Fix XEVE-18-006

classes/context/Context.class.php

@@ -295,13 +295,14 @@ class Context
 
 		// Load language support.
 		$enabled_langs = self::loadLangSelected();
+		$set_lang_cookie = false;
 		self::set('lang_supported', $enabled_langs);
 		
 		if($lang_type = self::get('l'))
 		{
 			if($_COOKIE['lang_type'] !== $lang_type)
 			{
-				setcookie('lang_type', $lang_type, time() + 86400 * 365, '/', null, !!config('session.use_ssl_cookies'));
+				$set_lang_cookie = true;
 			}
 		}
 		elseif($_COOKIE['lang_type'])
@@ -317,12 +318,18 @@ class Context
 					if(!strncasecmp($lang_code, $_SERVER['HTTP_ACCEPT_LANGUAGE'], strlen($lang_code)))
 					{
 						$lang_type = $lang_code;
-						setcookie('lang_type', $lang_type, time() + 86400 * 365, '/', null, !!config('session.use_ssl_cookies'));
+						$set_lang_cookie = true;
 					}
 				}
 			}
 		}
 		
+		$lang_type = preg_replace('/[^a-zA-Z0-9_-]/', '', $lang_type);
+		if ($set_lang_cookie)
+		{
+			setcookie('lang_type', $lang_type, time() + 86400 * 365, '/', null, !!config('session.use_ssl_cookies'));
+		}
+		
 		if(!$lang_type || !isset($enabled_langs[$lang_type]))
 		{
 			if($site_module_info->settings->language)
@@ -887,6 +894,7 @@ class Context
 		{
 			self::$_instance->db_info = new stdClass;
 		}
+		
 		self::$_instance->db_info->lang_type = $lang_type;
 		self::$_instance->lang_type = $lang_type;
 		self::set('lang_type', $lang_type);

modules/comment/comment.controller.php

@@ -393,6 +393,12 @@ class commentController extends comment
 		// Remove manual member info to prevent forgery. This variable can be set by triggers only.
 		unset($obj->manual_member_info);
 		
+		// Sanitize variables
+		$obj->comment_srl = intval($obj->comment_srl);
+		$obj->module_srl = intval($obj->module_srl);
+		$obj->document_srl = intval($obj->document_srl);
+		$obj->parent_srl = intval($obj->parent_srl);
+		
 		// call a trigger (before)
 		$output = ModuleHandler::triggerCall('comment.insertComment', 'before', $obj);
 		if(!$output->toBool())
@@ -756,7 +762,13 @@ class commentController extends comment
 
 		// Remove manual member info to prevent forgery. This variable can be set by triggers only.
 		unset($obj->manual_member_info);
-
+		
+		// Sanitize variables
+		$obj->comment_srl = intval($obj->comment_srl);
+		$obj->module_srl = intval($obj->module_srl);
+		$obj->document_srl = intval($obj->document_srl);
+		$obj->parent_srl = intval($obj->parent_srl);
+		
 		// call a trigger (before)
 		$output = ModuleHandler::triggerCall('comment.updateComment', 'before', $obj);
 		if(!$output->toBool())

modules/document/document.admin.controller.php

@@ -412,8 +412,9 @@ class documentAdminController extends document
 		}
 		if(!is_array($document_srl_list))
 		{
-			$document_srl_list = array_map('intval', array_map('trim', explode(',', $document_srl_list)));
+			$document_srl_list = array_map('trim', explode(',', $document_srl_list));
 		}
+		$document_srl_list = array_map('intval', $document_srl_list);
 		
 		$obj = new stdClass;
 		$obj->document_srls = $document_srl_list;
@@ -508,8 +509,9 @@ class documentAdminController extends document
 		}
 		if(!is_array($document_srl_list))
 		{
-			$document_srl_list = array_map('intval', array_map('trim', explode(',', $document_srl_list)));
+			$document_srl_list = array_map('trim', explode(',', $document_srl_list));
 		}
+		$document_srl_list = array_map('intval', $document_srl_list);
 		
 		$obj = new stdClass;
 		$obj->document_srls = $document_srl_list;
@@ -601,7 +603,7 @@ class documentAdminController extends document
 	{
 		$args = new stdClass;
 		$args->page = 0;
-		$args->module_srl = $module_srl;
+		$args->module_srl = intval($module_srl);
 		$document_list = executeQueryArray('document.getDocumentList', $args, array('document_srl'))->data;
 		
 		// delete documents

modules/document/document.controller.php

@@ -399,6 +399,11 @@ class documentController extends document
 		if(!$isRestore) $obj->ipaddress = $_SERVER['REMOTE_ADDR'];
 		$obj->isRestore = $isRestore ? true : false;
 		
+		// Sanitize variables
+		$obj->document_srl = intval($obj->document_srl);
+		$obj->category_srl = intval($obj->category_srl);
+		$obj->module_srl = intval($obj->module_srl);
+		
 		// Default Status
 		if($obj->status)
 		{
@@ -606,7 +611,15 @@ class documentController extends document
 			return new BaseObject(-1, 'msg_security_violation');
 		}
 		
-		if(!$source_obj->document_srl || !$obj->document_srl) return new BaseObject(-1, 'msg_invalied_request');
+		if(!$source_obj->document_srl || !$obj->document_srl)
+		{
+			return new BaseObject(-1, 'msg_invalied_request');
+		}
+		
+		// Sanitize variables
+		$obj->document_srl = intval($obj->document_srl);
+		$obj->category_srl = intval($obj->category_srl);
+		$obj->module_srl = intval($obj->module_srl);
 		
 		// Default Status
 		if($obj->status)
@@ -2234,6 +2247,7 @@ class documentController extends document
 	function makeCategoryFile($module_srl)
 	{
 		// Return if there is no information you need for creating a cache file
+		$module_srl = intval($module_srl);
 		if(!$module_srl) return false;
 		// Get module information (to obtain mid)
 		$oModuleModel = getModel('module');
@@ -2243,8 +2257,8 @@ class documentController extends document
 
 		if(!is_dir('./files/cache/document_category')) FileHandler::makeDir('./files/cache/document_category');
 		// Cache file's name
-		$xml_file = sprintf("./files/cache/document_category/%s.xml.php", $module_srl);
-		$php_file = sprintf("./files/cache/document_category/%s.php", $module_srl);
+		$xml_file = sprintf("./files/cache/document_category/%d.xml.php", $module_srl);
+		$php_file = sprintf("./files/cache/document_category/%d.php", $module_srl);
 		// Get a category list
 		$args = new stdClass();
 		$args->module_srl = $module_srl;
@@ -2628,7 +2642,7 @@ class documentController extends document
 		$obj->document_list = array();
 		$obj->document_srl_list = array();
 		$obj->target_module_srl = intval(Context::get('module_srl') ?: Context::get('target_module'));
-		$obj->target_category_srl = Context::get('target_category');
+		$obj->target_category_srl = intval(Context::get('target_category'));
 		$obj->manager_message = Context::get('message_content') ? nl2br(escape(strip_tags(Context::get('message_content')))) : '';
 		$obj->send_message = $obj->manager_message || Context::get('send_default_message') == 'Y';
 		$obj->return_message = '';

modules/document/document.model.php

@@ -671,7 +671,8 @@ class documentModel extends document
 	function getCategoryList($module_srl, $columnList = array())
 	{
 		// Category of the target module file swollen
-		$filename = sprintf("%sfiles/cache/document_category/%s.php", _XE_PATH_, $module_srl);
+		$module_srl = intval($module_srl);
+		$filename = sprintf("%sfiles/cache/document_category/%d.php", _XE_PATH_, $module_srl);
 		// If the target file to the cache file regeneration category
 		if(!file_exists($filename))
 		{
@@ -771,7 +772,8 @@ class documentModel extends document
 	 */
 	function getCategoryXmlFile($module_srl)
 	{
-		$xml_file = sprintf('files/cache/document_category/%s.xml.php',$module_srl);
+		$module_srl = intval($module_srl);
+		$xml_file = sprintf('files/cache/document_category/%d.xml.php',$module_srl);
 		if(!file_exists($xml_file))
 		{
 			$oDocumentController = getController('document');
@@ -787,7 +789,8 @@ class documentModel extends document
 	 */
 	function getCategoryPhpFile($module_srl)
 	{
-		$php_file = sprintf('files/cache/document_category/%s.php',$module_srl);
+		$module_srl = intval($module_srl);
+		$php_file = sprintf('files/cache/document_category/%d.php',$module_srl);
 		if(!file_exists($php_file))
 		{
 			$oDocumentController = getController('document');
@@ -856,7 +859,7 @@ class documentModel extends document
 	function getDocumentCategories()
 	{
 		if(!Context::get('is_logged')) throw new Rhymix\Framework\Exceptions\NotPermitted;
-		$module_srl = Context::get('module_srl');
+		$module_srl = intval(Context::get('module_srl'));
 		$categories= $this->getCategoryList($module_srl);
 		$lang = Context::get('lang');
 		// No additional category

modules/editor/editor.controller.php

@@ -523,7 +523,7 @@ class editorController extends editor
 		if($filter_enabled)
 		{
 			$cache_file = $oEditorModel->getCacheFile($filter_enabled, $site_srl);
-			$buff = sprintf('<?php if(!defined("__XE__")) exit(); $component_list = unserialize("%s"); ?>', str_replace('"','\\"',serialize($component_list)));
+			$buff = sprintf('<?php if(!defined("__XE__")) exit(); $component_list = unserialize(%s); ?>', var_export(serialize($component_list), true));
 			FileHandler::writeFile($cache_file, $buff);
 			return $component_list;
 		}
@@ -546,7 +546,7 @@ class editorController extends editor
 		}
 
 		$cache_file = $oEditorModel->getCacheFile($filter_enabled, $site_srl);
-		$buff = sprintf('<?php if(!defined("__XE__")) exit(); $component_list = unserialize("%s"); ?>', str_replace('"','\\"',serialize($component_list)));
+		$buff = sprintf('<?php if(!defined("__XE__")) exit(); $component_list = unserialize(%s); ?>', var_export(serialize($component_list), true));
 		FileHandler::writeFile($cache_file, $buff);
 
 		return $component_list;

modules/editor/editor.model.php

@@ -526,7 +526,7 @@ class editorModel extends editor
 		$lang = Context::getLangType();
 		$cache_path = _XE_PATH_.'files/cache/editor/cache/';
 		FileHandler::makeDir($cache_path);
-		$cache_file = $cache_path.'component_list.' . $lang .'.';
+		$cache_file = $cache_path . 'component_list.' . $lang .'.';
 		if($filter_enabled) $cache_file .= 'filter.';
 		if($site_srl) $cache_file .= $site_srl.'.';
 		$cache_file .= 'php';