Don't allow arrays in mid, vid, act, module parameters

2026-01-04 01:01:41 +09:00 · 2025-03-08 14:49:32 +09:00 · 2025-03-08 14:49:32 +09:00 · 609e16fd62
commit 609e16fd62
parent 445f760856
1 changed files with 11 additions and 2 deletions
--- a/classes/context/Context.class.php
+++ b/classes/context/Context.class.php
@ -1489,9 +1489,18 @@ class Context
 		}
 		foreach($val as $_key => $_val)
 		{
-			if(is_array($_val))
+			if($is_array)
 			{
-				$_val = self::_filterRequestVar($key, $_val);
+				if(in_array($key, array('mid', 'vid', 'act', 'module')))
+				{
+					self::$_instance->security_check = 'DENY ALL';
+					self::$_instance->security_check_detail = 'ERR_UNSAFE_VAR';
+					$_val = null;
+				}
+				else
+				{
+					$_val = self::_filterRequestVar($key, $_val);
+				}
 			}
 			elseif($_val = trim($_val))
 			{