Add more error codes in critical code paths in Context and ModuleHandler

This commit is contained in:
Kijin Sung 2022-10-13 00:34:23 +09:00
parent e4e252c1b4
commit fd421c86fc
2 changed files with 11 additions and 1 deletions


@ -117,6 +117,7 @@ class Context
* @var string|bool * @var string|bool
*/ */
public $security_check = 'OK'; public $security_check = 'OK';
public $security_check_detail = '';
/** /**
* Singleton instance * Singleton instance
@ -1051,6 +1052,7 @@ class Context
if (!self::_recursiveCheckVar($_SERVER['HTTP_HOST']) || preg_match("/[\,\"\'\{\}\[\]\(\);$]/", $_SERVER['HTTP_HOST'])) if (!self::_recursiveCheckVar($_SERVER['HTTP_HOST']) || preg_match("/[\,\"\'\{\}\[\]\(\);$]/", $_SERVER['HTTP_HOST']))
{ {
self::$_instance->security_check = 'DENY ALL'; self::$_instance->security_check = 'DENY ALL';
self::$_instance->security_check_detail = 'ERR_UNSAFE_ENV';
} }
} }
@ -1184,6 +1186,7 @@ class Context
if(!Rhymix\Framework\Security::checkXXE($GLOBALS['HTTP_RAW_POST_DATA'])) if(!Rhymix\Framework\Security::checkXXE($GLOBALS['HTTP_RAW_POST_DATA']))
{ {
self::$_instance->security_check = 'DENY ALL'; self::$_instance->security_check = 'DENY ALL';
self::$_instance->security_check_detail = 'ERR_UNSAFE_XML';
$GLOBALS['HTTP_RAW_POST_DATA'] = ''; $GLOBALS['HTTP_RAW_POST_DATA'] = '';
return; return;
} }
@ -1257,6 +1260,7 @@ class Context
if(!UploadFileFilter::check($tmp_name, $val['name'])) if(!UploadFileFilter::check($tmp_name, $val['name']))
{ {
self::$_instance->security_check = 'DENY ALL'; self::$_instance->security_check = 'DENY ALL';
self::$_instance->security_check_detail = 'ERR_UNSAFE_FILE';
unset($_FILES[$key]); unset($_FILES[$key]);
continue; continue;
} }
@ -1280,6 +1284,7 @@ class Context
if(!UploadFileFilter::check($val['tmp_name'][$i], $val['name'][$i])) if(!UploadFileFilter::check($val['tmp_name'][$i], $val['name'][$i]))
{ {
self::$_instance->security_check = 'DENY ALL'; self::$_instance->security_check = 'DENY ALL';
self::$_instance->security_check_detail = 'ERR_UNSAFE_FILE';
$files = array(); $files = array();
unset($_FILES[$key]); unset($_FILES[$key]);
break; break;
@ -1315,6 +1320,7 @@ class Context
if(preg_match($pattern, $val)) if(preg_match($pattern, $val))
{ {
self::$_instance->security_check = $status; self::$_instance->security_check = $status;
self::$_instance->security_check_detail = 'ERR_UNSAFE_VAR';
if($status === 'DENY ALL') if($status === 'DENY ALL')
{ {
return false; return false;
@ -1422,6 +1428,7 @@ class Context
if($_val === null) if($_val === null)
{ {
self::$_instance->security_check = 'DENY ALL'; self::$_instance->security_check = 'DENY ALL';
self::$_instance->security_check_detail = 'ERR_UNSAFE_VAR';
} }
} }
elseif(in_array($key, array('search_target', 'search_keyword', 'xe_validator_id')) || ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'GET') elseif(in_array($key, array('search_target', 'search_keyword', 'xe_validator_id')) || ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'GET')
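Review bot: The new `$security_check_detail` property in the first hunk is declared without the `@var` docblock its sibling `$security_check` carries, and the four codes it can hold (`ERR_UNSAFE_ENV`, `ERR_UNSAFE_XML`, `ERR_UNSAFE_FILE`, `ERR_UNSAFE_VAR`) are only discoverable by reading the six assignment sites further down. I would document the contract at the declaration, e.g. `/** @var string Reason code for the current $security_check value: '' or one of ERR_UNSAFE_ENV, ERR_UNSAFE_XML, ERR_UNSAFE_FILE, ERR_UNSAFE_VAR */`, so readers of ModuleHandler know the value set without grepping. Note that in the `preg_match($pattern, $val)` hunk the detail is overwritten on every match, including when `$status` is not `'DENY ALL'`, which mirrors how `$security_check` itself is overwritten there, so the pair stays consistent; it is just worth stating in the docblock that the detail describes the last check that fired, not the first. The methods these hunks belong to start and end outside the shown lines.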


@ -73,12 +73,14 @@ class ModuleHandler extends Handler
if(!Context::get('logged_info')->isAdmin()) if(!Context::get('logged_info')->isAdmin())
{ {
$this->error = 'msg_security_violation'; $this->error = 'msg_security_violation';
$this->error_detail = $oContext->security_check_detail;
return; return;
} }
break; break;
case 'DENY ALL': case 'DENY ALL':
default: default:
$this->error = 'msg_security_violation'; $this->error = 'msg_security_violation';
$this->error_detail = $oContext->security_check_detail;
return; return;
} }
@ -138,6 +140,7 @@ class ModuleHandler extends Handler
case 'block': case 'block':
$this->error = 'The site does not exist'; $this->error = 'The site does not exist';
$this->error_detail = 'ERR_DOMAIN_NOT_FOUND';
$this->httpStatusCode = 404; $this->httpStatusCode = 404;
return true; return true;
@ -1041,7 +1044,7 @@ class ModuleHandler extends Handler
if($this->error) if($this->error)
{ {
// display content with message module instance // display content with message module instance
$oMessageObject = self::_createErrorMessage(-1, $this->error, $this->httpStatusCode, '', $oModule->get('rx_error_location')); $oMessageObject = self::_createErrorMessage(-1, $this->error, $this->httpStatusCode, $this->error_detail, $oModule->get('rx_error_location'));
// display Error Page // display Error Page
if(!in_array($oMessageObject->getHttpStatusCode(), array(200, 403))) if(!in_array($oMessageObject->getHttpStatusCode(), array(200, 403)))
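Review bot: In the last hunk `$this->error_detail` now flows into `_createErrorMessage()` as the fourth argument where `''` was passed before, so if that argument ends up in the rendered error page the requester who tripped a filter learns which one it was (`ERR_UNSAFE_XML` vs `ERR_UNSAFE_FILE` vs `ERR_UNSAFE_VAR`), which is a useful oracle for probing the XXE, upload and variable checks one at a time. I would keep the response generic for non-admins and only surface the code to an administrator (or log it server-side), e.g. `$detail = Context::get('logged_info')->isAdmin() ? $this->error_detail : '';` followed by passing `$detail` in place of `$this->error_detail`; the `isAdmin()` call follows the pattern already used at the top of this section. I cannot see whether `Handler` declares `error_detail`; if it does not, the assignments in the first two hunks create a dynamic property, so `public $error_detail = '';` should be added to the class. What `_createErrorMessage()` does with the argument is outside these hunks, so the exposure claim is to be confirmed against that method.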