Merge branch 'security/rve-2023-3-4' into develop
This commit is contained in:
commit
71e4118bd5
3 changed files with 99 additions and 130 deletions
|
|
@ -31,6 +31,7 @@ class BoardController extends Board
|
|||
$obj = Context::getRequestVars();
|
||||
$obj->module_srl = $this->module_srl;
|
||||
$obj->commentStatus = $obj->comment_status;
|
||||
unset($obj->extra_vars);
|
||||
|
||||
// Remove disallowed Unicode symbols.
|
||||
if ($this->module_info->filter_specialchars !== 'N')
|
||||
|
|
@ -145,6 +146,11 @@ class BoardController extends Board
|
|||
$obj->notify_message = 'N';
|
||||
$obj->email_address = $obj->homepage = $obj->user_id = '';
|
||||
$obj->user_name = $obj->nick_name = $anonymous_name;
|
||||
$obj->member_srl = $logged_info->member_srl * -1;
|
||||
if ($oDocument->isExists())
|
||||
{
|
||||
$oDocument->add('member_srl', $obj->member_srl);
|
||||
}
|
||||
}
|
||||
|
||||
// Update if the document already exists.
|
||||
|
|
@ -168,13 +174,6 @@ class BoardController extends Board
|
|||
// if document status is temp
|
||||
if($oDocument->get('status') == DocumentModel::getConfigStatus('temp'))
|
||||
{
|
||||
// if use anonymous, set the member_srl to a negative number
|
||||
if($this->module_info->use_anonymous == 'Y' && (!$this->grant->manager || ($this->module_info->anonymous_except_admin ?? 'N') !== 'Y'))
|
||||
{
|
||||
$obj->member_srl = abs($oDocument->get('member_srl')) * -1;
|
||||
$oDocument->add('member_srl', $obj->member_srl);
|
||||
}
|
||||
|
||||
// Update list order, date
|
||||
$obj->last_update = $obj->regdate = date('YmdHis');
|
||||
$obj->update_order = $obj->list_order = (getNextSequence() * -1);
|
||||
|
|
@ -229,12 +228,6 @@ class BoardController extends Board
|
|||
// Insert a new document.
|
||||
else
|
||||
{
|
||||
// if use anonymous, set the member_srl to a negative number
|
||||
if($this->module_info->use_anonymous == 'Y' && (!$this->grant->manager || ($this->module_info->anonymous_except_admin ?? 'N') !== 'Y'))
|
||||
{
|
||||
$obj->member_srl = $logged_info->member_srl * -1;
|
||||
}
|
||||
|
||||
// Update list order if document_srl is already assigned
|
||||
if ($obj->document_srl)
|
||||
{
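Review bot: The anonymised `member_srl` pushed into the existing document in the second hunk (`$oDocument->add('member_srl', $obj->member_srl)`) is derived from the current session (`$logged_info->member_srl * -1`), whereas the temp-status block dropped in the third hunk derived it from the stored author (`abs($oDocument->get('member_srl')) * -1`). If anyone other than the author can reach this update path — a manager editing another user's draft, for instance — the document would be re-attributed to the editor's negated srl, and the updated `DocumentController::updateDocument` would then preserve that value as the "original author". Using the stored value whenever the document already exists avoids that: `$obj->member_srl = $oDocument->isExists() ? abs($oDocument->get('member_srl')) * -1 : $logged_info->member_srl * -1;`. The `if` guarding this branch begins above the hunk, so whether it already restricts the path to the author cannot be confirmed from here.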
|
||||
|
|
|
|||
|
|
@ -559,15 +559,37 @@ class CommentController extends Comment
|
|||
}
|
||||
$obj->__isupdate = FALSE;
|
||||
|
||||
// Remove manual member info to prevent forgery. This variable can be set by triggers only.
|
||||
unset($obj->manual_member_info);
|
||||
|
||||
// Sanitize variables
|
||||
$obj->comment_srl = intval($obj->comment_srl);
|
||||
$obj->module_srl = intval($obj->module_srl);
|
||||
$obj->document_srl = intval($obj->document_srl);
|
||||
$obj->parent_srl = intval($obj->parent_srl);
|
||||
|
||||
// Only managers can customize dates.
|
||||
$grant = Context::get('grant');
|
||||
if(!$grant->manager)
|
||||
{
|
||||
unset($obj->regdate);
|
||||
unset($obj->last_update);
|
||||
}
|
||||
|
||||
// Add the current user's info, unless it is a guest post.
|
||||
$logged_info = Context::get('logged_info');
|
||||
if($logged_info->member_srl && !$manual_inserted)
|
||||
{
|
||||
$obj->member_srl = $logged_info->member_srl;
|
||||
$obj->user_id = htmlspecialchars_decode($logged_info->user_id);
|
||||
$obj->user_name = htmlspecialchars_decode($logged_info->user_name);
|
||||
$obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
|
||||
$obj->email_address = $logged_info->email_address;
|
||||
$obj->homepage = $logged_info->homepage;
|
||||
}
|
||||
if(!$logged_info->member_srl && !$manual_inserted)
|
||||
{
|
||||
unset($obj->member_srl);
|
||||
unset($obj->user_id);
|
||||
}
|
||||
|
||||
$obj->uploaded_count = FileModel::getFilesCount($obj->comment_srl);
|
||||
|
||||
// call a trigger (before)
|
||||
|
|
@ -594,7 +616,6 @@ class CommentController extends Comment
|
|||
if(!$manual_inserted)
|
||||
{
|
||||
$oDocument = DocumentModel::getDocument($document_srl);
|
||||
|
||||
if($document_srl != $oDocument->document_srl)
|
||||
{
|
||||
return new BaseObject(-1, 'msg_invalid_document');
|
||||
|
|
@ -603,29 +624,6 @@ class CommentController extends Comment
|
|||
{
|
||||
return new BaseObject(-1, 'msg_invalid_request');
|
||||
}
|
||||
|
||||
if($obj->homepage)
|
||||
{
|
||||
$obj->homepage = escape($obj->homepage);
|
||||
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
||||
{
|
||||
$obj->homepage = 'http://'.$obj->homepage;
|
||||
}
|
||||
}
|
||||
|
||||
// input the member's information if logged-in
|
||||
$logged_info = Context::get('logged_info');
|
||||
if(Context::get('is_logged') && !$obj->manual_member_info)
|
||||
{
|
||||
$obj->member_srl = $logged_info->member_srl;
|
||||
|
||||
// user_id, user_name and nick_name already encoded
|
||||
$obj->user_id = htmlspecialchars_decode($logged_info->user_id);
|
||||
$obj->user_name = htmlspecialchars_decode($logged_info->user_name);
|
||||
$obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
|
||||
$obj->email_address = $logged_info->email_address;
|
||||
$obj->homepage = $logged_info->homepage;
|
||||
}
|
||||
}
|
||||
|
||||
// error display if neither of log-in info and user name exist.
|
||||
|
|
@ -634,6 +632,16 @@ class CommentController extends Comment
|
|||
return new BaseObject(-1, 'msg_invalid_request');
|
||||
}
|
||||
|
||||
// Clean up the homepage link, if any
|
||||
if($obj->homepage)
|
||||
{
|
||||
$obj->homepage = escape($obj->homepage);
|
||||
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
||||
{
|
||||
$obj->homepage = 'http://'.$obj->homepage;
|
||||
}
|
||||
}
|
||||
|
||||
if(!$obj->comment_srl)
|
||||
{
|
||||
$obj->comment_srl = getNextSequence();
|
||||
|
|
@ -661,11 +669,6 @@ class CommentController extends Comment
|
|||
$obj->content = getModel('editor')->converter($obj, 'comment');
|
||||
}
|
||||
|
||||
if(!$obj->regdate)
|
||||
{
|
||||
$obj->regdate = date("YmdHis");
|
||||
}
|
||||
|
||||
// remove iframe and script if not a top administrator on the session.
|
||||
if($logged_info->is_admin != 'Y')
|
||||
{
|
||||
|
|
@ -673,12 +676,12 @@ class CommentController extends Comment
|
|||
}
|
||||
$obj->content = utf8_mbencode($obj->content);
|
||||
|
||||
if(!$obj->notify_message)
|
||||
if (isset($obj->notify_message) && $obj->notify_message !== 'Y')
|
||||
{
|
||||
$obj->notify_message = 'N';
|
||||
}
|
||||
|
||||
if(!$obj->is_secret)
|
||||
if (isset($obj->is_secret) && $obj->is_secret !== 'Y')
|
||||
{
|
||||
$obj->is_secret = 'N';
|
||||
}
|
||||
|
|
@ -935,15 +938,29 @@ class CommentController extends Comment
|
|||
|
||||
$obj->__isupdate = TRUE;
|
||||
|
||||
// Remove manual member info to prevent forgery. This variable can be set by triggers only.
|
||||
unset($obj->manual_member_info);
|
||||
|
||||
// Sanitize variables
|
||||
$obj->comment_srl = intval($obj->comment_srl);
|
||||
$obj->module_srl = intval($obj->module_srl);
|
||||
$obj->document_srl = intval($obj->document_srl);
|
||||
$obj->parent_srl = intval($obj->parent_srl);
|
||||
|
||||
// Preserve original author info.
|
||||
$source_obj = CommentModel::getComment($obj->comment_srl);
|
||||
if ($source_obj->get('member_srl'))
|
||||
{
|
||||
$obj->member_srl = $source_obj->get('member_srl');
|
||||
$obj->user_id = $source_obj->get('user_id');
|
||||
$obj->user_name = $source_obj->get('user_name');
|
||||
$obj->nick_name = $source_obj->get('nick_name');
|
||||
$obj->email_address = $source_obj->get('email_address');
|
||||
$obj->homepage = $source_obj->get('homepage');
|
||||
}
|
||||
else
|
||||
{
|
||||
unset($obj->member_srl);
|
||||
unset($obj->user_id);
|
||||
}
|
||||
|
||||
$obj->uploaded_count = FileModel::getFilesCount($obj->comment_srl);
|
||||
|
||||
// call a trigger (before)
|
||||
|
|
@ -953,17 +970,6 @@ class CommentController extends Comment
|
|||
return $output;
|
||||
}
|
||||
|
||||
// get the original data
|
||||
$source_obj = CommentModel::getComment($obj->comment_srl);
|
||||
if(!$source_obj->getMemberSrl())
|
||||
{
|
||||
$obj->member_srl = $source_obj->get('member_srl');
|
||||
$obj->user_name = $source_obj->get('user_name');
|
||||
$obj->nick_name = $source_obj->get('nick_name');
|
||||
$obj->email_address = $source_obj->get('email_address');
|
||||
$obj->homepage = $source_obj->get('homepage');
|
||||
}
|
||||
|
||||
// check if permission is granted
|
||||
if(!$is_admin && !$source_obj->isGranted())
|
||||
{
|
||||
|
|
@ -984,30 +990,6 @@ class CommentController extends Comment
|
|||
}
|
||||
}
|
||||
|
||||
// set modifier's information if logged-in and posting author and modifier are matched.
|
||||
$logged_info = Context::get('logged_info');
|
||||
if(Context::get('is_logged') && !$obj->manual_member_info)
|
||||
{
|
||||
if($source_obj->member_srl == $logged_info->member_srl)
|
||||
{
|
||||
$obj->member_srl = $logged_info->member_srl;
|
||||
$obj->user_name = $logged_info->user_name;
|
||||
$obj->nick_name = $logged_info->nick_name;
|
||||
$obj->email_address = $logged_info->email_address;
|
||||
$obj->homepage = $logged_info->homepage;
|
||||
}
|
||||
}
|
||||
|
||||
// if nick_name of the logged-in author doesn't exist
|
||||
if($source_obj->get('member_srl') && !$obj->nick_name && !$obj->manual_member_info)
|
||||
{
|
||||
$obj->member_srl = $source_obj->get('member_srl');
|
||||
$obj->user_name = $source_obj->get('user_name');
|
||||
$obj->nick_name = $source_obj->get('nick_name');
|
||||
$obj->email_address = $source_obj->get('email_address');
|
||||
$obj->homepage = $source_obj->get('homepage');
|
||||
}
|
||||
|
||||
if(!$obj->content)
|
||||
{
|
||||
$obj->content = $source_obj->get('content');
|
||||
|
|
@ -1028,6 +1010,7 @@ class CommentController extends Comment
|
|||
}
|
||||
|
||||
// remove iframe and script if not a top administrator on the session
|
||||
$logged_info = Context::get('logged_info');
|
||||
if($logged_info->is_admin != 'Y')
|
||||
{
|
||||
$obj->content = removeHackTag($obj->content);
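Review bot: The homepage normaliser relocated in the `-634,6 +632,16` hunk accepts any scheme followed by `://`, so a value such as `javascript://…` or `data://…` passes `preg_match('/^[a-z]+:\/\//i', …)` untouched, and `escape()` does not neutralise a scheme; if `homepage` is later emitted as a link target this is an XSS/open-redirect foothold for guest comments. Since the commit moves this block so it now runs for manual inserts as well, it is the right place to tighten it to an allow-list, e.g. `if(!preg_match('/^(https?|ftp):\/\//i', $obj->homepage))`, or to blank the value when an unexpected scheme is present. Member homepages are copied from `$logged_info` a few lines earlier, so the equivalent check on the profile side should be confirmed too. `insertComment` begins and ends outside this hunk.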
|
||||
|
|
|
|||
|
|
@ -646,6 +646,8 @@ class DocumentController extends Document
|
|||
if(!$grant->manager)
|
||||
{
|
||||
unset($obj->regdate);
|
||||
unset($obj->last_update);
|
||||
unset($obj->last_updater);
|
||||
}
|
||||
|
||||
// Serialize the $extra_vars, check the extra_vars type, because duplicate serialized avoid
|
||||
|
|
@ -664,8 +666,22 @@ class DocumentController extends Document
|
|||
unset($obj->_saved_doc_content);
|
||||
unset($obj->_saved_doc_message);
|
||||
|
||||
// Remove manual member info to prevent forgery. This variable can be set by triggers only.
|
||||
unset($obj->manual_member_info);
|
||||
// Add the current user's info, unless it is a guest post
|
||||
$logged_info = Context::get('logged_info');
|
||||
if($logged_info->member_srl && !$manual_inserted && !$isRestore)
|
||||
{
|
||||
$obj->member_srl = $logged_info->member_srl;
|
||||
$obj->user_id = htmlspecialchars_decode($logged_info->user_id);
|
||||
$obj->user_name = htmlspecialchars_decode($logged_info->user_name);
|
||||
$obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
|
||||
$obj->email_address = $logged_info->email_address;
|
||||
$obj->homepage = $logged_info->homepage;
|
||||
}
|
||||
if(!$logged_info->member_srl && !$manual_inserted && !$isRestore)
|
||||
{
|
||||
unset($obj->member_srl);
|
||||
unset($obj->user_id);
|
||||
}
|
||||
|
||||
$obj->uploaded_count = FileModel::getFilesCount($obj->document_srl);
|
||||
|
||||
|
|
@ -717,20 +733,6 @@ class DocumentController extends Document
|
|||
$obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm());
|
||||
}
|
||||
|
||||
// Insert member's information only if the member is logged-in and not manually registered.
|
||||
$logged_info = Context::get('logged_info');
|
||||
if(Context::get('is_logged') && !$manual_inserted && !$isRestore && !$obj->manual_member_info)
|
||||
{
|
||||
$obj->member_srl = $logged_info->member_srl;
|
||||
|
||||
// user_id, user_name and nick_name already encoded
|
||||
$obj->user_id = htmlspecialchars_decode($logged_info->user_id);
|
||||
$obj->user_name = htmlspecialchars_decode($logged_info->user_name);
|
||||
$obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
|
||||
$obj->email_address = $logged_info->email_address;
|
||||
$obj->homepage = $logged_info->homepage;
|
||||
}
|
||||
|
||||
// If the tile is empty, extract string from the contents.
|
||||
$obj->title = escape($obj->title, false);
|
||||
if($obj->title == '')
|
||||
|
|
@ -900,8 +902,22 @@ class DocumentController extends Document
|
|||
$this->_checkDocumentStatusForOldVersion($obj);
|
||||
}
|
||||
|
||||
// Remove manual member info to prevent forgery. This variable can be set by triggers only.
|
||||
unset($obj->manual_member_info);
|
||||
// Preserve original author info.
|
||||
if ($source_obj->get('member_srl'))
|
||||
{
|
||||
$obj->member_srl = $source_obj->get('member_srl');
|
||||
$obj->user_id = $source_obj->get('user_id');
|
||||
$obj->user_name = $source_obj->get('user_name');
|
||||
$obj->nick_name = $source_obj->get('nick_name');
|
||||
$obj->email_address = $source_obj->get('email_address');
|
||||
$obj->homepage = $source_obj->get('homepage');
|
||||
$obj->ipaddress = $source_obj->get('ipaddress');
|
||||
}
|
||||
else
|
||||
{
|
||||
unset($obj->member_srl);
|
||||
unset($obj->user_id);
|
||||
}
|
||||
|
||||
$obj->uploaded_count = FileModel::getFilesCount($obj->document_srl);
|
||||
|
||||
|
|
@ -947,6 +963,8 @@ class DocumentController extends Document
|
|||
if(!$grant->manager)
|
||||
{
|
||||
unset($obj->regdate);
|
||||
unset($obj->last_update);
|
||||
unset($obj->list_order);
|
||||
}
|
||||
|
||||
// Serialize the $extra_vars
|
||||
|
|
@ -990,29 +1008,6 @@ class DocumentController extends Document
|
|||
$obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm());
|
||||
}
|
||||
|
||||
// If an author is identical to the modifier or history is used, use the logged-in user's information.
|
||||
if(Context::get('is_logged') && !$manual_updated && !$obj->manual_member_info)
|
||||
{
|
||||
if($source_obj->get('member_srl')==$logged_info->member_srl)
|
||||
{
|
||||
$obj->member_srl = $logged_info->member_srl;
|
||||
$obj->user_name = htmlspecialchars_decode($logged_info->user_name);
|
||||
$obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
|
||||
$obj->email_address = $logged_info->email_address;
|
||||
$obj->homepage = $logged_info->homepage;
|
||||
}
|
||||
}
|
||||
|
||||
// For the document written by logged-in user however no nick_name exists
|
||||
if($source_obj->get('member_srl')&& !$obj->nick_name && !$obj->manual_member_info)
|
||||
{
|
||||
$obj->member_srl = $source_obj->get('member_srl');
|
||||
$obj->user_name = $source_obj->get('user_name');
|
||||
$obj->nick_name = $source_obj->get('nick_name');
|
||||
$obj->email_address = $source_obj->get('email_address');
|
||||
$obj->homepage = $source_obj->get('homepage');
|
||||
}
|
||||
|
||||
// If the tile is empty, extract string from the contents.
|
||||
$obj->title = escape($obj->title, false);
|
||||
if($obj->title == '')
|
||||
|
|
@ -1068,10 +1063,6 @@ class DocumentController extends Document
|
|||
$args->ipaddress = $source_obj->get('ipaddress');
|
||||
$output = executeQuery("document.insertHistory", $args);
|
||||
}
|
||||
else
|
||||
{
|
||||
$obj->ipaddress = $source_obj->get('ipaddress');
|
||||
}
|
||||
|
||||
// Set lang_code if the original document doesn't have it.
|
||||
if (!$source_obj->get('lang_code'))
|
||||
|
|
@ -3405,6 +3396,8 @@ Content;
|
|||
$obj = Context::getRequestVars();
|
||||
$obj->module_srl = $this->module_srl;
|
||||
$obj->status = $this->getConfigStatus('temp');
|
||||
$obj->list_order = $obj->update_order = 0;
|
||||
unset($obj->extra_vars);
|
||||
|
||||
// unset document style if not manager
|
||||
if(!$this->grant->manager)
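Review bot: The `-900,8 +902,22` hunk now copies `ipaddress` from `$source_obj` on every update of a member-authored document (`$obj->ipaddress = $source_obj->get('ipaddress');`), while the `else` branch removed in the `-1068,10 +1063,6` hunk only did so when no history row was written — in the history-enabled path the document previously kept the editor's address. The visible `$args->ipaddress = $source_obj->get('ipaddress')` in the history branch stores the archived version's IP, so unless the editor's address is logged elsewhere it now appears nowhere; if it is needed for accountability, keep the copy only on the non-history path or record the editor's IP on the history row, and add a comment such as `// Keep the original author's IP on the document; the editor's IP is recorded in the history row` only once that holds. Note also that the `if ($source_obj->get('member_srl'))` guard leaves a guest-authored document's `ipaddress` to whatever the request or earlier code set, which deserves a one-line comment stating it is intended. `updateDocument` begins and ends outside this hunk.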
|
||||
|
|
|
|||