fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-09 11:44:10 +09:00
Code Issues Projects Releases Packages Wiki Activity

Perform CSRF check for getLoginStatus separately

Browse source
This commit is contained in:
Kijin Sung 2022-10-20 16:56:17 +09:00
parent ed131897c5
commit ed649fb58c
2 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
modules/member/conf/module.xml
View file

@ -32,7 +32,7 @@
<action name="dispMemberLogout" type="view" meta-noindex="true" /> <action name="dispMemberLogout" type="view" meta-noindex="true" />
<action name="dispMemberSpammer" type="view" permission="manager" check_var="module_srl" meta-noindex="true" /> <action name="dispMemberSpammer" type="view" permission="manager" check_var="module_srl" meta-noindex="true" />
<action name="getLoginStatus" type="model" method="POST" meta-noindex="true" /> <action name="getLoginStatus" type="model" method="POST" check_csrf="false" meta-noindex="true" />
<action name="getMemberMenu" type="model" /> <action name="getMemberMenu" type="model" />
<action name="getApiGroups" type="model" permission="root" /> <action name="getApiGroups" type="model" permission="root" />

5
modules/member/member.model.php
View file

@ -183,7 +183,10 @@ class memberModel extends member
$origin = strval(($_SERVER['HTTP_ORIGIN'] ?? '') ?: ($_SERVER['HTTP_REFERER'] ?? '')); $origin = strval(($_SERVER['HTTP_ORIGIN'] ?? '') ?: ($_SERVER['HTTP_REFERER'] ?? ''));
if ($origin !== '' && $origin !== 'null' && !Rhymix\Framework\URL::isInternalURL($origin)) if ($origin !== '' && $origin !== 'null' && !Rhymix\Framework\URL::isInternalURL($origin))
{ {
throw new Rhymix\Framework\Exceptions\SecurityViolation(); $this->setError(-1);
$this->setMessage('msg_security_violation');
$this->add('errorDetail', 'ERR_CSRF_INVALID_ORIGIN');
return;
} }
// Add CORS restriction // Add CORS restriction