ifhub/ifhub.club
1
0
Fork 0
mirror of https://github.com/Oreolek/ifhub.club.git synced 2024-05-19 09:18:18 +03:00
Code Issues Releases Wiki Activity

fix безопасности при отправки форм by Hrom

Browse source
This commit is contained in:
Mzhelskiy Maxim 2009-05-21 14:50:55 +00:00
parent 0d46747cad
commit f867ab5a13
12 changed files with 94 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
classes/actions/ActionBlog.class.php
View file

@ -171,7 +171,8 @@ class ActionBlog extends Action {
*/
if (!$this->checkBlogFields()) {
return false;
}
}
$this->Security_ValidateSendForm();
/**
* Если всё ок то пытаемся создать блог
*/
@ -192,7 +193,7 @@ class ActionBlog extends Action {
/**
* Загрузка аватара, делаем ресайзы
*/
if (is_uploaded_file($_FILES['avatar']['tmp_name'])) {
if (isset($_FILES['avatar']) and is_uploaded_file($_FILES['avatar']['tmp_name'])) {
$sFileTmp=$_FILES['avatar']['tmp_name'];
if ($sFileAvatar=func_img_resize($sFileTmp,DIR_UPLOADS_IMAGES.'/'.$oBlog->getOwnerId(),"avatar_blog_{$oBlog->getUrl()}_48x48",3000,3000,48,48)) {
func_img_resize($sFileTmp,DIR_UPLOADS_IMAGES.'/'.$oBlog->getOwnerId(),"avatar_blog_{$oBlog->getUrl()}_24x24",3000,3000,24,24);
@ -271,6 +272,7 @@ class ActionBlog extends Action {
* Если нажали кнопку "Сохранить"
*/
if (isset($_REQUEST['submit_blog_add'])) {
$this->Security_ValidateSendForm();
/**
* Запускаем проверку корректности ввода полей при редактировании блога
*/
@ -289,7 +291,7 @@ class ActionBlog extends Action {
/**
* Загрузка аватара, делаем ресайзы
*/
if (is_uploaded_file($_FILES['avatar']['tmp_name'])) {
if (isset($_FILES['avatar']) and is_uploaded_file($_FILES['avatar']['tmp_name'])) {
$sFileTmp=$_FILES['avatar']['tmp_name'];
if ($sFileAvatar=func_img_resize($sFileTmp,DIR_UPLOADS_IMAGES.'/'.$oBlog->getOwnerId(),"avatar_blog_{$oBlog->getUrl()}_48x48",3000,3000,48,48)) {
func_img_resize($sFileTmp,DIR_UPLOADS_IMAGES.'/'.$oBlog->getOwnerId(),"avatar_blog_{$oBlog->getUrl()}_24x24",3000,3000,24,24);
@ -372,6 +374,7 @@ class ActionBlog extends Action {
* Обрабатываем сохранение формы
*/
if (isset($_REQUEST['submit_blog_admin'])) {
$this->Security_ValidateSendForm();
$aUserRank=getRequest('user_rank',array());
if (!is_array($aUserRank)) {
$aUserRank=array();
@ -1131,6 +1134,7 @@ class ActionBlog extends Action {
* Если нажали кнопку "Отправить"
*/
if (isset($_REQUEST['submit_comment'])) {
$this->Security_ValidateSendForm();
/**
* Проверяем авторизованл ли пользователь
*/

6
classes/actions/ActionLink.class.php
View file

@ -254,7 +254,8 @@ class ActionLink extends Action {
*/
if (!isset($_REQUEST['submit_topic_publish']) and !isset($_REQUEST['submit_topic_save'])) {
return false;
}
}
$this->Security_ValidateSendForm();
/**
* Проверка корректности полей формы
*/
@ -384,7 +385,8 @@ class ActionLink extends Action {
*/
if (!$this->checkTopicFields()) {
return false;
}
}
$this->Security_ValidateSendForm();
/**
* Определяем в какой блог делаем запись
*/

3
classes/actions/ActionLogin.class.php
View file

@ -46,6 +46,7 @@ class ActionLogin extends Action {
* Если нажали кнопку "Войти"
*/
if (isset($_REQUEST['submit_login'])) {
$this->Security_ValidateSendForm();
/**
* Проверяем есть ли такой юзер по логину
*/
@ -80,6 +81,7 @@ class ActionLogin extends Action {
*
*/
protected function EventExit() {
$this->Security_ValidateSendForm();
$this->User_Logout();
$this->Viewer_Assign('bRefreshToHome',true);
}
@ -120,6 +122,7 @@ class ActionLogin extends Action {
* Обрабатываем запрос на смену пароля
*/
if (isset($_REQUEST['submit_reminder'])) {
$this->Security_ValidateSendForm();
if ((func_check(getRequest('mail'),'mail') and $oUser=$this->User_GetUserByMail(getRequest('mail')))) {
/**
* Формируем и отправляем ссылку на смену пароля

4
classes/actions/ActionPage.class.php
View file

@ -138,6 +138,7 @@ class ActionPage extends Action {
* Замечание: если используется тип таблиц MyISAM, а InnoDB то возможно некорректное удаление вложенных страниц
*/
if ($this->GetParam(0)=='delete') {
$this->Security_ValidateSendForm();
if ($this->Page_deletePageById($this->GetParam(1))) {
$this->Message_AddNotice($this->Lang_Get('page_admin_action_delete_ok'));
} else {
@ -166,7 +167,7 @@ class ActionPage extends Action {
if (!$this->CheckPageFields()) {
return ;
}
$this->Security_ValidateSendForm();
if ($oPageEdit->getId()==getRequest('page_pid')) {
$this->Message_AddError($this->Lang_Get('system_error'));
return;
@ -213,6 +214,7 @@ class ActionPage extends Action {
if (!$this->CheckPageFields()) {
return ;
}
$this->Security_ValidateSendForm();
/**
* Заполняем свойства
*/

6
classes/actions/ActionQuestion.class.php
View file

@ -221,7 +221,8 @@ class ActionQuestion extends Action {
*/
if (!isset($_REQUEST['submit_topic_publish']) and !isset($_REQUEST['submit_topic_save'])) {
return false;
}
}
$this->Security_ValidateSendForm();
/**
* Проверка корректности полей формы
*/
@ -357,7 +358,8 @@ class ActionQuestion extends Action {
*/
if (!$this->checkTopicFields($oTopic)) {
return false;
}
}
$this->Security_ValidateSendForm();
/**
* Определяем в какой блог делаем запись
*/

4
classes/actions/ActionRegistration.class.php
View file

@ -71,6 +71,7 @@ class ActionRegistration extends Action {
* Если нажали кнопку "Зарегистрироваться"
*/
if (isset($_REQUEST['submit_register'])) {
$this->Security_ValidateSendForm();
//Проверяем входные данные
$bError=false;
/**
@ -249,7 +250,8 @@ class ActionRegistration extends Action {
return parent::EventNotFound();
}
if (isset($_REQUEST['submit_invite'])) {
if (isset($_REQUEST['submit_invite'])) {
$this->Security_ValidateSendForm();
/**
* проверяем код приглашения на валидность
*/

9
classes/actions/ActionSettings.class.php
View file

@ -78,7 +78,8 @@ class ActionSettings extends Action {
$this->Viewer_AddHtmlTitle($this->Lang_Get('settings_menu_tuning'));
if (isset($_REQUEST['submit_settings_tuning'])) {
if (isset($_REQUEST['submit_settings_tuning'])) {
$this->Security_ValidateSendForm();
$this->oUserCurrent->setSettingsNoticeNewTopic( getRequest('settings_notice_new_topic') ? 1 : 0 );
$this->oUserCurrent->setSettingsNoticeNewComment( getRequest('settings_notice_new_comment') ? 1 : 0 );
$this->oUserCurrent->setSettingsNoticeNewTalk( getRequest('settings_notice_new_talk') ? 1 : 0 );
@ -108,6 +109,7 @@ class ActionSettings extends Action {
$this->Viewer_AddHtmlTitle($this->Lang_Get('settings_menu_invite'));
if (isset($_REQUEST['submit_invite'])) {
$this->Security_ValidateSendForm();
$bError=false;
if (!$this->ACL_CanSendInvite($this->oUserCurrent) and !$this->oUserCurrent->isAdministrator()) {
$this->Message_AddError($this->Lang_Get('settings_invite_available_no'),$this->Lang_Get('error'));
@ -138,6 +140,7 @@ class ActionSettings extends Action {
* Если нажали кнопку "Сохранить"
*/
if (isset($_REQUEST['submit_profile_edit'])) {
$this->Security_ValidateSendForm();
$bError=false;
/**
* Заполняем профиль из полей формы
@ -263,7 +266,7 @@ class ActionSettings extends Action {
/**
* Загрузка аватара, делаем ресайзы
*/
if (is_uploaded_file($_FILES['avatar']['tmp_name'])) {
if (isset($_FILES['avatar']) and is_uploaded_file($_FILES['avatar']['tmp_name'])) {
$sFileTmp=$_FILES['avatar']['tmp_name'];
if ($sFileAvatar=func_img_resize($sFileTmp,DIR_UPLOADS_IMAGES.'/'.$this->oUserCurrent->getId(),'avatar_100x100',3000,3000,100,100)) {
func_img_resize($sFileTmp,DIR_UPLOADS_IMAGES.'/'.$this->oUserCurrent->getId(),'avatar_64x64',3000,3000,64,64);
@ -292,7 +295,7 @@ class ActionSettings extends Action {
/**
* Загрузка фото, делаем ресайзы
*/
if (is_uploaded_file($_FILES['foto']['tmp_name'])) {
if (isset($_FILES['foto']) and is_uploaded_file($_FILES['foto']['tmp_name'])) {
$sDirUpload=DIR_UPLOADS_IMAGES.'/'.func_generator(1).'/'.func_generator(1).'/'.func_generator(1).'/'.func_generator(1).'/'.$this->oUserCurrent->getId();
$sFileTmp=$_FILES['foto']['tmp_name'];
if ($sFileFoto=func_img_resize($sFileTmp,$sDirUpload,func_generator(6),3000,3000,250)) {

10
classes/actions/ActionTalk.class.php
View file

@ -67,7 +67,8 @@ class ActionTalk extends Action {
**********************************************************************************
*/
protected function EventDelete() {
protected function EventDelete() {
$this->Security_ValidateSendForm();
/**
* Получаем номер сообщения из УРЛ и проверяем существует ли оно
*/
@ -93,6 +94,7 @@ class ActionTalk extends Action {
* Обработка удаления сообщений
*/
if (isset($_REQUEST['submit_talk_del'])) {
$this->Security_ValidateSendForm();
$aTalksIdDel=getRequest('talk_del');
if (is_array($aTalksIdDel)) {
foreach ($aTalksIdDel as $sTalkId => $value) {
@ -116,7 +118,8 @@ class ActionTalk extends Action {
*/
if (!isset($_REQUEST['submit_talk_add'])) {
return false;
}
}
$this->Security_ValidateSendForm();
/**
* Проверка корректности полей формы
*/
@ -226,7 +229,8 @@ class ActionTalk extends Action {
/**
* Если нажали кнопку "Отправить"
*/
if (isset($_REQUEST['submit_comment'])) {
if (isset($_REQUEST['submit_comment'])) {
$this->Security_ValidateSendForm();
/**
* Проверяем текст комментария
*/

9
classes/actions/ActionTopic.class.php
View file

@ -171,7 +171,8 @@ class ActionTopic extends Action {
*
* @return unknown
*/
protected function EventDelete() {
protected function EventDelete() {
$this->Security_ValidateSendForm();
/**
* Получаем номер топика из УРЛ и проверяем существует ли он
*/
@ -323,7 +324,8 @@ class ActionTopic extends Action {
*/
if (!isset($_REQUEST['submit_topic_publish']) and !isset($_REQUEST['submit_topic_save'])) {
return false;
}
}
$this->Security_ValidateSendForm();
/**
* Проверка корректности полей формы
*/
@ -473,7 +475,8 @@ class ActionTopic extends Action {
*/
if (!$this->checkTopicFields()) {
return false;
}
}
$this->Security_ValidateSendForm();
/**
* Определяем в какой блог делаем запись
*/

49
classes/modules/sys_security/Security.class.php Normal file
View file

@ -0,0 +1,49 @@
<?php
/*-------------------------------------------------------
*
* LiveStreet Engine Social Networking
* Copyright © 2008 Mzhelskiy Maxim
*
*--------------------------------------------------------
*
* Official site: www.livestreet.ru
* Contact e-mail: rus.engine@gmail.com
*
* GNU General Public License, version 2:
* http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
*
---------------------------------------------------------
*/
/**
* Модуль безопасности
*
*/
class LsSecurity extends Module {
/**
* Инициализируем модуль
*
*/
public function Init() {
}
public function ValidateSendForm() {
if (!($this->ValidateReferal() && 1)) {
die("Hacking attemp!");
}
}
public function ValidateReferal() {
if (isset($_SERVER['HTTP_REFERER'])) {
$aUrl=parse_url($_SERVER['HTTP_REFERER']);
if ($aUrl['host']==$_SERVER['HTTP_HOST']) {
return true;
}
}
return false;
}
}
?>

1
config/config.ajax.php
View file

@ -27,4 +27,5 @@ require_once(DIR_SERVER_ROOT."/classes/lib/external/JsHttpRequest/JsHttpRequest.
$JsHttpRequest = new JsHttpRequest("UTF-8");
$oEngine=Engine::getInstance();
$oEngine->InitModules();
$oEngine->Security_ValidateSendForm();
?>

2
index.php
View file

@ -16,7 +16,7 @@
*/
error_reporting(E_ALL);
ini_set('display_errors', 1);
define('LS_VERSION','0.3');
define('LS_VERSION','0.3.1');
define('SYS_HACKER_CONSOLE',false);
header('Content-Type: text/html; charset=utf-8');