Fix Security Issue

A CSRF was located on this calss and has been fixed by Ben Khlifa Fahmi , the CSRF Allow an attacker to Add, Edit , Delete Group.
2016-01-01 14:29:45 -05:00 · 2016-01-01 14:29:45 -05:00 · 2450ab9fc5
parent 3727603694
commit 2450ab9fc5
1 changed files with 134 additions and 72 deletions
--- a/controller/group.class.php
+++ b/controller/group.class.php
@ -4,85 +4,147 @@
 * @author warlee | e-mail:kalcaddle@qq.com
 * @copyright warlee 2014.(Shanghai)Co.,Ltd
 * @license http://kalcaddle.com/tools/licenses/license.txt
 * @secured : Ben Khlifa Fahmi
 */
 class group extends Controller
-class group extends Controller{
+	{
 	private $sql;
-    function __construct()    {
+	function __construct()
 		{
 		parent::__construct();
-        $this->sql=new fileCache(USER_SYSTEM.'group.php');
+		$this->sql = new fileCache(USER_SYSTEM . 'group.php');
 		}
-    public function get() {
+	public
 	function get()
 		{
 		show_json($this->sql->get());
 		}
 	/**
 	 * 用户添加
 	 */
-    public function add(){
+	public
 	function add()
 		{
 		if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"])
 			{
 			if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
 				{
 				$group = $this->_init_data();
-        if($this->sql->add($this->in['role'],$group)){
+				if ($this->sql->add($this->in['role'], $group))
 					{
 					show_json($this->L['success']);
 					}
-        show_json($this->L['error_repeat'],false);
+
 				show_json($this->L['error_repeat'], false);
 				}
 			}
 		  else
 			{
 			header('Location: 403.php');
 			}
 		}
 	/**
 	 * 编辑
 	 */
-    public function edit(){
+	public
 	function edit()
 		{
 		if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"])
 			{
 			if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
 				{
 				$group = $this->_init_data();
 				$role_old = $this->in['role_old'];
-        if (!$role_old) show_json($this->L["groupname_can_not_null"],false);
+				if (!$role_old) show_json($this->L["groupname_can_not_null"], false);
-        if ($role_old == 'root') show_json($this->L['default_group_can_not_do'],false);
+				if ($role_old == 'root') show_json($this->L['default_group_can_not_do'], false);
-
+				if ($this->sql->replace_update($role_old, $this->in['role'], $group))
-        if ($this->sql->replace_update($role_old,$this->in['role'],$group)){
+					{
-            $member = new fileCache(USER_SYSTEM.'member.php');
+					$member = new fileCache(USER_SYSTEM . 'member.php');
-            if ($member -> update('role',$this->in['role'],$role_old)) {
+					if ($member->update('role', $this->in['role'], $role_old))
 						{
 						show_json($this->L['success']);
 						}
-            show_json($this->L['group_move_user_error'],false);
+
 					show_json($this->L['group_move_user_error'], false);
 					}
 				show_json($this->L['error_repeat'], false);
 				}
 			}
 		  else
 			{
 			header('Location: 403.php');
 			}
        show_json($this->L['error_repeat'],false);
 		}
 	/**
 	 * 删除
 	 */
-    public function del() {
+	public
 	function del()
 		{
 		if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"])
 			{
 			if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
 				{
            		$role = $this->in['role'];
-        if (!$role) show_json($this->L["groupname_can_not_null"],false);
+		            if (!$role) show_json($this->L["groupname_can_not_null"], false);
-        if ($role == 'root') show_json($this->L['default_group_can_not_do'],false);
+		            if ($role == 'root') show_json($this->L['default_group_can_not_do'], false);
-        if($this->sql->delete($role)){
+		            if ($this->sql->delete($role))
-            $member = new fileCache(USER_SYSTEM.'member.php');
+			            {
-            $member -> update('role','',$role);//改组用户设置为空
+			                $member = new fileCache(USER_SYSTEM . 'member.php');
 			                $member->update('role', '', $role); //改组用户设置为空
 			                show_json($this->L['success']);
 			            }
-        show_json($this->L['error'],false);
+		            show_json($this->L['error'], false);
                }
            }
            else
            {
                header('Location: 403.php');
            }
        }
 	// ===========内部调用============
    //===========内部调用============
 	/**
 	 * 初始化数据 get
 	 * 只传键即可  &ext_not_allow=''&explorer-mkfile&explorer-pathRname
 	 */
-    private function _init_data(){
+	private
-        if (strlen($this->in['role'])<1) show_json($this->L["groupname_can_not_null"],false);
+	function _init_data()
-        if (strlen($this->in['name'])<1) show_json($this->L["groupdesc_can_not_null"],false);
+		{
-        
+		if (strlen($this->in['role']) < 1) show_json($this->L["groupname_can_not_null"], false);
-        $role_arr = array('role'=>$this->in['role'],'name'=>$this->in['name']);
+		if (strlen($this->in['name']) < 1) show_json($this->L["groupdesc_can_not_null"], false);
 		$role_arr = array(
 			'role' => $this->in['role'],
 			'name' => $this->in['name']
 		);
 		$role_arr['ext_not_allow'] = $this->in['ext_not_allow'];
-        foreach ($this->config['role_setting'] as $key => $actions) {
+		foreach($this->config['role_setting'] as $key => $actions)
-            foreach ($actions as $action) {
+			{
-                $k = $key.':'.$action;
+			foreach($actions as $action)
-                if (isset($this->in[$k])){
+				{
 				$k = $key . ':' . $action;
 				if (isset($this->in[$k]))
 					{
 					$role_arr[$k] = 1;
-                }else{
+					}
 				  else
 					{
 					$role_arr[$k] = 0;
 					}
 				}
 			}
 		return $role_arr;
 		}
-}
+	}