POST 요청시 CSRF 체크를 하지않도록 module.xml에 check_csrf 속성 추가

This commit is contained in:
conory 2016-01-20 18:47:40 +09:00
parent c74a88201a
commit a519db608d
3 changed files with 37 additions and 14 deletions


@ -402,24 +402,29 @@ class ModuleHandler extends Handler
return $oMessageObject;
}
}
// check CSRF for POST actions
if(Context::getRequestMethod() === 'POST' && Context::isInstalled() && !checkCSRF())
{
if($xml_info->action->{$this->act} && $xml_info->action->{$this->act}->check_csrf !== 'false')
{
$this->_setInputErrorToContext();
$this->error = 'msg_invalid_request';
$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage();
return $oMessageObject;
}
}
if($this->module_info->use_mobile != "Y")
{
Mobile::setMobile(FALSE);
}
$logged_info = Context::get('logged_info');
// check CSRF for POST actions
if(Context::getRequestMethod() === 'POST' && Context::isInstalled() && $this->act !== 'procFileUpload' && !checkCSRF()) {
$this->error = 'msg_invalid_request';
$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage();
return $oMessageObject;
}
// Admin ip
if($kind == 'admin' && $_SESSION['denied_admin'] == 'Y')
{
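Review bot: The new guard `if($xml_info->action->{$this->act} && $xml_info->action->{$this->act}->check_csrf !== 'false')` fails open: when the requested act has no entry in the module's action list the outer condition is false and the POST continues with no CSRF check at all, whereas the removed code rejected every unverified POST except procFileUpload. If an act missing from `$xml_info->action` can still be dispatched later (for instance via action forwarding, which I cannot confirm from this hunk), a cross-site POST to such an act is no longer blocked. Defaulting to the check and skipping only on an explicit attribute keeps the fail-closed behaviour: `if(!isset($xml_info->action->{$this->act}) || $xml_info->action->{$this->act}->check_csrf !== 'false')`. The same guard is duplicated verbatim in the hunk at line 557 and should be changed there as well, or both copies extracted into one private helper so the policy cannot drift. The enclosing ModuleHandler method begins and ends outside this hunk.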
@ -552,7 +557,22 @@ class ModuleHandler extends Handler
return $oMessageObject;
}
}
// check CSRF for POST actions
if(Context::getRequestMethod() === 'POST' && Context::isInstalled() && !checkCSRF())
{
if($xml_info->action->{$this->act} && $xml_info->action->{$this->act}->check_csrf !== 'false')
{
$this->_setInputErrorToContext();
$this->error = 'msg_invalid_request';
$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage();
return $oMessageObject;
}
}
if($type == "view" && Mobile::isFromMobilePhone())
{
$orig_type = "view";