Throw SecurityViolation if anyone tries to exploit RVE-2022-2 with GET/POST vars

Kijin Sung 2022-03-15 01:36:13 +09:00
parent 1ab9a2899b
commit 9170d9444c


@ -54,6 +54,15 @@ class pageView extends page
{
// Variables used in the template Context:: set()
if($this->module_srl) Context::set('module_srl',$this->module_srl);
// Kick out anyone who tries to exploit RVE-2022-2.
foreach (Context::getRequestVars() as $key => $val)
{
if (preg_match('/[\{\}\(\)<>\$\'"]/', $key) || preg_match('/[\{\}\(\)<>\$\'"]/', $val))
{
throw new Rhymix\Framework\Exceptions\SecurityViolation();
}
}
$page_type_name = strtolower($this->module_info->page_type);
$method = '_get' . ucfirst($page_type_name) . 'Content';
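Review bot: The added loop passes `$val` straight to `preg_match()`, which only handles strings, so the check does not cover request variables that arrive as arrays or objects. Depending on the PHP version, that call either raises a TypeError or warns and returns false, so a nested value is never inspected and the caller never sees a `SecurityViolation` for it. The check should descend into nested values and test their keys as well, with the pattern defined once instead of twice on the same line. A short comment would also help, noting that this is a character denylist in front of the template path rather than the fix for RVE-2022-2 itself, and that it rejects legitimate values containing quotes or parentheses. The enclosing method starts above the hunk and continues below it.

```php
// Kick out anyone who tries to exploit RVE-2022-2.
$pattern = '/[\{\}\(\)<>\$\'"]/';
$reject = function ($vars) use (&$reject, $pattern) {
	foreach ($vars as $key => $val)
	{
		if (preg_match($pattern, (string)$key))
		{
			throw new Rhymix\Framework\Exceptions\SecurityViolation();
		}
		if (is_array($val) || is_object($val))
		{
			// Nested request variables get the same key and value checks.
			$reject($val);
		}
		elseif (preg_match($pattern, (string)$val))
		{
			throw new Rhymix\Framework\Exceptions\SecurityViolation();
		}
	}
};
$reject(Context::getRequestVars());
// … unchanged: $page_type_name / $method lookup …
```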