fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-04 01:01:41 +09:00
Code Issues Projects Releases Packages Wiki Activity

위젯 페이지에서 괄호 등 GET/POST 불가 문제 수정

Browse source 
RVE-2022-2 보안 패치가 외부페이지 뿐만 아니라 위젯 페이지에도 적용되어
위젯으로 구현된 검색, 입력폼 등에서 일반적인 괄호를 못 쓰는 문제를 수정합니다.
This commit is contained in:
dewekk 2022-03-24 18:05:01 +09:00 committed by GitHub
parent 8224eb4027
commit 9c0123ae66
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

18
modules/page/page.view.php
View file

@ -67,15 +67,6 @@ class pageView extends page
{
Context::set('module_srl', $this->module_srl);
}
// Kick out anyone who tries to exploit RVE-2022-2.
foreach (Context::getRequestVars() as $key => $val)
{
if (preg_match('/[\{\}\(\)<>\$\'"]/', $key) || preg_match('/[\{\}\(\)<>\$\'"]/', $val))
{
throw new Rhymix\Framework\Exceptions\SecurityViolation();
}
}
// Get page content according to page type.
$page_type_name = strtolower($this->module_info->page_type);
@ -167,6 +158,15 @@ class pageView extends page
return;
}
// Kick out anyone who tries to exploit RVE-2022-2.
foreach (Context::getRequestVars() as $key => $val)
{
if (preg_match('/[\{\}\(\)<>\$\'"]/', $key) || preg_match('/[\{\}\(\)<>\$\'"]/', $val))
{
throw new Rhymix\Framework\Exceptions\SecurityViolation();
}
}
// External URL
if (preg_match('!^[a-z]+://!i', $this->path))
{