Merge pull request #278 from kijin/pr/fix-csrf-false-positive

#275 기본 URL 변경에 따른 오류 해소
This commit is contained in:
Kijin Sung 2016-02-16 14:34:53 +09:00
commit be83a34b1e
2 changed files with 41 additions and 25 deletions


@ -1183,42 +1183,58 @@ function requirePear()
*/ */
function checkCSRF() function checkCSRF()
{ {
if($_SERVER['REQUEST_METHOD'] != 'POST') // If this is not a POST request, FAIL.
if ($_SERVER['REQUEST_METHOD'] != 'POST')
{ {
return FALSE; return false;
} }
// Get the referer. If the referer is empty, PASS.
$referer = strval($_SERVER['HTTP_REFERER']);
if ($referer === '')
{
return true;
}
if (strpos($referer, 'xn--') !== false)
{
$referer = Context::decodeIdna($referer);
}
$referer_host = parse_url($referer, PHP_URL_HOST);
// If the referer is the same domain as the current host, PASS.
$current_host = $_SERVER['HTTP_HOST'];
if (strpos($current_host, 'xn--') !== false)
{
$current_host = Context::decodeIdna($current_host);
}
if ($referer_host === $current_host)
{
return true;
}
// If the referer is the same domain as the default URL, PASS.
$default_url = Context::getDefaultUrl(); $default_url = Context::getDefaultUrl();
$referer = $_SERVER["HTTP_REFERER"]; if (strpos($default_url, 'xn--') !== false)
if(strpos($default_url, 'xn--') !== FALSE && strpos($referer, 'xn--') === FALSE)
{ {
$referer = Context::encodeIdna($referer); $default_url = Context::decodeIdna($default_url);
} }
if ($referer_host === parse_url($default_url, PHP_URL_HOST))
$default_url = parse_url($default_url); {
$referer = parse_url($referer); return true;
}
// Check if we have a virtual site with a matching domain.
$oModuleModel = getModel('module'); $oModuleModel = getModel('module');
$siteModuleInfo = $oModuleModel->getDefaultMid(); $siteModuleInfo = $oModuleModel->getDefaultMid();
$virtualSiteInfo = $oModuleModel->getSiteInfo($siteModuleInfo->site_srl);
if($siteModuleInfo->site_srl == 0) if (strcasecmp($virtualSiteInfo->domain, Context::get('vid')) && stristr($virtualSiteInfo->domain, $referer_host))
{ {
if($default_url['host'] !== $referer['host']) return true;
{
return FALSE;
}
} }
else else
{ {
$virtualSiteInfo = $oModuleModel->getSiteInfo($siteModuleInfo->site_srl); return false;
if(strtolower($virtualSiteInfo->domain) != strtolower(Context::get('vid')) && !strstr(strtolower($virtualSiteInfo->domain), strtolower($referer['host'])))
{
return FALSE;
}
} }
return TRUE;
} }
/** /**
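Review bot: The virtual-site branch appears to invert the old acceptance rule: `strcasecmp()` is truthy when the domain differs from `vid`, so the new condition passes only when the virtual domain is not the vid and merely contains `$referer_host`, while the replaced code returned TRUE when the domain equalled the vid; if equality is still meant to pass, the line should read `if (strcasecmp($virtualSiteInfo->domain, Context::get('vid')) === 0 || stristr($virtualSiteInfo->domain, $referer_host) !== false)`. Independently, `strval($_SERVER['HTTP_REFERER'])` reads the index without an `isset`, so a request with no Referer header raises an undefined-index notice before the empty-string check runs; `$referer = isset($_SERVER['HTTP_REFERER']) ? strval($_SERVER['HTTP_REFERER']) : '';` keeps the intended "empty passes" behaviour without the notice. Because an absent or empty referer passes unconditionally, this function can only be a heuristic, and the `stristr` substring test also accepts any referer host that is a substring of the virtual domain; both limits belong in the docblock above the hunk, e.g. `Returns true on any referer-less POST; pair with a per-request token for real CSRF protection.`. The `$referer_host === $current_host` comparison may also fail on non-default ports, since `HTTP_HOST` can carry a port that `parse_url(..., PHP_URL_HOST)` strips — worth confirming against a port-qualified deployment. The docblock that opens this function starts outside the hunk.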


@ -690,7 +690,7 @@ class adminAdminController extends admin
Rhymix\Framework\Config::save(); Rhymix\Framework\Config::save();
$this->setMessage('success_updated'); $this->setMessage('success_updated');
$this->setRedirectUrl(Context::get('success_return_url') ?: getNotEncodedUrl('', 'act', 'dispAdminConfigAdvanced')); $this->setRedirectUrl(Context::get('success_return_url') ?: $default_url . 'index.php?act=dispAdminConfigAdvanced');
} }
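Review bot: The new redirect builds the URL as `$default_url . 'index.php?act=dispAdminConfigAdvanced'`, which silently assumes `$default_url` ends with a slash and is already assigned earlier in this method; the assignment is outside the hunk, so that assumption should be confirmed or made explicit with `rtrim($default_url, '/') . '/index.php?act=dispAdminConfigAdvanced'`. If `$default_url` is derived from config saved on the line above, the fallback now depends on the freshly saved value rather than the request URL, which is presumably the intent of the change. The enclosing method starts and ends outside the hunk.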
/** /**