fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-04 17:21:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

Move some security measures from ModuleHandler to Context

Browse source
This commit is contained in:
Kijin Sung 2020-06-17 22:31:22 +09:00
parent b5740052fc
commit 85c2f87f13
2 changed files with 9 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

10
classes/context/Context.class.php
View file

@ -1439,7 +1439,15 @@ class Context
{
$_val = (int)$_val;
}
elseif(in_array($key, array('mid', 'vid', 'search_target', 'search_keyword', 'xe_validator_id')) || $_SERVER['REQUEST_METHOD'] === 'GET')
elseif(in_array($key, array('mid', 'vid', 'act', 'module')))
{
$_val = preg_match('/^[a-zA-Z0-9_-]+$/', $_val) ? $_val : null;
if($_val === null)
{
self::$_instance->security_check = 'DENY ALL';
}
}
elseif(in_array($key, array('search_target', 'search_keyword', 'xe_validator_id')) || $_SERVER['REQUEST_METHOD'] === 'GET')
{
$_val = escape($_val, false);
if(ends_with('url', $key, false))

20
classes/module/ModuleHandler.class.php
View file

@ -94,26 +94,6 @@ class ModuleHandler extends Handler
Context::set('mid', $this->mid = null);
}
// Validate variables to prevent XSS
$isInvalid = false;
if($this->module && !preg_match('/^[a-zA-Z0-9_-]+$/', $this->module))
{
$isInvalid = true;
}
if($this->mid && !preg_match('/^[a-zA-Z0-9_-]+$/', $this->mid))
{
$isInvalid = true;
}
if($this->act && !preg_match('/^[a-zA-Z0-9_-]+$/', $this->act))
{
$isInvalid = true;
}
if($isInvalid)
{
$this->error = 'msg_security_violation';
return;
}
// call a trigger before moduleHandler init
self::triggerCall('moduleHandler.init', 'before', $this);