Remove _rx_ajax_compat and _rx_csrf_token from request vars

JSON/XMLRPC 호환성 확보와 CSRF 공격 방지를 위해 사용되는 이 변수들이 Context::getRequestVars()에 포함되어 불필요하게 여기저기 저장되거나 URL에 포함되어 나오는 문제를 방지합니다.
2026-05-11 04:52:14 +09:00 · 2017-07-02 21:46:50 +09:00 · 2017-07-02 21:46:50 +09:00 · 5ae15f4b66
commit 5ae15f4b66
parent 107765a19d
2 changed files with 16 additions and 8 deletions
--- a/classes/context/Context.class.php
+++ b/classes/context/Context.class.php
@ -176,7 +176,15 @@ class Context
 	/**
 	 * Reserved words cache
 	 */
-	private static $_reserved = null;
+	private static $_reserved_words = null;
 	/**
 	 * Reserved keys cache
 	 */
 	private static $_reserved_keys = array(
 		'_rx_ajax_compat' => true,
 		'_rx_csrf_token' => true,
 	);
 	/**
 	 * Singleton instance
@ -1157,7 +1165,7 @@ class Context
 		$requestMethod = self::getRequestMethod();
 		foreach($_REQUEST as $key => $val)
 		{
-			if($val === '' || self::get($key))
+			if($val === '' || isset(self::$_reserved_keys[$key]) || self::get($key))
 			{
 				continue;
 			}
@ -2510,16 +2518,16 @@ class Context
 	 */
 	public static function isReservedWord($word)
 	{
-		if (self::$_reserved === null)
+		if (self::$_reserved_words === null)
 		{
-			self::$_reserved = (include RX_BASEDIR . 'common/defaults/reserved.php');
+			self::$_reserved_words = (include RX_BASEDIR . 'common/defaults/reserved.php');
-			if (!is_array(self::$_reserved))
+			if (!is_array(self::$_reserved_words))
 			{
-				self::$_reserved = array();
+				self::$_reserved_words = array();
 			}
 		}
-		return isset(self::$_reserved[$word]);
+		return isset(self::$_reserved_words[$word]);
 	}
 	/**
--- a/common/framework/security.php
+++ b/common/framework/security.php
@ -304,7 +304,7 @@ class Security
 		{
 			return Session::verifyToken($token);
 		}
-		elseif ($token = \Context::get('_rx_csrf_token'))
+		elseif ($token = $_REQUEST['_rx_csrf_token'])
 		{
 			return Session::verifyToken($token);
 		}