fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-07 10:41:40 +09:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'security/rve-2023-3-4' into develop

Browse source
This commit is contained in:
Kijin Sung 2023-09-13 11:02:59 +09:00
commit 71e4118bd5
3 changed files with 99 additions and 130 deletions
Download patch file Download diff file Expand all files Collapse all files

19
modules/board/board.controller.php
View file

@ -31,6 +31,7 @@ class BoardController extends Board
$obj = Context::getRequestVars(); $obj = Context::getRequestVars();
$obj->module_srl = $this->module_srl; $obj->module_srl = $this->module_srl;
$obj->commentStatus = $obj->comment_status; $obj->commentStatus = $obj->comment_status;
unset($obj->extra_vars);
// Remove disallowed Unicode symbols. // Remove disallowed Unicode symbols.
if ($this->module_info->filter_specialchars !== 'N') if ($this->module_info->filter_specialchars !== 'N')
@ -145,6 +146,11 @@ class BoardController extends Board
$obj->notify_message = 'N'; $obj->notify_message = 'N';
$obj->email_address = $obj->homepage = $obj->user_id = ''; $obj->email_address = $obj->homepage = $obj->user_id = '';
$obj->user_name = $obj->nick_name = $anonymous_name; $obj->user_name = $obj->nick_name = $anonymous_name;
$obj->member_srl = $logged_info->member_srl * -1;
if ($oDocument->isExists())
{
$oDocument->add('member_srl', $obj->member_srl);
}
} }
// Update if the document already exists. // Update if the document already exists.
@ -168,13 +174,6 @@ class BoardController extends Board
// if document status is temp // if document status is temp
if($oDocument->get('status') == DocumentModel::getConfigStatus('temp')) if($oDocument->get('status') == DocumentModel::getConfigStatus('temp'))
{ {
// if use anonymous, set the member_srl to a negative number
if($this->module_info->use_anonymous == 'Y' && (!$this->grant->manager || ($this->module_info->anonymous_except_admin ?? 'N') !== 'Y'))
{
$obj->member_srl = abs($oDocument->get('member_srl')) * -1;
$oDocument->add('member_srl', $obj->member_srl);
}
// Update list order, date // Update list order, date
$obj->last_update = $obj->regdate = date('YmdHis'); $obj->last_update = $obj->regdate = date('YmdHis');
$obj->update_order = $obj->list_order = (getNextSequence() * -1); $obj->update_order = $obj->list_order = (getNextSequence() * -1);
@ -229,12 +228,6 @@ class BoardController extends Board
// Insert a new document. // Insert a new document.
else else
{ {
// if use anonymous, set the member_srl to a negative number
if($this->module_info->use_anonymous == 'Y' && (!$this->grant->manager || ($this->module_info->anonymous_except_admin ?? 'N') !== 'Y'))
{
$obj->member_srl = $logged_info->member_srl * -1;
}
// Update list order if document_srl is already assigned // Update list order if document_srl is already assigned
if ($obj->document_srl) if ($obj->document_srl)
{ {

127
modules/comment/comment.controller.php
View file

@ -559,15 +559,37 @@ class CommentController extends Comment
} }
$obj->__isupdate = FALSE; $obj->__isupdate = FALSE;
// Remove manual member info to prevent forgery. This variable can be set by triggers only.
unset($obj->manual_member_info);
// Sanitize variables // Sanitize variables
$obj->comment_srl = intval($obj->comment_srl); $obj->comment_srl = intval($obj->comment_srl);
$obj->module_srl = intval($obj->module_srl); $obj->module_srl = intval($obj->module_srl);
$obj->document_srl = intval($obj->document_srl); $obj->document_srl = intval($obj->document_srl);
$obj->parent_srl = intval($obj->parent_srl); $obj->parent_srl = intval($obj->parent_srl);
// Only managers can customize dates.
$grant = Context::get('grant');
if(!$grant->manager)
{
unset($obj->regdate);
unset($obj->last_update);
}
// Add the current user's info, unless it is a guest post.
$logged_info = Context::get('logged_info');
if($logged_info->member_srl && !$manual_inserted)
{
$obj->member_srl = $logged_info->member_srl;
$obj->user_id = htmlspecialchars_decode($logged_info->user_id);
$obj->user_name = htmlspecialchars_decode($logged_info->user_name);
$obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
$obj->email_address = $logged_info->email_address;
$obj->homepage = $logged_info->homepage;
}
if(!$logged_info->member_srl && !$manual_inserted)
{
unset($obj->member_srl);
unset($obj->user_id);
}
$obj->uploaded_count = FileModel::getFilesCount($obj->comment_srl); $obj->uploaded_count = FileModel::getFilesCount($obj->comment_srl);
// call a trigger (before) // call a trigger (before)
@ -594,7 +616,6 @@ class CommentController extends Comment
if(!$manual_inserted) if(!$manual_inserted)
{ {
$oDocument = DocumentModel::getDocument($document_srl); $oDocument = DocumentModel::getDocument($document_srl);
if($document_srl != $oDocument->document_srl) if($document_srl != $oDocument->document_srl)
{ {
return new BaseObject(-1, 'msg_invalid_document'); return new BaseObject(-1, 'msg_invalid_document');
@ -603,29 +624,6 @@ class CommentController extends Comment
{ {
return new BaseObject(-1, 'msg_invalid_request'); return new BaseObject(-1, 'msg_invalid_request');
} }
if($obj->homepage)
{
$obj->homepage = escape($obj->homepage);
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
{
$obj->homepage = 'http://'.$obj->homepage;
}
}
// input the member's information if logged-in
$logged_info = Context::get('logged_info');
if(Context::get('is_logged') && !$obj->manual_member_info)
{
$obj->member_srl = $logged_info->member_srl;
// user_id, user_name and nick_name already encoded
$obj->user_id = htmlspecialchars_decode($logged_info->user_id);
$obj->user_name = htmlspecialchars_decode($logged_info->user_name);
$obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
$obj->email_address = $logged_info->email_address;
$obj->homepage = $logged_info->homepage;
}
} }
// error display if neither of log-in info and user name exist. // error display if neither of log-in info and user name exist.
@ -634,6 +632,16 @@ class CommentController extends Comment
return new BaseObject(-1, 'msg_invalid_request'); return new BaseObject(-1, 'msg_invalid_request');
} }
// Clean up the homepage link, if any
if($obj->homepage)
{
$obj->homepage = escape($obj->homepage);
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
{
$obj->homepage = 'http://'.$obj->homepage;
}
}
if(!$obj->comment_srl) if(!$obj->comment_srl)
{ {
$obj->comment_srl = getNextSequence(); $obj->comment_srl = getNextSequence();
@ -661,11 +669,6 @@ class CommentController extends Comment
$obj->content = getModel('editor')->converter($obj, 'comment'); $obj->content = getModel('editor')->converter($obj, 'comment');
} }
if(!$obj->regdate)
{
$obj->regdate = date("YmdHis");
}
// remove iframe and script if not a top administrator on the session. // remove iframe and script if not a top administrator on the session.
if($logged_info->is_admin != 'Y') if($logged_info->is_admin != 'Y')
{ {
@ -673,12 +676,12 @@ class CommentController extends Comment
} }
$obj->content = utf8_mbencode($obj->content); $obj->content = utf8_mbencode($obj->content);
if(!$obj->notify_message) if (isset($obj->notify_message) && $obj->notify_message !== 'Y')
{ {
$obj->notify_message = 'N'; $obj->notify_message = 'N';
} }
if(!$obj->is_secret) if (isset($obj->is_secret) && $obj->is_secret !== 'Y')
{ {
$obj->is_secret = 'N'; $obj->is_secret = 'N';
} }
@ -935,15 +938,29 @@ class CommentController extends Comment
$obj->__isupdate = TRUE; $obj->__isupdate = TRUE;
// Remove manual member info to prevent forgery. This variable can be set by triggers only.
unset($obj->manual_member_info);
// Sanitize variables // Sanitize variables
$obj->comment_srl = intval($obj->comment_srl); $obj->comment_srl = intval($obj->comment_srl);
$obj->module_srl = intval($obj->module_srl); $obj->module_srl = intval($obj->module_srl);
$obj->document_srl = intval($obj->document_srl); $obj->document_srl = intval($obj->document_srl);
$obj->parent_srl = intval($obj->parent_srl); $obj->parent_srl = intval($obj->parent_srl);
// Preserve original author info.
$source_obj = CommentModel::getComment($obj->comment_srl);
if ($source_obj->get('member_srl'))
{
$obj->member_srl = $source_obj->get('member_srl');
$obj->user_id = $source_obj->get('user_id');
$obj->user_name = $source_obj->get('user_name');
$obj->nick_name = $source_obj->get('nick_name');
$obj->email_address = $source_obj->get('email_address');
$obj->homepage = $source_obj->get('homepage');
}
else
{
unset($obj->member_srl);
unset($obj->user_id);
}
$obj->uploaded_count = FileModel::getFilesCount($obj->comment_srl); $obj->uploaded_count = FileModel::getFilesCount($obj->comment_srl);
// call a trigger (before) // call a trigger (before)
@ -953,17 +970,6 @@ class CommentController extends Comment
return $output; return $output;
} }
// get the original data
$source_obj = CommentModel::getComment($obj->comment_srl);
if(!$source_obj->getMemberSrl())
{
$obj->member_srl = $source_obj->get('member_srl');
$obj->user_name = $source_obj->get('user_name');
$obj->nick_name = $source_obj->get('nick_name');
$obj->email_address = $source_obj->get('email_address');
$obj->homepage = $source_obj->get('homepage');
}
// check if permission is granted // check if permission is granted
if(!$is_admin && !$source_obj->isGranted()) if(!$is_admin && !$source_obj->isGranted())
{ {
@ -984,30 +990,6 @@ class CommentController extends Comment
} }
} }
// set modifier's information if logged-in and posting author and modifier are matched.
$logged_info = Context::get('logged_info');
if(Context::get('is_logged') && !$obj->manual_member_info)
{
if($source_obj->member_srl == $logged_info->member_srl)
{
$obj->member_srl = $logged_info->member_srl;
$obj->user_name = $logged_info->user_name;
$obj->nick_name = $logged_info->nick_name;
$obj->email_address = $logged_info->email_address;
$obj->homepage = $logged_info->homepage;
}
}
// if nick_name of the logged-in author doesn't exist
if($source_obj->get('member_srl') && !$obj->nick_name && !$obj->manual_member_info)
{
$obj->member_srl = $source_obj->get('member_srl');
$obj->user_name = $source_obj->get('user_name');
$obj->nick_name = $source_obj->get('nick_name');
$obj->email_address = $source_obj->get('email_address');
$obj->homepage = $source_obj->get('homepage');
}
if(!$obj->content) if(!$obj->content)
{ {
$obj->content = $source_obj->get('content'); $obj->content = $source_obj->get('content');
@ -1028,6 +1010,7 @@ class CommentController extends Comment
} }
// remove iframe and script if not a top administrator on the session // remove iframe and script if not a top administrator on the session
$logged_info = Context::get('logged_info');
if($logged_info->is_admin != 'Y') if($logged_info->is_admin != 'Y')
{ {
$obj->content = removeHackTag($obj->content); $obj->content = removeHackTag($obj->content);

83
modules/document/document.controller.php
View file

@ -646,6 +646,8 @@ class DocumentController extends Document
if(!$grant->manager) if(!$grant->manager)
{ {
unset($obj->regdate); unset($obj->regdate);
unset($obj->last_update);
unset($obj->last_updater);
} }
// Serialize the $extra_vars, check the extra_vars type, because duplicate serialized avoid // Serialize the $extra_vars, check the extra_vars type, because duplicate serialized avoid
@ -664,8 +666,22 @@ class DocumentController extends Document
unset($obj->_saved_doc_content); unset($obj->_saved_doc_content);
unset($obj->_saved_doc_message); unset($obj->_saved_doc_message);
// Remove manual member info to prevent forgery. This variable can be set by triggers only. // Add the current user's info, unless it is a guest post
unset($obj->manual_member_info); $logged_info = Context::get('logged_info');
if($logged_info->member_srl && !$manual_inserted && !$isRestore)
{
$obj->member_srl = $logged_info->member_srl;
$obj->user_id = htmlspecialchars_decode($logged_info->user_id);
$obj->user_name = htmlspecialchars_decode($logged_info->user_name);
$obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
$obj->email_address = $logged_info->email_address;
$obj->homepage = $logged_info->homepage;
}
if(!$logged_info->member_srl && !$manual_inserted && !$isRestore)
{
unset($obj->member_srl);
unset($obj->user_id);
}
$obj->uploaded_count = FileModel::getFilesCount($obj->document_srl); $obj->uploaded_count = FileModel::getFilesCount($obj->document_srl);
@ -717,20 +733,6 @@ class DocumentController extends Document
$obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm()); $obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm());
} }
// Insert member's information only if the member is logged-in and not manually registered.
$logged_info = Context::get('logged_info');
if(Context::get('is_logged') && !$manual_inserted && !$isRestore && !$obj->manual_member_info)
{
$obj->member_srl = $logged_info->member_srl;
// user_id, user_name and nick_name already encoded
$obj->user_id = htmlspecialchars_decode($logged_info->user_id);
$obj->user_name = htmlspecialchars_decode($logged_info->user_name);
$obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
$obj->email_address = $logged_info->email_address;
$obj->homepage = $logged_info->homepage;
}
// If the tile is empty, extract string from the contents. // If the tile is empty, extract string from the contents.
$obj->title = escape($obj->title, false); $obj->title = escape($obj->title, false);
if($obj->title == '') if($obj->title == '')
@ -900,8 +902,22 @@ class DocumentController extends Document
$this->_checkDocumentStatusForOldVersion($obj); $this->_checkDocumentStatusForOldVersion($obj);
} }
// Remove manual member info to prevent forgery. This variable can be set by triggers only. // Preserve original author info.
unset($obj->manual_member_info); if ($source_obj->get('member_srl'))
{
$obj->member_srl = $source_obj->get('member_srl');
$obj->user_id = $source_obj->get('user_id');
$obj->user_name = $source_obj->get('user_name');
$obj->nick_name = $source_obj->get('nick_name');
$obj->email_address = $source_obj->get('email_address');
$obj->homepage = $source_obj->get('homepage');
$obj->ipaddress = $source_obj->get('ipaddress');
}
else
{
unset($obj->member_srl);
unset($obj->user_id);
}
$obj->uploaded_count = FileModel::getFilesCount($obj->document_srl); $obj->uploaded_count = FileModel::getFilesCount($obj->document_srl);
@ -947,6 +963,8 @@ class DocumentController extends Document
if(!$grant->manager) if(!$grant->manager)
{ {
unset($obj->regdate); unset($obj->regdate);
unset($obj->last_update);
unset($obj->list_order);
} }
// Serialize the $extra_vars // Serialize the $extra_vars
@ -990,29 +1008,6 @@ class DocumentController extends Document
$obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm()); $obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm());
} }
// If an author is identical to the modifier or history is used, use the logged-in user's information.
if(Context::get('is_logged') && !$manual_updated && !$obj->manual_member_info)
{
if($source_obj->get('member_srl')==$logged_info->member_srl)
{
$obj->member_srl = $logged_info->member_srl;
$obj->user_name = htmlspecialchars_decode($logged_info->user_name);
$obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
$obj->email_address = $logged_info->email_address;
$obj->homepage = $logged_info->homepage;
}
}
// For the document written by logged-in user however no nick_name exists
if($source_obj->get('member_srl')&& !$obj->nick_name && !$obj->manual_member_info)
{
$obj->member_srl = $source_obj->get('member_srl');
$obj->user_name = $source_obj->get('user_name');
$obj->nick_name = $source_obj->get('nick_name');
$obj->email_address = $source_obj->get('email_address');
$obj->homepage = $source_obj->get('homepage');
}
// If the tile is empty, extract string from the contents. // If the tile is empty, extract string from the contents.
$obj->title = escape($obj->title, false); $obj->title = escape($obj->title, false);
if($obj->title == '') if($obj->title == '')
@ -1068,10 +1063,6 @@ class DocumentController extends Document
$args->ipaddress = $source_obj->get('ipaddress'); $args->ipaddress = $source_obj->get('ipaddress');
$output = executeQuery("document.insertHistory", $args); $output = executeQuery("document.insertHistory", $args);
} }
else
{
$obj->ipaddress = $source_obj->get('ipaddress');
}
// Set lang_code if the original document doesn't have it. // Set lang_code if the original document doesn't have it.
if (!$source_obj->get('lang_code')) if (!$source_obj->get('lang_code'))
@ -3405,6 +3396,8 @@ Content;
$obj = Context::getRequestVars(); $obj = Context::getRequestVars();
$obj->module_srl = $this->module_srl; $obj->module_srl = $this->module_srl;
$obj->status = $this->getConfigStatus('temp'); $obj->status = $this->getConfigStatus('temp');
$obj->list_order = $obj->update_order = 0;
unset($obj->extra_vars);
// unset document style if not manager // unset document style if not manager
if(!$this->grant->manager) if(!$this->grant->manager)