fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-10 12:32:14 +09:00
Code Issues Projects Releases Packages Wiki Activity

Fix RVE-2023-6 (procFileDelete, procFileSetCoverImage)

Browse source
This commit is contained in:
Kijin Sung 2023-11-01 22:32:47 +09:00
parent 613518aa28
commit 4a9a89b299
1 changed files with 34 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

48
modules/file/file.controller.php
View file

@ -594,10 +594,17 @@ class FileController extends File
$file_srl = Context::get('file_srl'); $file_srl = Context::get('file_srl');
$file_srls = Context::get('file_srls'); $file_srls = Context::get('file_srls');
if($file_srls) $file_srl = $file_srls; if($file_srls) $file_srl = $file_srls;
// Exit a session if there is neither upload permission nor information
if(!$_SESSION['upload_info'][$editor_sequence]->enabled) exit();
// Exit a session if there is neither upload permission nor information
if (!$_SESSION['upload_info'][$editor_sequence]->enabled)
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
$upload_target_srl = $_SESSION['upload_info'][$editor_sequence]->upload_target_srl; $upload_target_srl = $_SESSION['upload_info'][$editor_sequence]->upload_target_srl;
if (!$upload_target_srl)
{
throw new Rhymix\Framework\Exceptions\TargetNotFound;
}
$srls = explode(',',$file_srl); $srls = explode(',',$file_srl);
if(!count($srls)) return; if(!count($srls)) return;
@ -613,9 +620,9 @@ class FileController extends File
if(!$output->toBool()) continue; if(!$output->toBool()) continue;
$file_info = $output->data; $file_info = $output->data;
if(!$file_info) continue; if(!$file_info || $file_info->upload_target_srl != $upload_target_srl) continue;
if(!FileModel::isDeletable($file_info)) continue; if(!FileModel::isDeletable($file_info)) continue;
if($upload_target_srl && $file_srl) $output = $this->deleteFile($file_srl); $output = $this->deleteFile($file_srl);
} }
} }
@ -1752,17 +1759,32 @@ class FileController extends File
public function procFileSetCoverImage() public function procFileSetCoverImage()
{ {
$vars = Context::getRequestVars(); $vars = Context::getRequestVars();
$logged_info = Context::get('logged_info');
if(!$vars->editor_sequence) throw new Rhymix\Framework\Exceptions\InvalidRequest; // Exit a session if there is neither upload permission nor information
$editor_sequence = $vars->editor_sequence ?? 0;
$upload_target_srl = $_SESSION['upload_info'][$vars->editor_sequence]->upload_target_srl; if (!$vars->editor_sequence)
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
if (!$_SESSION['upload_info'][$editor_sequence]->enabled)
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
$upload_target_srl = $_SESSION['upload_info'][$editor_sequence]->upload_target_srl;
if (!$upload_target_srl)
{
throw new Rhymix\Framework\Exceptions\TargetNotFound;
}
$file_info = FileModel::getFile($vars->file_srl); $file_info = FileModel::getFile($vars->file_srl);
if (!$file_info || $file_info->upload_target_srl != $upload_target_srl)
if(!$file_info) throw new Rhymix\Framework\Exceptions\TargetNotFound; {
throw new Rhymix\Framework\Exceptions\TargetNotFound;
if(!$this->manager && !$file_info->member_srl === $logged_info->member_srl) throw new Rhymix\Framework\Exceptions\NotPermitted; }
if(!$this->grant->manager && $file_info->member_srl != $this->user->member_srl)
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
$args = new stdClass(); $args = new stdClass();
$args->file_srl = $vars->file_srl; $args->file_srl = $vars->file_srl;
@ -1781,7 +1803,6 @@ class FileController extends File
if($file_info->cover_image != 'Y') if($file_info->cover_image != 'Y')
{ {
$args->cover_image = 'Y'; $args->cover_image = 'Y';
$output = executeQuery('file.updateCoverImage', $args); $output = executeQuery('file.updateCoverImage', $args);
if(!$output->toBool()) if(!$output->toBool())
@ -1789,7 +1810,6 @@ class FileController extends File
$oDB->rollback(); $oDB->rollback();
return $output; return $output;
} }
} }
$oDB->commit(); $oDB->commit();