From a519db608dfa8d5b1f6825206836820e64de20ec Mon Sep 17 00:00:00 2001
From: conory
Date: Wed, 20 Jan 2016 18:47:40 +0900
Subject: [PATCH 1/2] =?UTF-8?q?POST=20=EC=9A=94=EC=B2=AD=EC=8B=9C=20CSRF?= =?UTF-8?q?=20=EC=B2=B4=ED=81=AC=EB=A5=BC=20=ED=95=98=EC=A7=80=EC=95=8A?= =?UTF-8?q?=EB=8F=84=EB=A1=9D=20=20module.xml=EC=97=90=20check=5Fcsrf=20?= =?UTF-8?q?=EC=86=8D=EC=84=B1=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 classes/module/ModuleHandler.class.php | 46 ++++++++++++++++++--------
 modules/file/conf/module.xml | 2 +-
 modules/module/module.model.php | 3 ++
 3 files changed, 37 insertions(+), 14 deletions(-)
diff --git a/classes/module/ModuleHandler.class.php b/classes/module/ModuleHandler.class.php
index d0db90beb..f518f9bb0 100644
--- a/classes/module/ModuleHandler.class.php
+++ b/classes/module/ModuleHandler.class.php
@@ -402,24 +402,29 @@ class ModuleHandler extends Handler
 return $oMessageObject;
 }
 }
-
+
+ // check CSRF for POST actions
+ if(Context::getRequestMethod() === 'POST' && Context::isInstalled() && !checkCSRF())
+ {
+ if($xml_info->action->{$this->act} && $xml_info->action->{$this->act}->check_csrf !== 'false')
+ {
+ $this->_setInputErrorToContext();
+ $this->error = 'msg_invalid_request';
+ $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
+ $oMessageObject->setError(-1);
+ $oMessageObject->setMessage($this->error);
+ $oMessageObject->dispMessage();
+ return $oMessageObject;
+ }
+ }
+
 if($this->module_info->use_mobile != "Y")
 {
 Mobile::setMobile(FALSE);
 }
 $logged_info = Context::get('logged_info');
-
- // check CSRF for POST actions
- if(Context::getRequestMethod() === 'POST' && Context::isInstalled() && $this->act !== 'procFileUpload' && !checkCSRF()) {
- $this->error = 'msg_invalid_request';
- $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
- $oMessageObject->setError(-1);
- $oMessageObject->setMessage($this->error);
- $oMessageObject->dispMessage();
- return $oMessageObject;
- }
-
+
 // Admin ip
 if($kind == 'admin' && $_SESSION['denied_admin'] == 'Y')
 {
@@ -552,7 +557,22 @@ class ModuleHandler extends Handler
 return $oMessageObject;
 }
 }
-
+
+ // check CSRF for POST actions
+ if(Context::getRequestMethod() === 'POST' && Context::isInstalled() && !checkCSRF())
+ {
+ if($xml_info->action->{$this->act} && $xml_info->action->{$this->act}->check_csrf !== 'false')
+ {
+ $this->_setInputErrorToContext();
+ $this->error = 'msg_invalid_request';
+ $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
+ $oMessageObject->setError(-1);
+ $oMessageObject->setMessage($this->error);
+ $oMessageObject->dispMessage();
+ return $oMessageObject;
+ }
+ }
+
 if($type == "view" && Mobile::isFromMobilePhone())
 {
 $orig_type = "view";
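Review bot: The rewritten check in both hunks fails open when `$xml_info->action->{$this->act}` is unset: the inner condition is then false and the POST proceeds with no CSRF validation at all, whereas the removed block validated every POST except procFileUpload. Unless an act that is absent from xml_info is guaranteed to be rejected elsewhere before it runs (both enclosing functions start outside their hunks, so this cannot be confirmed here), the default should stay closed, e.g. `$action = $xml_info->action->{$this->act};` followed by `if(!$action || $action->check_csrf !== 'false')`. If `$this->act` can still be rewritten after the first hunk (forwarding, default act), the decision made there is against the pre-resolution act and the second hunk presumably covers the resolved one, which is also a reason to fold the two identical blocks into one private helper. The follow-up patch in this series moves `!checkCSRF()` into the inner condition but keeps the same fail-open shape.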
diff --git a/modules/file/conf/module.xml b/modules/file/conf/module.xml index 7f5425f6e..cb0aba1ae 100644 --- a/modules/file/conf/module.xml +++ b/modules/file/conf/module.xml @@ -8,7 +8,7 @@ - + diff --git a/modules/module/module.model.php b/modules/module/module.model.php index 9f74c0397..b4ea17e03 100644 --- a/modules/module/module.model.php +++ b/modules/module/module.model.php @@ -934,6 +934,7 @@ class moduleModel extends module $standalone = $action->attrs->standalone=='false'?'false':'true'; $ruleset = $action->attrs->ruleset?$action->attrs->ruleset:''; $method = $action->attrs->method?$action->attrs->method:''; + $check_csrf = $action->attrs->check_csrf=='false'?'false':'true'; $index = $action->attrs->index; $admin_index = $action->attrs->admin_index; @@ -947,6 +948,7 @@ class moduleModel extends module $info->action->{$name}->standalone = $standalone; $info->action->{$name}->ruleset = $ruleset; $info->action->{$name}->method = $method; + $info->action->{$name}->check_csrf = $check_csrf; if($action->attrs->menu_name) { if($menu_index == 'true') @@ -970,6 +972,7 @@ class moduleModel extends module $buff[] = sprintf('$info->action->%s->standalone=\'%s\';', $name, $standalone); $buff[] = sprintf('$info->action->%s->ruleset=\'%s\';', $name, $ruleset); $buff[] = sprintf('$info->action->%s->method=\'%s\';', $name, $method); + $buff[] = sprintf('$info->action->%s->check_csrf=\'%s\';', $name, $check_csrf); if($index=='true') { From d3a96cb8e1e41f10c11088694c52ec386e6dc86e Mon Sep 17 00:00:00 2001 From: conory Date: Wed, 20 Jan 2016 19:46:16 +0900 Subject: [PATCH 2/2] =?UTF-8?q?checkCSRF=20=EC=A1=B0=EA=B1=B4=EB=B3=80?= =?UTF-8?q?=EA=B2=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- classes/module/ModuleHandler.class.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/classes/module/ModuleHandler.class.php b/classes/module/ModuleHandler.class.php index f518f9bb0..200135280 100644 
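Review bot: The new `check_csrf` value in the first module.model.php hunk is parsed as opt-out-only (`'false'` only when the attribute is literally `false`; absent or any other value becomes `'true'`), which is the right default, but nothing on the page states that contract for module authors; a comment above the line such as `// check_csrf="false" opts the action out of the POST CSRF token check; absent or any other value keeps it on` would. Because the value is also written into the compiled action cache in the third hunk, cache files generated before this change will lack the property until regenerated; with the consumer's `!== 'false'` test that stale case fails closed, which is worth recording next to the sprintf line. The module.xml hunk's markup did not survive rendering here, so which action actually receives `check_csrf="false"` cannot be verified from this page. Any action that opts out has to protect itself against cross-site POSTs by other means, and the comment should say so.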
--- a/classes/module/ModuleHandler.class.php
+++ b/classes/module/ModuleHandler.class.php
@@ -404,9 +404,9 @@ class ModuleHandler extends Handler
 }
 // check CSRF for POST actions
- if(Context::getRequestMethod() === 'POST' && Context::isInstalled() && !checkCSRF())
+ if(Context::getRequestMethod() === 'POST' && Context::isInstalled())
 {
- if($xml_info->action->{$this->act} && $xml_info->action->{$this->act}->check_csrf !== 'false')
+ if($xml_info->action->{$this->act} && $xml_info->action->{$this->act}->check_csrf !== 'false' && !checkCSRF())
 {
 $this->_setInputErrorToContext();
 $this->error = 'msg_invalid_request';
@@ -559,9 +559,9 @@ class ModuleHandler extends Handler
 }
 // check CSRF for POST actions
- if(Context::getRequestMethod() === 'POST' && Context::isInstalled() && !checkCSRF())
+ if(Context::getRequestMethod() === 'POST' && Context::isInstalled())
 {
- if($xml_info->action->{$this->act} && $xml_info->action->{$this->act}->check_csrf !== 'false')
+ if($xml_info->action->{$this->act} && $xml_info->action->{$this->act}->check_csrf !== 'false' && !checkCSRF())
 {
 $this->_setInputErrorToContext();
 $this->error = 'msg_invalid_request';
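Review bot: After this commit the same block appears verbatim at both hunks (lines 404 and 559), and this is the second patch in a row that had to edit both copies in lockstep; a private helper that returns the message object or null would keep the two conditions from drifting apart. The comment `// check CSRF for POST actions` also no longer describes the behaviour; `// check CSRF for POST actions unless the act's module.xml sets check_csrf="false"` does. The helper below keeps this commit's condition unchanged (an act missing from `$xml_info` is not checked); whether that should fail closed is raised on the first patch. Both enclosing functions start and end outside these hunks, and whether `$xml_info` is populated at the first site cannot be confirmed from this page.
```php
		// check CSRF for POST actions unless the act's module.xml sets check_csrf="false"
		$oMessageObject = $this->_checkCSRFForAct($xml_info, $display_mode);
		if($oMessageObject)
		{
			return $oMessageObject;
		}
		// … unchanged: rest of the caller …

	/**
	 * Rejects a POST request whose CSRF token does not verify, unless the
	 * act's module.xml declares check_csrf="false".
	 * Returns the message module instance to display, or null when the
	 * request may proceed.
	 */
	private function _checkCSRFForAct($xml_info, $display_mode)
	{
		if(Context::getRequestMethod() !== 'POST' || !Context::isInstalled())
		{
			return null;
		}
		$action = $xml_info->action->{$this->act};
		if(!$action || $action->check_csrf === 'false' || checkCSRF())
		{
			return null;
		}
		$this->_setInputErrorToContext();
		$this->error = 'msg_invalid_request';
		$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
		$oMessageObject->setError(-1);
		$oMessageObject->setMessage($this->error);
		$oMessageObject->dispMessage();
		return $oMessageObject;
	}
```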