once(_XE_PATH_ . 'classes/security/EmbedFilter.class.php');
|
||||
$oEmbedFilter = EmbedFilter::getInstance();
|
||||
context::set('embed_white_object', implode(PHP_EOL, $oEmbedFilter->whiteUrlList));
|
||||
context::set('embed_white_iframe', implode(PHP_EOL, $oEmbedFilter->whiteIframeUrlList));
|
||||
|
||||
$columnList = array('modules.mid', 'modules.browser_title', 'sites.index_module_srl');
|
||||
$start_module = $oModuleModel->getSiteInfo(0, $columnList);
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@
|
|||
<action name="procAdminDeleteLogo" type="controller" />
|
||||
<action name="procAdminMenuReset" type="controller" />
|
||||
<action name="procAdminUpdateSitelock" type="controller" />
|
||||
<action name="procAdminUpdateEmbedWhitelist" type="controller" />
|
||||
|
||||
<action name="getAdminFTPList" type="model" />
|
||||
<action name="getAdminFTPPath" type="model" />
|
||||
|
|
|
|||
|
|
@ -131,6 +131,38 @@
|
|||
</div>
|
||||
</div>
|
||||
</section>
|
||||
|
||||
|
||||
<section class="section">
|
||||
<h1>embed Filter {$lang->subtitle_embed_whitelist} <a class="x_icon-question-sign" href="./admin/help/index.html#UMAN_config_embed_filter" target="_blank">{$lang->help}</a></h1>
|
||||
<form action="./" method="post" class="x_form-horizontal">
|
||||
<input type="hidden" name="module" value="admin" />
|
||||
<input type="hidden" name="act" value="procAdminUpdateEmbedWhitelist" />
|
||||
<input type="hidden" name="xe_validator_id" value="modules/admin/tpl/config_general/1" />
|
||||
|
||||
<div class="x_control-group">
|
||||
<label class="x_control-label" for="embed_white_iframe">iFrame <a class="x_icon-question-sign" href="./admin/help/index.html#UMAN_config_embed_filter_iframe" target="_blank">{$lang->help}</a></label>
|
||||
<div class="x_controls" style="margin-right:14px">
|
||||
<textarea name="embed_white_iframe" id="embed_white_iframe" rows="4" style="width:100%;">{$embed_white_iframe}</textarea>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="x_control-group">
|
||||
<label class="x_control-label" for="embed_white_object">object/embed</label>
|
||||
<div class="x_controls" style="margin-right:14px">
|
||||
<textarea name="embed_white_object" id="embed_white_object" rows="4" cols="42" style="width:100%;">{$embed_white_object}</textarea>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="x_clearfix btnArea">
|
||||
<div class="x_pull-right">
|
||||
<button type="submit" class="x_btn x_btn-primary">{$lang->cmd_save}</button>
|
||||
</div>
|
||||
</div>
|
||||
</form>
|
||||
</section>
|
||||
|
||||
|
||||
<section class="section collapsed">
|
||||
<h1>{$lang->subtitle_advanced}</h1>
|
||||
<form action="./" method="post" enctype="multipart/form-data" class="x_form-horizontal">
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue