Merge pull request #134 from conory/pr/check_csrf_property

특성 act에서는 CSRF 체크를 하지않도록 속성추가

classes/module/ModuleHandler.class.php

@@ -402,24 +402,29 @@ class ModuleHandler extends Handler
 				return $oMessageObject;
 			}
 		}
-
+		
+		// check CSRF for POST actions
+		if(Context::getRequestMethod() === 'POST' && Context::isInstalled())
+		{
+			if($xml_info->action->{$this->act} && $xml_info->action->{$this->act}->check_csrf !== 'false' && !checkCSRF())
+			{
+				$this->_setInputErrorToContext();
+				$this->error = 'msg_invalid_request';
+				$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
+				$oMessageObject->setError(-1);
+				$oMessageObject->setMessage($this->error);
+				$oMessageObject->dispMessage();
+				return $oMessageObject;
+			}
+		}
+		
 		if($this->module_info->use_mobile != "Y")
 		{
 			Mobile::setMobile(FALSE);
 		}
 
 		$logged_info = Context::get('logged_info');
-
-		// check CSRF for POST actions
-		if(Context::getRequestMethod() === 'POST' && Context::isInstalled() && $this->act !== 'procFileUpload' && !checkCSRF()) {
-			$this->error = 'msg_invalid_request';
-			$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
-			$oMessageObject->setError(-1);
-			$oMessageObject->setMessage($this->error);
-			$oMessageObject->dispMessage();
-			return $oMessageObject;
-		}
-
+		
 		// Admin ip
 		if($kind == 'admin' && $_SESSION['denied_admin'] == 'Y')
 		{
@@ -552,7 +557,22 @@ class ModuleHandler extends Handler
 						return $oMessageObject;
 					}
 				}
-
+				
+				// check CSRF for POST actions
+				if(Context::getRequestMethod() === 'POST' && Context::isInstalled())
+				{
+					if($xml_info->action->{$this->act} && $xml_info->action->{$this->act}->check_csrf !== 'false' && !checkCSRF())
+					{
+						$this->_setInputErrorToContext();
+						$this->error = 'msg_invalid_request';
+						$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
+						$oMessageObject->setError(-1);
+						$oMessageObject->setMessage($this->error);
+						$oMessageObject->dispMessage();
+						return $oMessageObject;
+					}
+				}
+				
 				if($type == "view" && Mobile::isFromMobilePhone())
 				{
 					$orig_type = "view";

modules/file/conf/module.xml

@@ -8,7 +8,7 @@
         <action name="dispFileAdminList" type="view" admin_index="true" menu_name="file" menu_index="true" />
         <action name="dispFileAdminConfig" type="view" menu_name="fileUpload" menu_index="true" />
         <action name="getFileList" type="model" />
-        <action name="procFileUpload" type="controller" />
+        <action name="procFileUpload" type="controller" check_csrf="false" />
         <action name="procFileIframeUpload" type="controller" />
         <action name="procFileImageResize" type="controller" ruleset="imageResize" />
         <action name="procFileDelete" type="controller" />

modules/module/module.model.php

@@ -934,6 +934,7 @@ class moduleModel extends module
 					$standalone = $action->attrs->standalone=='false'?'false':'true';
 					$ruleset = $action->attrs->ruleset?$action->attrs->ruleset:'';
 					$method = $action->attrs->method?$action->attrs->method:'';
+					$check_csrf = $action->attrs->check_csrf=='false'?'false':'true';
 
 					$index = $action->attrs->index;
 					$admin_index = $action->attrs->admin_index;
@@ -947,6 +948,7 @@ class moduleModel extends module
 					$info->action->{$name}->standalone = $standalone;
 					$info->action->{$name}->ruleset = $ruleset;
 					$info->action->{$name}->method = $method;
+					$info->action->{$name}->check_csrf = $check_csrf;
 					if($action->attrs->menu_name)
 					{
 						if($menu_index == 'true')
@@ -970,6 +972,7 @@ class moduleModel extends module
 					$buff[] = sprintf('$info->action->%s->standalone=\'%s\';', $name, $standalone);
 					$buff[] = sprintf('$info->action->%s->ruleset=\'%s\';', $name, $ruleset);
 					$buff[] = sprintf('$info->action->%s->method=\'%s\';', $name, $method);
+					$buff[] = sprintf('$info->action->%s->check_csrf=\'%s\';', $name, $check_csrf);
 
 					if($index=='true')
 					{