fix безопасности при отправки форм by Hrom
This commit is contained in:
parent
0d46747cad
commit
f867ab5a13
|
@ -171,7 +171,8 @@ class ActionBlog extends Action {
|
|||
*/
|
||||
if (!$this->checkBlogFields()) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Если всё ок то пытаемся создать блог
|
||||
*/
|
||||
|
@ -192,7 +193,7 @@ class ActionBlog extends Action {
|
|||
/**
|
||||
* Загрузка аватара, делаем ресайзы
|
||||
*/
|
||||
if (is_uploaded_file($_FILES['avatar']['tmp_name'])) {
|
||||
if (isset($_FILES['avatar']) and is_uploaded_file($_FILES['avatar']['tmp_name'])) {
|
||||
$sFileTmp=$_FILES['avatar']['tmp_name'];
|
||||
if ($sFileAvatar=func_img_resize($sFileTmp,DIR_UPLOADS_IMAGES.'/'.$oBlog->getOwnerId(),"avatar_blog_{$oBlog->getUrl()}_48x48",3000,3000,48,48)) {
|
||||
func_img_resize($sFileTmp,DIR_UPLOADS_IMAGES.'/'.$oBlog->getOwnerId(),"avatar_blog_{$oBlog->getUrl()}_24x24",3000,3000,24,24);
|
||||
|
@ -271,6 +272,7 @@ class ActionBlog extends Action {
|
|||
* Если нажали кнопку "Сохранить"
|
||||
*/
|
||||
if (isset($_REQUEST['submit_blog_add'])) {
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Запускаем проверку корректности ввода полей при редактировании блога
|
||||
*/
|
||||
|
@ -289,7 +291,7 @@ class ActionBlog extends Action {
|
|||
/**
|
||||
* Загрузка аватара, делаем ресайзы
|
||||
*/
|
||||
if (is_uploaded_file($_FILES['avatar']['tmp_name'])) {
|
||||
if (isset($_FILES['avatar']) and is_uploaded_file($_FILES['avatar']['tmp_name'])) {
|
||||
$sFileTmp=$_FILES['avatar']['tmp_name'];
|
||||
if ($sFileAvatar=func_img_resize($sFileTmp,DIR_UPLOADS_IMAGES.'/'.$oBlog->getOwnerId(),"avatar_blog_{$oBlog->getUrl()}_48x48",3000,3000,48,48)) {
|
||||
func_img_resize($sFileTmp,DIR_UPLOADS_IMAGES.'/'.$oBlog->getOwnerId(),"avatar_blog_{$oBlog->getUrl()}_24x24",3000,3000,24,24);
|
||||
|
@ -372,6 +374,7 @@ class ActionBlog extends Action {
|
|||
* Обрабатываем сохранение формы
|
||||
*/
|
||||
if (isset($_REQUEST['submit_blog_admin'])) {
|
||||
$this->Security_ValidateSendForm();
|
||||
$aUserRank=getRequest('user_rank',array());
|
||||
if (!is_array($aUserRank)) {
|
||||
$aUserRank=array();
|
||||
|
@ -1131,6 +1134,7 @@ class ActionBlog extends Action {
|
|||
* Если нажали кнопку "Отправить"
|
||||
*/
|
||||
if (isset($_REQUEST['submit_comment'])) {
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Проверяем авторизованл ли пользователь
|
||||
*/
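Review bot: The avatar guard in both `Загрузка аватара` hunks, `isset($_FILES['avatar']) and is_uploaded_file($_FILES['avatar']['tmp_name'])`, only proves the outer key exists; if a client submits the field as `avatar[]`, `tmp_name` is an array and both `is_uploaded_file()` and the following `func_img_resize($sFileTmp, …)` receive an array instead of a path. Tighten it to `if (isset($_FILES['avatar']['tmp_name']) && is_string($_FILES['avatar']['tmp_name']) && $_FILES['avatar']['error'] === UPLOAD_ERR_OK && is_uploaded_file($_FILES['avatar']['tmp_name'])) {` so failed or partial uploads are rejected explicitly rather than by relying on `is_uploaded_file('')` returning false. The enclosing event methods start and end outside these hunks, so any earlier normalisation of `$_FILES` is not visible here.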
|
||||
|
|
|
@ -254,7 +254,8 @@ class ActionLink extends Action {
|
|||
*/
|
||||
if (!isset($_REQUEST['submit_topic_publish']) and !isset($_REQUEST['submit_topic_save'])) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Проверка корректности полей формы
|
||||
*/
|
||||
|
@ -384,7 +385,8 @@ class ActionLink extends Action {
|
|||
*/
|
||||
if (!$this->checkTopicFields()) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Определяем в какой блог делаем запись
|
||||
*/
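Review bot: In the `-384` hunk the origin check `$this->Security_ValidateSendForm();` runs only after `checkTopicFields()` has already consumed the submitted fields, so a forged request is validated and may emit field-error messages before it is rejected. Put the origin check as the first statement of the submit branch, ahead of `checkTopicFields()`, so no request-derived work happens for a request that fails it. The enclosing method begins outside this hunk, so whether anything else reads the request before this point cannot be seen here.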
|
||||
|
|
|
@ -46,6 +46,7 @@ class ActionLogin extends Action {
|
|||
* Если нажали кнопку "Войти"
|
||||
*/
|
||||
if (isset($_REQUEST['submit_login'])) {
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Проверяем есть ли такой юзер по логину
|
||||
*/
|
||||
|
@ -80,6 +81,7 @@ class ActionLogin extends Action {
|
|||
*
|
||||
*/
|
||||
protected function EventExit() {
|
||||
$this->Security_ValidateSendForm();
|
||||
$this->User_Logout();
|
||||
$this->Viewer_Assign('bRefreshToHome',true);
|
||||
}
|
||||
|
@ -120,6 +122,7 @@ class ActionLogin extends Action {
|
|||
* Обрабатываем запрос на смену пароля
|
||||
*/
|
||||
if (isset($_REQUEST['submit_reminder'])) {
|
||||
$this->Security_ValidateSendForm();
|
||||
if ((func_check(getRequest('mail'),'mail') and $oUser=$this->User_GetUserByMail(getRequest('mail')))) {
|
||||
/**
|
||||
* Формируем и отправляем ссылку на смену пароля
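Review bot: `EventExit()` gains only the Referer test and nothing in the hunk restricts the request method, so a logout is presumably still reachable by a plain same-origin navigation (a link or image URL in user-posted content), which a Referer host match accepts by construction. The `submit_login` and `submit_reminder` branches read `$_REQUEST`, so they likewise accept a GET query string; require POST for all three paths, e.g. `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { return parent::EventNotFound(); }` at the top of each branch, and bind the form to a session token rather than to the Referer alone. `parent::EventNotFound()` is used in ActionRegistration in this commit, so it presumably exists on `Action`; confirm before relying on it here.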
|
||||
|
|
|
@ -138,6 +138,7 @@ class ActionPage extends Action {
|
|||
* Замечание: если используется тип таблиц MyISAM, а InnoDB то возможно некорректное удаление вложенных страниц
|
||||
*/
|
||||
if ($this->GetParam(0)=='delete') {
|
||||
$this->Security_ValidateSendForm();
|
||||
if ($this->Page_deletePageById($this->GetParam(1))) {
|
||||
$this->Message_AddNotice($this->Lang_Get('page_admin_action_delete_ok'));
|
||||
} else {
|
||||
|
@ -166,7 +167,7 @@ class ActionPage extends Action {
|
|||
if (!$this->CheckPageFields()) {
|
||||
return ;
|
||||
}
|
||||
|
||||
$this->Security_ValidateSendForm();
|
||||
if ($oPageEdit->getId()==getRequest('page_pid')) {
|
||||
$this->Message_AddError($this->Lang_Get('system_error'));
|
||||
return;
|
||||
|
@ -213,6 +214,7 @@ class ActionPage extends Action {
|
|||
if (!$this->CheckPageFields()) {
|
||||
return ;
|
||||
}
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Заполняем свойства
|
||||
*/
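Review bot: The `delete` branch is selected purely by URL parameters (`GetParam(0)=='delete'`, `GetParam(1)` as the id), so `Page_deletePageById()` is a GET-triggered destructive action and the added Referer check is satisfied by any same-origin link or image pointing at that URL. Require POST plus a session-bound token for the delete, keeping the Referer match as defence in depth only, e.g. `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { $this->Message_AddError($this->Lang_Get('system_error')); return; }` before the check. In the `-166` hunk the origin check also runs after `CheckPageFields()`; move it ahead of the field validation so forged requests are rejected before any request-derived work. The enclosing methods begin outside these hunks.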
|
||||
|
|
|
@ -221,7 +221,8 @@ class ActionQuestion extends Action {
|
|||
*/
|
||||
if (!isset($_REQUEST['submit_topic_publish']) and !isset($_REQUEST['submit_topic_save'])) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Проверка корректности полей формы
|
||||
*/
|
||||
|
@ -357,7 +358,8 @@ class ActionQuestion extends Action {
|
|||
*/
|
||||
if (!$this->checkTopicFields($oTopic)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Определяем в какой блог делаем запись
|
||||
*/
|
||||
|
|
|
@ -71,6 +71,7 @@ class ActionRegistration extends Action {
|
|||
* Если нажали кнопку "Зарегистрироваться"
|
||||
*/
|
||||
if (isset($_REQUEST['submit_register'])) {
|
||||
$this->Security_ValidateSendForm();
|
||||
//Проверяем входные данные
|
||||
$bError=false;
|
||||
/**
|
||||
|
@ -249,7 +250,8 @@ class ActionRegistration extends Action {
|
|||
return parent::EventNotFound();
|
||||
}
|
||||
|
||||
if (isset($_REQUEST['submit_invite'])) {
|
||||
if (isset($_REQUEST['submit_invite'])) {
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* проверяем код приглашения на валидность
|
||||
*/
|
||||
|
|
|
@ -78,7 +78,8 @@ class ActionSettings extends Action {
|
|||
|
||||
$this->Viewer_AddHtmlTitle($this->Lang_Get('settings_menu_tuning'));
|
||||
|
||||
if (isset($_REQUEST['submit_settings_tuning'])) {
|
||||
if (isset($_REQUEST['submit_settings_tuning'])) {
|
||||
$this->Security_ValidateSendForm();
|
||||
$this->oUserCurrent->setSettingsNoticeNewTopic( getRequest('settings_notice_new_topic') ? 1 : 0 );
|
||||
$this->oUserCurrent->setSettingsNoticeNewComment( getRequest('settings_notice_new_comment') ? 1 : 0 );
|
||||
$this->oUserCurrent->setSettingsNoticeNewTalk( getRequest('settings_notice_new_talk') ? 1 : 0 );
|
||||
|
@ -108,6 +109,7 @@ class ActionSettings extends Action {
|
|||
$this->Viewer_AddHtmlTitle($this->Lang_Get('settings_menu_invite'));
|
||||
|
||||
if (isset($_REQUEST['submit_invite'])) {
|
||||
$this->Security_ValidateSendForm();
|
||||
$bError=false;
|
||||
if (!$this->ACL_CanSendInvite($this->oUserCurrent) and !$this->oUserCurrent->isAdministrator()) {
|
||||
$this->Message_AddError($this->Lang_Get('settings_invite_available_no'),$this->Lang_Get('error'));
|
||||
|
@ -138,6 +140,7 @@ class ActionSettings extends Action {
|
|||
* Если нажали кнопку "Сохранить"
|
||||
*/
|
||||
if (isset($_REQUEST['submit_profile_edit'])) {
|
||||
$this->Security_ValidateSendForm();
|
||||
$bError=false;
|
||||
/**
|
||||
* Заполняем профиль из полей формы
|
||||
|
@ -263,7 +266,7 @@ class ActionSettings extends Action {
|
|||
/**
|
||||
* Загрузка аватара, делаем ресайзы
|
||||
*/
|
||||
if (is_uploaded_file($_FILES['avatar']['tmp_name'])) {
|
||||
if (isset($_FILES['avatar']) and is_uploaded_file($_FILES['avatar']['tmp_name'])) {
|
||||
$sFileTmp=$_FILES['avatar']['tmp_name'];
|
||||
if ($sFileAvatar=func_img_resize($sFileTmp,DIR_UPLOADS_IMAGES.'/'.$this->oUserCurrent->getId(),'avatar_100x100',3000,3000,100,100)) {
|
||||
func_img_resize($sFileTmp,DIR_UPLOADS_IMAGES.'/'.$this->oUserCurrent->getId(),'avatar_64x64',3000,3000,64,64);
|
||||
|
@ -292,7 +295,7 @@ class ActionSettings extends Action {
|
|||
/**
|
||||
* Загрузка фото, делаем ресайзы
|
||||
*/
|
||||
if (is_uploaded_file($_FILES['foto']['tmp_name'])) {
|
||||
if (isset($_FILES['foto']) and is_uploaded_file($_FILES['foto']['tmp_name'])) {
|
||||
$sDirUpload=DIR_UPLOADS_IMAGES.'/'.func_generator(1).'/'.func_generator(1).'/'.func_generator(1).'/'.func_generator(1).'/'.$this->oUserCurrent->getId();
|
||||
$sFileTmp=$_FILES['foto']['tmp_name'];
|
||||
if ($sFileFoto=func_img_resize($sFileTmp,$sDirUpload,func_generator(6),3000,3000,250)) {
|
||||
|
|
|
@ -67,7 +67,8 @@ class ActionTalk extends Action {
|
|||
**********************************************************************************
|
||||
*/
|
||||
|
||||
protected function EventDelete() {
|
||||
protected function EventDelete() {
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Получаем номер сообщения из УРЛ и проверяем существует ли оно
|
||||
*/
|
||||
|
@ -93,6 +94,7 @@ class ActionTalk extends Action {
|
|||
* Обработка удаления сообщений
|
||||
*/
|
||||
if (isset($_REQUEST['submit_talk_del'])) {
|
||||
$this->Security_ValidateSendForm();
|
||||
$aTalksIdDel=getRequest('talk_del');
|
||||
if (is_array($aTalksIdDel)) {
|
||||
foreach ($aTalksIdDel as $sTalkId => $value) {
|
||||
|
@ -116,7 +118,8 @@ class ActionTalk extends Action {
|
|||
*/
|
||||
if (!isset($_REQUEST['submit_talk_add'])) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Проверка корректности полей формы
|
||||
*/
|
||||
|
@ -226,7 +229,8 @@ class ActionTalk extends Action {
|
|||
/**
|
||||
* Если нажали кнопку "Отправить"
|
||||
*/
|
||||
if (isset($_REQUEST['submit_comment'])) {
|
||||
if (isset($_REQUEST['submit_comment'])) {
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Проверяем текст комментария
|
||||
*/
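Review bot: `EventDelete()` identifies the message from the URL (per the comment that follows the added call) and the hunk adds no method or token check, so deletion remains reachable by a plain same-origin GET that the Referer test accepts. The bulk `submit_talk_del` branch takes its ids from `getRequest('talk_del')`, which in this codebase also reads GET parameters; both paths should require `$_SERVER['REQUEST_METHOD'] === 'POST'` and a session-bound token, with the Referer match as a secondary signal only. The method bodies continue past these hunks.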
|
||||
|
|
|
@ -171,7 +171,8 @@ class ActionTopic extends Action {
|
|||
*
|
||||
* @return unknown
|
||||
*/
|
||||
protected function EventDelete() {
|
||||
protected function EventDelete() {
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Получаем номер топика из УРЛ и проверяем существует ли он
|
||||
*/
|
||||
|
@ -323,7 +324,8 @@ class ActionTopic extends Action {
|
|||
*/
|
||||
if (!isset($_REQUEST['submit_topic_publish']) and !isset($_REQUEST['submit_topic_save'])) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Проверка корректности полей формы
|
||||
*/
|
||||
|
@ -473,7 +475,8 @@ class ActionTopic extends Action {
|
|||
*/
|
||||
if (!$this->checkTopicFields()) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Определяем в какой блог делаем запись
|
||||
*/
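Review bot: `EventDelete()` reads the topic id from the URL and the only protection added is the Referer host match, which a same-origin link or image URL passes by construction, so the delete is still triggerable without the user's intent. Gate it on the request method and a session token, e.g. `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { return parent::EventNotFound(); }` before the check; `parent::EventNotFound()` appears in ActionRegistration in this commit, so it presumably exists on `Action`. The method body continues outside the hunk.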
|
||||
|
|
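--- /dev/null
+++ b/classes/modules/sys_security/Security.class.php
@@ -0,0 +1,49 @@
+<?php
+/*-------------------------------------------------------
+*
+* LiveStreet Engine Social Networking
+* Copyright © 2008 Mzhelskiy Maxim
+*
+*--------------------------------------------------------
+*
+* Official site: www.livestreet.ru
+* Contact e-mail: rus.engine@gmail.com
+*
+* GNU General Public License, version 2:
+* http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+*
+---------------------------------------------------------
+*/
+
+/**
+* Модуль безопасности
+*
+*/
+class LsSecurity extends Module {
+
+/**
+* Инициализируем модуль
+*
+*/
+public function Init() {
+
+}
+
+
+public function ValidateSendForm() {
+if (!($this->ValidateReferal() && 1)) {
+die("Hacking attemp!");
+}
+}
+
+public function ValidateReferal() {
+if (isset($_SERVER['HTTP_REFERER'])) {
+$aUrl=parse_url($_SERVER['HTTP_REFERER']);
+if ($aUrl['host']==$_SERVER['HTTP_HOST']) {
+return true;
+}
+}
+return false;
+}
+}
+?>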
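Review bot: `ValidateReferal()` makes the Referer host the only proof that a form came from this site, but that header is routinely absent for legitimate users (privacy settings, referrer policies, HTTPS-to-HTTP navigation), so `ValidateSendForm()` will `die()` on honest submissions while still passing any request that is same-origin by construction, such as a link or image URL that reaches a GET handler. The comparison itself is fragile: `$_SERVER['HTTP_HOST']` may carry a port that `parse_url()`'s `host` component never includes, an empty Referer passes `isset()` and then reads an undefined `host` index, `parse_url()` can return `false`, and `==` is a loose compare. Smaller nits: the `&& 1` in `ValidateSendForm()` is a no-op, the message misspells "attempt", and `die()` answers with HTTP 200. The sketch below adds a session-bound synchronizer token compared in constant time and demotes the Referer match to a secondary signal; it assumes `$_SESSION` (or whatever session store the engine uses), the `getRequest()` helper seen elsewhere in this commit, templates that embed `GetSecurityKey()` as a hidden field, and `hash_equals()`/`random_bytes()`, which on a pre-5.6/7.0 runtime need constant-time and CSPRNG substitutes.
```php
class LsSecurity extends Module {
    // … unchanged: Init() …

    const TOKEN_KEY = 'security_ls_key';

    /**
     * Returns the per-session anti-CSRF token, creating it on first use.
     * Templates must embed it in every state-changing form as a hidden field.
     */
    public function GetSecurityKey() {
        if (empty($_SESSION[self::TOKEN_KEY])) {
            $_SESSION[self::TOKEN_KEY] = bin2hex(random_bytes(16));
        }
        return $_SESSION[self::TOKEN_KEY];
    }

    /**
     * Rejects a state-changing request that does not carry the session token
     * or whose Referer names a different host. Answers 403, not 200.
     */
    public function ValidateSendForm() {
        $sSent = getRequest(self::TOKEN_KEY);
        $bTokenOk = is_string($sSent)
            && isset($_SESSION[self::TOKEN_KEY])
            && hash_equals($_SESSION[self::TOKEN_KEY], $sSent);
        if (!$bTokenOk || !$this->ValidateReferal()) {
            header('HTTP/1.0 403 Forbidden');
            die("Hacking attempt!");
        }
    }

    /**
     * True when the Referer host matches the request host (port ignored).
     * A missing Referer is accepted: the token above is the primary control,
     * and absence of the header is not evidence of forgery.
     */
    public function ValidateReferal() {
        if (empty($_SERVER['HTTP_REFERER'])) {
            return true;
        }
        $sRefHost = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
        $sReqHost = parse_url('http://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST);
        return is_string($sRefHost) && is_string($sReqHost)
            && strcasecmp($sRefHost, $sReqHost) === 0;
    }
}
```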
|
|
@ -27,4 +27,5 @@ require_once(DIR_SERVER_ROOT."/classes/lib/external/JsHttpRequest/JsHttpRequest.
|
|||
$JsHttpRequest = new JsHttpRequest("UTF-8");
|
||||
$oEngine=Engine::getInstance();
|
||||
$oEngine->InitModules();
|
||||
$oEngine->Security_ValidateSendForm();
|
||||
?>
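Review bot: Calling `$oEngine->Security_ValidateSendForm()` unconditionally in this entry script applies the Referer test to every AJAX request served here, read-only ones included, and on failure the module `die()`s with a plain-text body and a 200 status into a response that the `JsHttpRequest` client presumably expects in its own JSON format. Limit the check to state-changing requests, e.g. `if ($_SERVER['REQUEST_METHOD'] === 'POST') { $oEngine->Security_ValidateSendForm(); }`, and have the module answer with a 403 and an error payload in the client's format rather than terminating mid-response. `InitModules()` on the preceding line means the module is initialised when called, but the handlers that actually consume the request are not visible in this hunk.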
|