github
/
KodExplorer
mirror of https://github.com/kalcaddle/KodExplorer
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix Security Issue 

A CSRF was located on this calss and has been fixed by Ben Khlifa Fahmi , the CSRF Allow an attacker to Add, Edit , Delete Group.
pull/50/head
Ben Khlifa Fahmi 2016-01-01 14:29:45 -05:00
parent 3727603694
commit 2450ab9fc5
1 changed files with 134 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

202
controller/group.class.php
View File

@ -4,85 +4,147 @@
* @author warlee | e-mail:kalcaddle@qq.com * @author warlee | e-mail:kalcaddle@qq.com
* @copyright warlee 2014.(Shanghai)Co.,Ltd * @copyright warlee 2014.(Shanghai)Co.,Ltd
* @license http://kalcaddle.com/tools/licenses/license.txt * @license http://kalcaddle.com/tools/licenses/license.txt
* @secured : Ben Khlifa Fahmi
*/ */
class group extends Controller
class group extends Controller{ {
private $sql; private $sql;
function __construct() { function __construct()
parent::__construct(); {
$this->sql=new fileCache(USER_SYSTEM.'group.php'); parent::__construct();
} $this->sql = new fileCache(USER_SYSTEM . 'group.php');
}
public function get() { public
show_json($this->sql->get());
}
/**
* 用户添加
*/
public function add(){
$group = $this->_init_data();
if($this->sql->add($this->in['role'],$group)){
show_json($this->L['success']);
}
show_json($this->L['error_repeat'],false);
}
/** function get()
* 编辑 {
*/ show_json($this->sql->get());
public function edit(){ }
$group = $this->_init_data();
$role_old = $this->in['role_old'];
if (!$role_old) show_json($this->L["groupname_can_not_null"],false);
if ($role_old == 'root') show_json($this->L['default_group_can_not_do'],false);
if ($this->sql->replace_update($role_old,$this->in['role'],$group)){ /**
$member = new fileCache(USER_SYSTEM.'member.php'); * 用户添加
if ($member -> update('role',$this->in['role'],$role_old)) { */
show_json($this->L['success']); public
}
show_json($this->L['group_move_user_error'],false);
}
show_json($this->L['error_repeat'],false);
}
/** function add()
* 删除 {
*/ if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"])
public function del() { {
$role = $this->in['role']; if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
if (!$role) show_json($this->L["groupname_can_not_null"],false); {
if ($role == 'root') show_json($this->L['default_group_can_not_do'],false); $group = $this->_init_data();
if($this->sql->delete($role)){ if ($this->sql->add($this->in['role'], $group))
$member = new fileCache(USER_SYSTEM.'member.php'); {
$member -> update('role','',$role);//改组用户设置为空 show_json($this->L['success']);
show_json($this->L['success']); }
}
show_json($this->L['error'],false);
}
show_json($this->L['error_repeat'], false);
}
}
else
{
header('Location: 403.php');
}
}
//===========内部调用============ /**
/** * 编辑
* 初始化数据 get */
* 只传键即可 &ext_not_allow=''&explorer-mkfile&explorer-pathRname public
*/
private function _init_data(){
if (strlen($this->in['role'])<1) show_json($this->L["groupname_can_not_null"],false);
if (strlen($this->in['name'])<1) show_json($this->L["groupdesc_can_not_null"],false);
$role_arr = array('role'=>$this->in['role'],'name'=>$this->in['name']); function edit()
$role_arr['ext_not_allow'] = $this->in['ext_not_allow']; {
foreach ($this->config['role_setting'] as $key => $actions) { if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"])
foreach ($actions as $action) { {
$k = $key.':'.$action; if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
if (isset($this->in[$k])){ {
$role_arr[$k] = 1; $group = $this->_init_data();
}else{ $role_old = $this->in['role_old'];
$role_arr[$k] = 0; if (!$role_old) show_json($this->L["groupname_can_not_null"], false);
if ($role_old == 'root') show_json($this->L['default_group_can_not_do'], false);
if ($this->sql->replace_update($role_old, $this->in['role'], $group))
{
$member = new fileCache(USER_SYSTEM . 'member.php');
if ($member->update('role', $this->in['role'], $role_old))
{
show_json($this->L['success']);
}
show_json($this->L['group_move_user_error'], false);
}
show_json($this->L['error_repeat'], false);
}
}
else
{
header('Location: 403.php');
}
}
/**
* 删除
*/
public
function del()
{
if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"])
{
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
{
$role = $this->in['role'];
if (!$role) show_json($this->L["groupname_can_not_null"], false);
if ($role == 'root') show_json($this->L['default_group_can_not_do'], false);
if ($this->sql->delete($role))
{
$member = new fileCache(USER_SYSTEM . 'member.php');
$member->update('role', '', $role); //改组用户设置为空
show_json($this->L['success']);
}
show_json($this->L['error'], false);
} }
} }
else
{
header('Location: 403.php');
}
} }
return $role_arr;
} // ===========内部调用============
}
/**
* 初始化数据 get
* 只传键即可 &ext_not_allow=''&explorer-mkfile&explorer-pathRname
*/
private
function _init_data()
{
if (strlen($this->in['role']) < 1) show_json($this->L["groupname_can_not_null"], false);
if (strlen($this->in['name']) < 1) show_json($this->L["groupdesc_can_not_null"], false);
$role_arr = array(
'role' => $this->in['role'],
'name' => $this->in['name']
);
$role_arr['ext_not_allow'] = $this->in['ext_not_allow'];
foreach($this->config['role_setting'] as $key => $actions)
{
foreach($actions as $action)
{
$k = $key . ':' . $action;
if (isset($this->in[$k]))
{
$role_arr[$k] = 1;
}
else
{
$role_arr[$k] = 0;
}
}
}
return $role_arr;
}
}