github
/
KodExplorer
mirror of https://github.com/kalcaddle/KodExplorer
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix CSRF vulnerabiltiy

pull/50/head
Ben Khlifa Fahmi 2016-01-01 15:45:19 -05:00
parent 2450ab9fc5
commit 998b36b297
1 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
controller/app.class.php
View File

@ -4,6 +4,7 @@
* @author warlee | e-mail:kalcaddle@qq.com * @author warlee | e-mail:kalcaddle@qq.com
* @copyright warlee 2014.(Shanghai)Co.,Ltd * @copyright warlee 2014.(Shanghai)Co.,Ltd
* @license http://kalcaddle.com/tools/licenses/license.txt * @license http://kalcaddle.com/tools/licenses/license.txt
* @Secured by Ben Khlifa Fahmi
*/ */
class app extends Controller{ class app extends Controller{
@ -81,9 +82,13 @@ class app extends Controller{
* 添加 * 添加
*/ */
public function add() { public function add() {
$res=$this->sql->add(rawurldecode($this->in['name']),$this->_init()); if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) {
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
$res=$this->sql->add(rawurldecode($this->in['name']),$this->_init());
if($res) show_json($this->L['success']); if($res) show_json($this->L['success']);
show_json($this->L['error_repeat'],false); show_json($this->L['error_repeat'],false);}}else{
header('Location: 403.php');
}
} }
/** /**
@ -91,21 +96,28 @@ class app extends Controller{
*/ */
public function edit() { public function edit() {
//查找到一条记录,修改为该数组 //查找到一条记录,修改为该数组
if($this->sql->replace_update( if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) {
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
if($this->sql->replace_update(
rawurldecode($this->in['old_name']), rawurldecode($this->in['old_name']),
rawurldecode($this->in['name']),$this->_init())){ rawurldecode($this->in['name']),$this->_init())){
show_json($this->L['success']); show_json($this->L['success']);
} }
show_json($this->L['error_repeat'],false); show_json($this->L['error_repeat'],false);}}else{
header('Location: 403.php');}
} }
/** /**
* 删除 * 删除
*/ */
public function del() { public function del() {
if($this->sql->delete(rawurldecode($this->in['name']))){ if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) {
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
if($this->sql->delete(rawurldecode($this->in['name']))){
show_json($this->L['success']); show_json($this->L['success']);
} }
show_json($this->L['error'],false); show_json($this->L['error'],false);}}else{
header('Location: 403.php');
}
} }
public function get_url_title(){ public function get_url_title(){