fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-04 17:21:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

Fix RVE-2023-6 (validate module_srl when uploading/deleting)

Browse source
This commit is contained in:
Kijin Sung 2023-11-02 13:19:41 +09:00
parent e7eadcc6f1
commit bffa50dd15
3 changed files with 28 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

3
modules/editor/editor.controller.php
View file

@ -328,11 +328,10 @@ class EditorController extends Editor
$editor_sequence = Context::get('editor_sequence');
$primary_key = Context::get('primary_key');
$oEditorModel = getModel('editor');
$oFileController = getController('file');
$saved_doc = $oEditorModel->getSavedDoc(null);
$oFileController->setUploadInfo($editor_sequence, $saved_doc->document_srl);
FileController::setUploadInfo($editor_sequence, $saved_doc->document_srl, intval($saved_doc->module_srl));
$vars = $this->getVariables();
$this->add("editor_sequence", $editor_sequence);
$this->add("key", $primary_key);

4
modules/editor/editor.model.php
View file

@ -255,8 +255,7 @@ class EditorModel extends Editor
$upload_status = FileModel::getUploadStatus();
Context::set('upload_status', $upload_status);
// Upload enabled (internally caching)
$oFileController = getController('file');
$oFileController->setUploadInfo($option->editor_sequence, $upload_target_srl);
FileController::setUploadInfo($option->editor_sequence, $upload_target_srl, $option->module_srl ?? 0);
// Check if the file already exists
if($upload_target_srl) $files_count = FileModel::getFilesCount($upload_target_srl);
}
@ -294,6 +293,7 @@ class EditorModel extends Editor
// Initialize options
$option = new stdClass();
$option->module_type = $type;
$option->module_srl = (int)$module_srl;
// Convert configuration keys according to type (document or comment).
if($type == 'document')

37
modules/file/file.controller.php
View file

@ -31,17 +31,19 @@ class FileController extends File
// An error appears if not a normally uploaded file
if(!$file_info || !is_uploaded_file($file_info['tmp_name'])) exit();
// Basic variables setting
// Validate editor_sequence and module_srl.
$editor_sequence = Context::get('editor_sequence');
$module_srl = $this->module_srl;
// Exit a session if there is neither upload permission nor information
if(!$_SESSION['upload_info'][$editor_sequence]->enabled)
if (empty($_SESSION['upload_info'][$editor_sequence]->enabled))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
if ($_SESSION['upload_info'][$editor_sequence]->module_srl && $_SESSION['upload_info'][$editor_sequence]->module_srl !== $module_srl)
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
// Get upload_target_srl
// Validate upload_target_srl.
$upload_target_srl = $_SESSION['upload_info'][$editor_sequence]->upload_target_srl;
$submitted_upload_target_srl = intval(Context::get('uploadTargetSrl')) ?: intval(Context::get('upload_target_srl'));
if ($submitted_upload_target_srl && $submitted_upload_target_srl !== intval($upload_target_srl))
@ -171,12 +173,16 @@ class FileController extends File
function procFileIframeUpload()
{
// Basic variables setting
$editor_sequence = Context::get('editor_sequence');
$callback = Context::get('callback');
$module_srl = $this->module_srl;
// Exit a session if there is neither upload permission nor information
if(!$_SESSION['upload_info'][$editor_sequence]->enabled)
// Validate editor_sequence and module_srl.
$editor_sequence = Context::get('editor_sequence');
$module_srl = $this->module_srl;
if (empty($_SESSION['upload_info'][$editor_sequence]->enabled))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
if ($_SESSION['upload_info'][$editor_sequence]->module_srl && $_SESSION['upload_info'][$editor_sequence]->module_srl !== $module_srl)
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
@ -605,6 +611,7 @@ class FileController extends File
{
throw new Rhymix\Framework\Exceptions\TargetNotFound;
}
$module_srl = $_SESSION['upload_info'][$editor_sequence]->module_srl ?? 0;
$srls = explode(',',$file_srl);
if(!count($srls)) return;
@ -621,6 +628,7 @@ class FileController extends File
$file_info = $output->data;
if(!$file_info || $file_info->upload_target_srl != $upload_target_srl) continue;
if($module_srl && !$file_info->module_srl != $module_srl) continue;
if(!FileModel::isDeletable($file_info)) continue;
$output = $this->deleteFile($file_srl);
}
@ -728,9 +736,10 @@ class FileController extends File
*
* @param int $editor_sequence
* @param int $upload_target_srl
* @param int $module_srl
* @return int
*/
function setUploadInfo($editor_sequence = 0, $upload_target_srl = 0)
public static function setUploadInfo($editor_sequence = 0, $upload_target_srl = 0, $module_srl = 0)
{
if(!$editor_sequence)
{
@ -749,8 +758,12 @@ class FileController extends File
$_SESSION['upload_info'][$editor_sequence] = new stdClass();
}
$_SESSION['upload_info'][$editor_sequence]->enabled = true;
$_SESSION['upload_info'][$editor_sequence]->upload_target_srl = $upload_target_srl;
$_SESSION['upload_info'][$editor_sequence]->upload_target_srl = (int)$upload_target_srl;
$_SESSION['upload_info'][$editor_sequence]->module_srl = (int)$module_srl;
if (!$module_srl)
{
trigger_error('FileController::setUploadInfo() called without module_srl', E_USER_WARNING);
}
return $editor_sequence;
}