github
/
KodExplorer
mirror of https://github.com/kalcaddle/KodExplorer
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix CSRF vulnerabiltiy

pull/50/head
Ben Khlifa Fahmi 2016-01-01 15:46:31 -05:00
parent 998b36b297
commit 9f7576760b
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
controller/editor.class.php
View File

@ -4,6 +4,7 @@
* @author warlee | e-mail:kalcaddle@qq.com * @author warlee | e-mail:kalcaddle@qq.com
* @copyright warlee 2014.(Shanghai)Co.,Ltd * @copyright warlee 2014.(Shanghai)Co.,Ltd
* @license http://kalcaddle.com/tools/licenses/license.txt * @license http://kalcaddle.com/tools/licenses/license.txt
* @secured by Ben Khlifa Fahmi
*/ */
class editor extends Controller{ class editor extends Controller{
@ -43,7 +44,9 @@ class editor extends Controller{
show_json($data); show_json($data);
} }
public function fileSave(){ public function fileSave(){
$filestr = rawurldecode($this->in['filestr']); if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) {
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
$filestr = rawurldecode($this->in['filestr']);
$charset = $this->in['charset']; $charset = $this->in['charset'];
$path =_DIR($this->in['path']); $path =_DIR($this->in['path']);
if (!is_writable($path)) show_json($this->L['no_permission_write_file'],false); if (!is_writable($path)) show_json($this->L['no_permission_write_file'],false);
@ -55,6 +58,9 @@ class editor extends Controller{
fwrite($fp,$filestr); fwrite($fp,$filestr);
fclose($fp); fclose($fp);
show_json($this->L['save_success']); show_json($this->L['save_success']);
}}else{
header('Location: index.php');
}
} }
/* /*