Fix unauthorized config manipulation in document and comment modules

Reported by @conory
2026-01-09 03:32:00 +09:00 · 2017-03-01 23:35:12 +09:00 · 2017-03-01 23:35:12 +09:00 · dc84dd1310
commit dc84dd1310
parent f1c24a4690
2 changed files with 47 additions and 20 deletions
--- a/modules/comment/comment.controller.php
+++ b/modules/comment/comment.controller.php
@ -1525,14 +1525,28 @@ class commentController extends comment
 	 */
 	function procCommentInsertModuleConfig()
 	{
-		$module_srl = Context::get('target_module_srl');
-		if(preg_match('/^([0-9,]+)$/', $module_srl))
+		$target_module_srl = Context::get('target_module_srl');
+		$target_module_srl = array_map('trim', explode(',', $target_module_srl));
+		$logged_info = Context::get('logged_info');
+		$module_srl = array();
+		$oModuleModel = getModel('module');
+		foreach ($target_module_srl as $srl)
 		{
-			$module_srl = explode(',', $module_srl);
-		}
-		else
-		{
-			$module_srl = array($module_srl);
+			if (!$srl) continue;
+			
+			$module_info = $oModuleModel->getModuleInfoByModuleSrl($srl);
+			if (!$module_info->module_srl)
+			{
+				return new Object(-1, 'msg_invalid_request');
+			}
+			
+			$module_grant = $oModuleModel->getGrant($module_info, $logged_info);
+			if (!$module_grant->manager)
+			{
+				return new Object(-1, 'msg_not_permitted');
+			}
+			
+			$module_srl[] = $srl;
 		}

 		$comment_config = new stdClass();
@ -1560,14 +1574,8 @@ class commentController extends comment
 			$comment_config->use_comment_validation = 'N';
 		}

-		for($i = 0; $i < count($module_srl); $i++)
+		foreach ($module_srl as $srl)
 		{
-			$srl = trim($module_srl[$i]);
-			if(!$srl)
-			{
-				continue;
-			}
-
 			$output = $this->setCommentModuleConfig($srl, $comment_config);
 		}

--- a/modules/document/document.controller.php
+++ b/modules/document/document.controller.php
@ -2621,9 +2621,29 @@ class documentController extends document
 	 */
 	function procDocumentInsertModuleConfig()
 	{
-		$module_srl = Context::get('target_module_srl');
-		if(preg_match('/^([0-9,]+)$/',$module_srl)) $module_srl = explode(',',$module_srl);
-		else $module_srl = array($module_srl);
+		$target_module_srl = Context::get('target_module_srl');
+		$target_module_srl = array_map('trim', explode(',', $target_module_srl));
+		$logged_info = Context::get('logged_info');
+		$module_srl = array();
+		$oModuleModel = getModel('module');
+		foreach ($target_module_srl as $srl)
+		{
+			if (!$srl) continue;
+			
+			$module_info = $oModuleModel->getModuleInfoByModuleSrl($srl);
+			if (!$module_info->module_srl)
+			{
+				return new Object(-1, 'msg_invalid_request');
+			}
+			
+			$module_grant = $oModuleModel->getGrant($module_info, $logged_info);
+			if (!$module_grant->manager)
+			{
+				return new Object(-1, 'msg_not_permitted');
+			}
+			
+			$module_srl[] = $srl;
+		}

 		$document_config = new stdClass();
 		$document_config->use_history = Context::get('use_history');
@ -2638,12 +2658,11 @@ class documentController extends document
 		$document_config->use_status = Context::get('use_status');

 		$oModuleController = getController('module');
-		for($i=0;$i<count($module_srl);$i++)
+		foreach ($module_srl as $srl)
 		{
-			$srl = trim($module_srl[$i]);
-			if(!$srl) continue;
 			$output = $oModuleController->insertModulePartConfig('document',$srl,$document_config);
 		}
+		
 		$this->setError(-1);
 		$this->setMessage('success_updated', 'info');