Fix #2035 XEVE-17-002 쉬운 설치 페이지에서 발생하는 보안 취약점 고침

- 제보자 : 최봉환(stayp05)
bnu 2017-02-21 17:01:07 +09:00 committed by Kijin Sung
parent fbe47e0610
commit 954d2c7ec6
2 changed files with 11 additions and 8 deletions


@ -488,7 +488,7 @@ class autoinstallAdminView extends autoinstall
$security = new Security();
$security->encodeHTML('package.', 'package.depends..', 'item_list..');
$security->encodeHTML('search_target', 'search_keyword');
$security->encodeHTML('search_target', 'search_keyword', 'order_target', 'order_type');
}
/**
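Review bot: The four names passed to `encodeHTML` on the new line are the only escaping applied before the template writes `{$order_target}`, `{$order_type}` and `{$search_keyword}` into double-quoted `value` attributes, and nothing at the call site records that dependency. A comment on the new line, `// order_target/order_type/search_keyword are echoed unescaped by the admin templates; keep this list in sync with them`, would stop a later edit from trimming the list and silently reopening the issue. The enclosing method of `autoinstallAdminView` begins outside this hunk, so whether other values it sets on the Context (for instance `act` or `page`, which the templates also echo) need the same treatment cannot be judged from here.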


@ -132,12 +132,12 @@
</tbody>
</table>
<div class="x_clearfix" style="margin-top:-10px">
{@
$urlInfo = parse_url(getRequestUriByServerEnviroment());
parse_str($urlInfo['query'], $param);
}
<form cond="$page_navigation" action="./" class="x_pagination x_pull-left" no-error-return-url="true">
<input loop="$param => $key, $val" cond="!in_array($key, array('mid', 'vid', 'act'))" type="hidden" name="{$key}" value="{$val}" />
<input type="hidden" name="module" value="admin" />
<input type="hidden" name="act" value="{$act}" />
<input type="hidden" name="order_target" value="{$order_target}" />
<input type="hidden" name="order_type" value="{$order_type}" />
<input type="hidden" name="search_keyword" value="{$search_keyword}" />
<ul>
<li class="x_disabled"|cond="!$page || $page == 1"><a href="{getUrl('page', '')}">&laquo; {$lang->first_page}</a></li>
<block cond="$page_navigation->first_page != 1 && $page_navigation->first_page + $page_navigation->page_count > $page_navigation->last_page - 1 && $page_navigation->page_count != $page_navigation->total_page">
@ -168,8 +168,11 @@
</ul>
</form>
<form action="./" class="search x_input-append x_pull-right" no-error-return-url="true" cond="$act!=dispAutoinstallAdminInstalledPackages">
<input loop="$param => $key, $val" cond="!in_array($key, array('mid', 'vid', 'act', 'page'))" type="hidden" name="{$key}" value="{$val}" />
<input type="search" name="search_keyword" required title="Search" value="{htmlspecialchars($search_keyword, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}">
<input type="hidden" name="module" value="admin" />
<input type="hidden" name="act" value="{$act}" />
<input type="hidden" name="order_target" value="{$order_target}" />
<input type="hidden" name="order_type" value="{$order_type}" />
<input type="search" name="search_keyword" required title="Search" value="{$search_keyword}" />
<button class="x_btn x_btn-inverse" type="submit">{$lang->cmd_search}</button>
<a href="{getUrl('page', '', 'search_keyword', '')}" class="x_btn">{$lang->cmd_cancel}</a>
</form>
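Review bot: Both forms interpolate `{$act}` into a hidden input's `value` attribute, but `act` is not among the names the companion view change passes to `encodeHTML` (`search_target`, `search_keyword`, `order_target`, `order_type`), so it is only safe if the action name is validated or escaped before this view renders — worth confirming rather than assuming. Replacing the `$param` loop (which copied every query key and value from `parse_str` straight into `name`/`value` attributes) with an explicit list of module/act/order_target/order_type/search_keyword closes that reflection, at the cost that any other parameter the listing depends on is no longer carried across a page change or search, which the commit message does not mention. Which of the two `search_keyword` inputs is the new side is not recoverable from this rendering; if the `htmlspecialchars(..., ENT_COMPAT | ENT_HTML401, 'UTF-8', false)` one survives, note that `double_encode=false` and `ENT_COMPAT` rely on the value already being encoded by the view and on the attribute staying double-quoted, so `ENT_QUOTES | ENT_SUBSTITUTE` would be the safer choice. A template comment such as `<!-- order_target/order_type/search_keyword are HTML-encoded in autoinstallAdminView via Security::encodeHTML; keep that list in sync -->` would make the cross-file dependency visible to the next editor.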