fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-05 09:41:40 +09:00
Code Issues Projects Releases Packages Wiki Activity

Fix RVE-2023-6 (procFileUpload, procFileIframeUpload)

Browse source
This commit is contained in:
Kijin Sung 2023-11-01 22:23:06 +09:00
parent 720193d9b9
commit 613518aa28
1 changed files with 23 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

34
modules/file/file.controller.php
View file

@ -42,10 +42,11 @@ class FileController extends File
} }
// Get upload_target_srl // Get upload_target_srl
$upload_target_srl = intval(Context::get('uploadTargetSrl')) ?: intval(Context::get('upload_target_srl')); $upload_target_srl = $_SESSION['upload_info'][$editor_sequence]->upload_target_srl;
if (!$upload_target_srl) $submitted_upload_target_srl = intval(Context::get('uploadTargetSrl')) ?: intval(Context::get('upload_target_srl'));
if ($submitted_upload_target_srl && $submitted_upload_target_srl !== intval($upload_target_srl))
{ {
$upload_target_srl = $_SESSION['upload_info'][$editor_sequence]->upload_target_srl; throw new Rhymix\Framework\Exceptions\TargetNotFound;
} }
if (!$upload_target_srl) if (!$upload_target_srl)
{ {
@ -173,21 +174,32 @@ class FileController extends File
$editor_sequence = Context::get('editor_sequence'); $editor_sequence = Context::get('editor_sequence');
$callback = Context::get('callback'); $callback = Context::get('callback');
$module_srl = $this->module_srl; $module_srl = $this->module_srl;
$upload_target_srl = intval(Context::get('uploadTargetSrl'));
if(!$upload_target_srl) $upload_target_srl = intval(Context::get('upload_target_srl'));
// Exit a session if there is neither upload permission nor information // Exit a session if there is neither upload permission nor information
if(!$_SESSION['upload_info'][$editor_sequence]->enabled) exit(); if(!$_SESSION['upload_info'][$editor_sequence]->enabled)
// Extract from session information if upload_target_srl is not specified {
if(!$upload_target_srl) $upload_target_srl = $_SESSION['upload_info'][$editor_sequence]->upload_target_srl; throw new Rhymix\Framework\Exceptions\NotPermitted;
// Create if upload_target_srl is not defined in the session information }
if(!$upload_target_srl) $_SESSION['upload_info'][$editor_sequence]->upload_target_srl = $upload_target_srl = getNextSequence();
// Get upload_target_srl
$upload_target_srl = $_SESSION['upload_info'][$editor_sequence]->upload_target_srl;
$submitted_upload_target_srl = intval(Context::get('uploadTargetSrl')) ?: intval(Context::get('upload_target_srl'));
if ($submitted_upload_target_srl && $submitted_upload_target_srl !== intval($upload_target_srl))
{
throw new Rhymix\Framework\Exceptions\TargetNotFound;
}
if (!$upload_target_srl)
{
$upload_target_srl = getNextSequence();
$_SESSION['upload_info'][$editor_sequence]->upload_target_srl = $upload_target_srl;
}
// Delete and then attempt to re-upload if file_srl is requested // Delete and then attempt to re-upload if file_srl is requested
$file_srl = Context::get('file_srl'); $file_srl = Context::get('file_srl');
if($file_srl) if($file_srl)
{ {
$file_info = FileModel::getFile($file_srl); $file_info = FileModel::getFile($file_srl);
if($file_info->file_srl == $file_srl && FileModel::isDeletable($file_info)) if($file_info->file_srl == $file_srl && $file_info->upload_target_srl == $upload_target_srl && FileModel::isDeletable($file_info))
{ {
$this->deleteFile($file_srl); $this->deleteFile($file_srl);
} }