mirror of
https://github.com/Lastorder-DC/rhymix.git
synced 2026-01-04 01:01:41 +09:00
Merge pull request #278 from kijin/pr/fix-csrf-false-positive
#275 기본 URL 변경에 따른 오류 해소
This commit is contained in:
Kijin Sung
commit
be83a34b1e
2 changed files with 41 additions and 25 deletions
|
|
@ -1183,44 +1183,60 @@ function requirePear()
|
|||
*/
|
||||
function checkCSRF()
|
||||
{
|
||||
// If this is not a POST request, FAIL.
|
||||
if ($_SERVER['REQUEST_METHOD'] != 'POST')
|
||||
{
|
||||
return FALSE;
|
||||
return false;
|
||||
}
|
||||
|
||||
$default_url = Context::getDefaultUrl();
|
||||
$referer = $_SERVER["HTTP_REFERER"];
|
||||
|
||||
if(strpos($default_url, 'xn--') !== FALSE && strpos($referer, 'xn--') === FALSE)
|
||||
// Get the referer. If the referer is empty, PASS.
|
||||
$referer = strval($_SERVER['HTTP_REFERER']);
|
||||
if ($referer === '')
|
||||
{
|
||||
$referer = Context::encodeIdna($referer);
|
||||
return true;
|
||||
}
|
||||
if (strpos($referer, 'xn--') !== false)
|
||||
{
|
||||
$referer = Context::decodeIdna($referer);
|
||||
}
|
||||
$referer_host = parse_url($referer, PHP_URL_HOST);
|
||||
|
||||
// If the referer is the same domain as the current host, PASS.
|
||||
$current_host = $_SERVER['HTTP_HOST'];
|
||||
if (strpos($current_host, 'xn--') !== false)
|
||||
{
|
||||
$current_host = Context::decodeIdna($current_host);
|
||||
}
|
||||
if ($referer_host === $current_host)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
$default_url = parse_url($default_url);
|
||||
$referer = parse_url($referer);
|
||||
// If the referer is the same domain as the default URL, PASS.
|
||||
$default_url = Context::getDefaultUrl();
|
||||
if (strpos($default_url, 'xn--') !== false)
|
||||
{
|
||||
$default_url = Context::decodeIdna($default_url);
|
||||
}
|
||||
if ($referer_host === parse_url($default_url, PHP_URL_HOST))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
// Check if we have a virtual site with a matching domain.
|
||||
$oModuleModel = getModel('module');
|
||||
$siteModuleInfo = $oModuleModel->getDefaultMid();
|
||||
|
||||
if($siteModuleInfo->site_srl == 0)
|
||||
$virtualSiteInfo = $oModuleModel->getSiteInfo($siteModuleInfo->site_srl);
|
||||
if (strcasecmp($virtualSiteInfo->domain, Context::get('vid')) && stristr($virtualSiteInfo->domain, $referer_host))
|
||||
{
|
||||
if($default_url['host'] !== $referer['host'])
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
else
|
||||
{
|
||||
$virtualSiteInfo = $oModuleModel->getSiteInfo($siteModuleInfo->site_srl);
|
||||
if(strtolower($virtualSiteInfo->domain) != strtolower(Context::get('vid')) && !strstr(strtolower($virtualSiteInfo->domain), strtolower($referer['host'])))
|
||||
{
|
||||
return FALSE;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/**
|
||||
* menu exposure check by isShow column
|
||||
* @param array $menu
|
||||
|
|
|
|||
|
|
@ -690,7 +690,7 @@ class adminAdminController extends admin
|
|||
Rhymix\Framework\Config::save();
|
||||
|
||||
$this->setMessage('success_updated');
|
||||
$this->setRedirectUrl(Context::get('success_return_url') ?: getNotEncodedUrl('', 'act', 'dispAdminConfigAdvanced'));
|
||||
$this->setRedirectUrl(Context::get('success_return_url') ?: $default_url . 'index.php?act=dispAdminConfigAdvanced');
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue