github
/
KodExplorer
mirror of https://github.com/kalcaddle/KodExplorer
1
0
Fork 0
Code Issues Releases Wiki Activity

Update member.class.php 

CSRF Vulnerability Fixed by Ben Khlifa Fahmi (https://www.benkhlifa.com/) from the Tunisian Whitehats Security
pull/50/head
Ben Khlifa Fahmi 2015-12-30 19:43:26 -05:00
parent f249cef058
commit de6de027d1
1 changed files with 100 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
controller/member.class.php
View File

@ -1,107 +1,138 @@
<?php
/*
* @link http://www.kalcaddle.com/
* @author warlee | e-mail:kalcaddle@qq.com
* @copyright warlee 2014.(Shanghai)Co.,Ltd
* @license http://kalcaddle.com/tools/licenses/license.txt
*/
* @link http://www.kalcaddle.com/
* @author warlee | e-mail:kalcaddle@qq.com
* @copyright warlee 2014.(Shanghai)Co.,Ltd
* @license http://kalcaddle.com/tools/licenses/license.txt
* @Security : Ben Khlifa Fahmi - Tunisian Whitehats Security / https://www.benkhlifa.com/
*/
class member extends Controller{
class member extends Controller
{
private $sql;
function __construct() {
function __construct()
{
parent::__construct();
$this->tpl = TEMPLATE.'member/';
$this->sql=new fileCache(USER_SYSTEM.'member.php');
$this->tpl = TEMPLATE . 'member/';
$this->sql = new fileCache(USER_SYSTEM . 'member.php');
}
/**
* 获取用户列表数据
*/
public function get() {
public function get()
{
show_json($this->sql->get());
}
/**
* 用户添加
*/
public function add(){
if (!$this->in['name'] ||
!$this->in['password'] ||
!$this->in['role'] ) show_json($this->L["data_not_full"],false);
public function add()
{
if (!$this->in['name'] || !$this->in['password'] || !$this->in['role'])
show_json($this->L["data_not_full"], false);
if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) {
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
$this->in['name'] = rawurldecode($this->in['name']);
$this->in['password'] = rawurldecode($this->in['password']);
$user = array(
'name' => rawurldecode($this->in['name']),
'password' => md5(rawurldecode($this->in['password'])),
'role' => $this->in['role'],
'status' => 0,
'status' => 0
);
if ($this->sql->add($this->in['name'],$user)) {
if ($this->sql->add($this->in['name'], $user)) {
$this->_initUser($this->in['name']);
show_json($this->L['success']);
show_json($referer);
}
show_json($this->L['error_repeat'], false);
}
} else {
header('Location: 403.php');
}
show_json($this->L['error_repeat'],false);
}
/**
* 编辑
*/
public function edit() {
if (!$this->in['name'] ||
!$this->in['name_to'] ||
!$this->in['role_to'] ) show_json($this->L["data_not_full"],false);
public function edit()
{
if (!$this->in['name'] || !$this->in['name_to'] || !$this->in['role_to'])
show_json($this->L["data_not_full"], false);
if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) {
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
$this->in['name'] = rawurldecode($this->in['name']);
$this->in['name_to'] = rawurldecode($this->in['name_to']);
$this->in['password_to'] = rawurldecode($this->in['password_to']);
if ($this->in['name'] == 'admin') show_json($this->L['default_user_can_not_do'],false);
if ($this->in['name'] == 'admin')
show_json($this->L['default_user_can_not_do'], false);
//查找到一条记录,修改为该数组
$user = $this->sql->get($this->in['name']);
$user['name'] = $this->in['name_to'];
$user['role'] = $this->in['role_to'];
if (strlen($this->in['password_to'])>=1) {
if (strlen($this->in['password_to']) >= 1) {
$user['password'] = md5($this->in['password_to']);
}
if($this->sql->replace_update($this->in['name'],$user['name'],$user)){
rename(USER_PATH.$this->in['name'],USER_PATH.$this->in['name_to']);
if ($this->sql->replace_update($this->in['name'], $user['name'], $user)) {
rename(USER_PATH . $this->in['name'], USER_PATH . $this->in['name_to']);
show_json($this->L['success']);
}
show_json($this->L['error_repeat'],false);
show_json($this->L['error_repeat'], false);
}
} else {
header('Location: 403.php');
}
}
/**
* 删除
*/
public function del() {
public function del()
{
$name = $this->in['name'];
if (!$name) show_json($this->L["username_can_not_null"],false);
if ($name == 'admin') show_json($this->L['default_user_can_not_do'],false);
if($this->sql->delete($name)){
del_dir(USER_PATH.$name.'/');
if (!$name)
show_json($this->L["username_can_not_null"], false);
if ($name == 'admin')
show_json($this->L['default_user_can_not_do'], false);
if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) {
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
if ($this->sql->delete($name)) {
del_dir(USER_PATH . $name . '/');
show_json($this->L['success']);
}
show_json($this->L['error'],false);
show_json($this->L['error'], false);
}
} else {
header('Location: 403.html');
}
}
//============内部处理函数=============
/**
*初始化用户数据和配置。
*/
public function _initUser($name){
$root = array('home','recycle','data');
public function _initUser($name)
{
$root = array(
'home',
'recycle',
'data'
);
$new_user_folder = $this->config['setting_system']['new_user_folder'];
$home = explode(',',$new_user_folder);
$home = explode(',', $new_user_folder);
$user_path = USER_PATH.$name.'/';
$user_path = USER_PATH . $name . '/';
mk_dir($user_path);
foreach ($root as $dir) {
mk_dir($user_path.$dir);
mk_dir($user_path . $dir);
}
foreach ($home as $dir) {
mk_dir($user_path.'home/'.$dir);
mk_dir($user_path . 'home/' . $dir);
}
fileCache::save($user_path.'data/config.php',$this->config['setting_default']);
fileCache::save($user_path . 'data/config.php', $this->config['setting_default']);
}
}