Fix REQUEST_METHOD checking not working for class types that aren't controller

controller 타입이 아닌 액션에서는 method를 제한하더라도 적용되지 않는 문제 수정
This commit is contained in:
Kijin Sung 2021-04-12 20:43:40 +09:00
parent 8e4bfdc1a7
commit 45efb781ea


@ -350,26 +350,16 @@ class ModuleHandler extends Handler
$kind = 'admin'; $kind = 'admin';
} }
// check REQUEST_METHOD in controller // check REQUEST_METHOD
if($type == 'controller') if(isset($xml_info->action->{$this->act}))
{ {
$allowedMethod = $xml_info->action->{$this->act}->method; $allowedMethodList = explode('|', $xml_info->action->{$this->act}->method);
if(!in_array($_SERVER['REQUEST_METHOD'], $allowedMethodList))
if(!$allowedMethod)
{
$allowedMethodList[0] = 'POST';
}
else
{
$allowedMethodList = explode('|', strtoupper($allowedMethod));
}
if(!in_array(strtoupper($_SERVER['REQUEST_METHOD']), $allowedMethodList))
{ {
return self::_createErrorMessage(-1, 'msg_method_not_allowed', 405); return self::_createErrorMessage(-1, 'msg_method_not_allowed', 405);
} }
} }
// check CSRF for non-GET (POST, PUT, etc.) actions // check CSRF for non-GET (POST, PUT, etc.) actions
if(Context::getRequestMethod() !== 'GET' && Context::isInstalled()) if(Context::getRequestMethod() !== 'GET' && Context::isInstalled())
{ {
@ -430,9 +420,9 @@ class ModuleHandler extends Handler
} }
// 1. Look for the module with action name // 1. Look for the module with action name
if(preg_match('/^([a-z]+)([A-Z])([a-z0-9\_]+)(.*)$/', $this->act, $matches)) if(preg_match('/^[a-z]+([A-Z][a-z0-9\_]+).*$/', $this->act, $matches))
{ {
$module = strtolower($matches[2] . $matches[3]); $module = strtolower($matches[1]);
$xml_info = ModuleModel::getModuleActionXml($module); $xml_info = ModuleModel::getModuleActionXml($module);
if($xml_info->action->{$this->act} && ($this->module == 'admin' || $xml_info->action->{$this->act}->standalone != 'false')) if($xml_info->action->{$this->act} && ($this->module == 'admin' || $xml_info->action->{$this->act}->standalone != 'false'))
@ -478,27 +468,13 @@ class ModuleHandler extends Handler
} }
} }
// SECISSUE also check foward act method // SECISSUE also check REQUEST_METHOD for forwarded actions
// check REQUEST_METHOD in controller $allowedMethodList = explode('|', $xml_info->action->{$this->act}->method);
if($type == 'controller') if(!in_array($_SERVER['REQUEST_METHOD'], $allowedMethodList))
{ {
$allowedMethod = $xml_info->action->{$forward->act}->method; return self::_createErrorMessage(-1, 'msg_method_not_allowed', 405);
if(!$allowedMethod)
{
$allowedMethodList[0] = 'POST';
}
else
{
$allowedMethodList = explode('|', strtoupper($allowedMethod));
}
if(!in_array(strtoupper($_SERVER['REQUEST_METHOD']), $allowedMethodList))
{
return self::_createErrorMessage(-1, 'msg_method_not_allowed', 405);
}
} }
// check CSRF for non-GET (POST, PUT, etc.) actions // check CSRF for non-GET (POST, PUT, etc.) actions
if(Context::getRequestMethod() !== 'GET' && Context::isInstalled()) if(Context::getRequestMethod() !== 'GET' && Context::isInstalled())
{ {