From 609e16fd62ad1648f97a587c35c0f93a70cc08a4 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Sat, 8 Mar 2025 14:49:32 +0900
Subject: [PATCH] Don't allow arrays in mid, vid, act, module parameters
---
 classes/context/Context.class.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/classes/context/Context.class.php b/classes/context/Context.class.php
index 8acedebf7..9dde027fd 100644
--- a/classes/context/Context.class.php
+++ b/classes/context/Context.class.php
@@ -1489,9 +1489,18 @@ class Context
 }
 foreach($val as $_key => $_val)
 {
- if(is_array($_val))
+ if($is_array)
 {
- $_val = self::_filterRequestVar($key, $_val);
+ if(in_array($key, array('mid', 'vid', 'act', 'module')))
+ {
+ self::$_instance->security_check = 'DENY ALL';
+ self::$_instance->security_check_detail = 'ERR_UNSAFE_VAR';
+ $_val = null;
+ }
+ else
+ {
+ $_val = self::_filterRequestVar($key, $_val);
+ }
 }
 elseif($_val = trim($_val))
 {
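Review bot: The new guard branches on `$is_array`, which is assigned outside this hunk, instead of testing the element with `is_array($_val)`. If that flag describes the outer `$val`, scalar elements of every other array parameter now recurse into `_filterRequestVar()`, so that path should be confirmed to accept a non-array value; if it can ever be false while `$_val` is an array, the element would fall through to `trim($_val)`. The key test `in_array($key, array('mid', 'vid', 'act', 'module'))` is a loose comparison, and `in_array($key, array('mid', 'vid', 'act', 'module'), true)` would stop an integer key such as `0` from matching these names on PHP versions before 8.0. The denied element is set to `null`, but the parameter may still come back array-shaped if the loop stores `$_val` per `$_key`, so later code expecting a string relies on the `security_check` flag being enforced first. A comment above the `DENY ALL` line such as `// routing keys must be scalar; array input is rejected and the request denied downstream` would record that dependency; the function body continues outside the hunk.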