Consistently use new domain system for URL::isInternalUrl() and checkCSRF()

2026-01-05 09:41:40 +09:00 · 2017-03-04 22:09:45 +09:00 · 2017-03-04 22:09:45 +09:00 · af7309b807
commit af7309b807
parent f1608ad3a9
3 changed files with 6 additions and 23 deletions
--- a/common/framework/security.php
+++ b/common/framework/security.php
@ -310,10 +310,10 @@ class Security
 		if (!$referer)
 		{
 			$referer = strval($_SERVER['HTTP_REFERER']);
-			if ($referer === '')
-			{
-				return true;
-			}
+		}
+		if (strval($referer) === '')
+		{
+			return true;
 		}
 		
 		return URL::isInternalURL($referer);
--- a/common/legacy.php
+++ b/common/legacy.php
@ -1051,24 +1051,7 @@ function requirePear()
 */
 function checkCSRF()
 {
-	// Use Rhymix Security class first.
-	if (Rhymix\Framework\Security::checkCSRF())
-	{
-		return true;
-	}
-	
-	// Check if we have a virtual site with a matching domain.
-	$oModuleModel = getModel('module');
-	$siteModuleInfo = $oModuleModel->getDefaultMid();
-	$virtualSiteInfo = $oModuleModel->getSiteInfo($siteModuleInfo->site_srl);
-	if (strcasecmp($virtualSiteInfo->domain, Context::get('vid')) && stristr($virtualSiteInfo->domain, $referer_host))
-	{
-		return true;
-	}
-	else
-	{
-		return false;
-	}
+	return Rhymix\Framework\Security::checkCSRF();
 }

 /**
--- a/modules/module/module.model.php
+++ b/modules/module/module.model.php
@ -97,7 +97,7 @@ class moduleModel extends module
 			$domain = Rhymix\Framework\URL::getDomainFromURL($domain);
 			if ($domain === false)
 			{
-				return null;
+				return false;
 			}
 		}
 		if (strpos($domain, 'xn--') !== false)