Mibew/mibew
1
0
Fork 0
mirror of https://github.com/Mibew/mibew.git synced 2025-04-28 17:16:41 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Do not use IDs from form fields

Browse Source
This commit is contained in:
Dmitriy Simushev 2014-05-23 11:19:53 +00:00
parent 9527ef632f
commit 36b817ac58
12 changed files with 7 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/mibew/libs/classes/Mibew/Controller/CannedMessageController.php
View File

@ -145,7 +145,7 @@ class CannedMessageController extends AbstractController
set_csrf_token(); set_csrf_token();
$operator = $request->attributes->get('_operator'); $operator = $request->attributes->get('_operator');
$message_id = $request->attributes->getInt('message_id', false); $message_id = $request->attributes->getInt('message_id');
$page = array( $page = array(
// Use errors list stored in the request. We need to do so to have // Use errors list stored in the request. We need to do so to have
// an ability to pass the request from the "submitEditForm" action. // an ability to pass the request from the "submitEditForm" action.
@ -205,15 +205,9 @@ class CannedMessageController extends AbstractController
csrf_check_token($request); csrf_check_token($request);
$operator = $request->attributes->get('_operator'); $operator = $request->attributes->get('_operator');
$message_id = $request->attributes->getInt('message_id');
$errors = array(); $errors = array();
// Use value from the form and not from the path to make sure it is
// correct. If not, treat the param as empty one.
$message_id = $request->request->get('key');
if (!preg_match("/^(\d{1,10})?$/", $message_id)) {
$message_id = false;
}
$title = $request->request->get('title'); $title = $request->request->get('title');
if (!$title) { if (!$title) {
$errors[] = no_field("form.field.title"); $errors[] = no_field("form.field.title");

9
src/mibew/libs/classes/Mibew/Controller/Group/SettingsController.php
View File

@ -38,7 +38,7 @@ class SettingsController extends AbstractController
set_csrf_token(); set_csrf_token();
$operator = $request->attributes->get('_operator'); $operator = $request->attributes->get('_operator');
$group_id = $request->attributes->getInt('group_id', false); $group_id = $request->attributes->getInt('group_id');
$page = array( $page = array(
'gid' => false, 'gid' => false,
@ -110,12 +110,7 @@ class SettingsController extends AbstractController
$errors = array(); $errors = array();
// Use value from the form and not from the path to make sure it is $group_id = $request->attributes->get('group_id', false);
// correct. If not, treat the param as empty one.
$group_id = $request->request->get('gid', false);
if (!preg_match("/^\d{1,10}$/", $group_id)) {
$group_id = false;
}
$parent_group = $request->request->get('parentgroup'); $parent_group = $request->request->get('parentgroup');
if (!$parent_group || !preg_match("/^\d{1,10}$/", $parent_group)) { if (!$parent_group || !preg_match("/^\d{1,10}$/", $parent_group)) {

11
src/mibew/libs/classes/Mibew/Controller/Operator/GroupsController.php
View File

@ -17,7 +17,6 @@
namespace Mibew\Controller\Operator; namespace Mibew\Controller\Operator;
use Mibew\Http\Exception\BadRequestException;
use Mibew\Http\Exception\NotFoundException; use Mibew\Http\Exception\NotFoundException;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
@ -100,8 +99,6 @@ class GroupsController extends AbstractController
* @return string Rendered page content. * @return string Rendered page content.
* @throws NotFoundException If the operator with specified ID is not found * @throws NotFoundException If the operator with specified ID is not found
* in the system. * in the system.
* @throws BadRequestException If the "op" field of the form is in wrong
* format.
*/ */
public function submitFormAction(Request $request) public function submitFormAction(Request $request)
{ {
@ -109,13 +106,7 @@ class GroupsController extends AbstractController
$operator = $request->attributes->get('_operator'); $operator = $request->attributes->get('_operator');
$operator_in_isolation = in_isolation($operator); $operator_in_isolation = in_isolation($operator);
$op_id = $request->attributes->getInt('operator_id');
// Use value from the form and not from the path to make sure it is
// correct. If not, throw an exception.
$op_id = $request->request->get('op');
if (!preg_match("/^\d{1,10}$/", $op_id)) {
throw new BadRequestException('Wrong value of "op" form field.');
}
// Check if the target operator exists // Check if the target operator exists
$op = operator_by_id($op_id); $op = operator_by_id($op_id);

11
src/mibew/libs/classes/Mibew/Controller/Operator/PermissionsController.php
View File

@ -17,7 +17,6 @@
namespace Mibew\Controller\Operator; namespace Mibew\Controller\Operator;
use Mibew\Http\Exception\BadRequestException;
use Mibew\Http\Exception\NotFoundException; use Mibew\Http\Exception\NotFoundException;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
@ -90,21 +89,13 @@ class PermissionsController extends AbstractController
* @return string Rendered page content. * @return string Rendered page content.
* @throws NotFoundException If the operator with specified ID is not found * @throws NotFoundException If the operator with specified ID is not found
* in the system. * in the system.
* @throws BadRequestException If the "op" field of the form is in wrong
* format.
*/ */
public function submitFormAction(Request $request) public function submitFormAction(Request $request)
{ {
csrf_check_token($request); csrf_check_token($request);
$operator = $request->attributes->get('_operator'); $operator = $request->attributes->get('_operator');
$op_id = $request->attributes->getInt('operator_id');
// Use value from the form and not from the path to make sure it is
// correct. If not, throw an exception.
$op_id = $request->request->get('op');
if (!preg_match("/^\d{1,10}$/", $op_id)) {
throw new BadRequestException('Wrong value of "op" form field.');
}
// Check if the target operator exists // Check if the target operator exists
$op = operator_by_id($op_id); $op = operator_by_id($op_id);

4
src/mibew/libs/classes/Mibew/Controller/Operator/ProfileController.php
View File

@ -117,9 +117,7 @@ class ProfileController extends AbstractController
$errors = array(); $errors = array();
$operator = $request->attributes->get('_operator'); $operator = $request->attributes->get('_operator');
// Use value from the form and not from the path to make sure it is $op_id = $request->attributes->getInt('operator_id');
// correct. If not, treat the param as empty one.
$op_id = $request->request->getInt('opid', false);
if (is_capable(CAN_ADMINISTRATE, $operator)) { if (is_capable(CAN_ADMINISTRATE, $operator)) {
$login = $request->request->get('login'); $login = $request->request->get('login');

1
src/mibew/styles/pages/default/templates_src/server_side/canned_message_edit.handlebars
View File

@ -22,7 +22,6 @@
<form name="cannedForm" method="post" action="{{formaction}}"> <form name="cannedForm" method="post" action="{{formaction}}">
{{csrfTokenInput}} {{csrfTokenInput}}
<input type="hidden" name="key" value="{{key}}"/>
{{#unless key}} {{#unless key}}
<input type="hidden" name="lang" value="{{locale}}"/> <input type="hidden" name="lang" value="{{locale}}"/>

1
src/mibew/styles/pages/default/templates_src/server_side/group_edit.handlebars
View File

@ -24,7 +24,6 @@
<form name="groupForm" method="post" action="{{formaction}}"> <form name="groupForm" method="post" action="{{formaction}}">
{{csrfTokenInput}} {{csrfTokenInput}}
<input type="hidden" name="gid" value="{{grid}}"/>
<div> <div>
{{> _tabs}} {{> _tabs}}

1
src/mibew/styles/pages/default/templates_src/server_side/group_members.handlebars
View File

@ -15,7 +15,6 @@
<form name="membersForm" method="post" action="{{mibewRoot}}/operator/group/{{groupid}}/members"> <form name="membersForm" method="post" action="{{mibewRoot}}/operator/group/{{groupid}}/members">
{{csrfTokenInput}} {{csrfTokenInput}}
<input type="hidden" name="gid" value="{{groupid}}"/>
<div> <div>
{{> _tabs}} {{> _tabs}}

1
src/mibew/styles/pages/default/templates_src/server_side/operator_avatar.handlebars
View File

@ -11,7 +11,6 @@
<form name="avatarForm" method="post" action="{{mibewRoot}}/operator/operator/{{opid}}/avatar" enctype="multipart/form-data"> <form name="avatarForm" method="post" action="{{mibewRoot}}/operator/operator/{{opid}}/avatar" enctype="multipart/form-data">
{{csrfTokenInput}} {{csrfTokenInput}}
<input type="hidden" name="op" value="{{opid}}"/>
<div> <div>
{{> _tabs}} {{> _tabs}}

1
src/mibew/styles/pages/default/templates_src/server_side/operator_edit.handlebars
View File

@ -25,7 +25,6 @@
{{#ifAny opid canmodify}} {{#ifAny opid canmodify}}
<form name="agentForm" method="post" action="{{formaction}}"> <form name="agentForm" method="post" action="{{formaction}}">
{{csrfTokenInput}} {{csrfTokenInput}}
<input type="hidden" name="opid" value="{{opid}}"/>
<div> <div>
{{#unless needChangePassword}}{{> _tabs}}{{/unless}} {{#unless needChangePassword}}{{> _tabs}}{{/unless}}

1
src/mibew/styles/pages/default/templates_src/server_side/operator_groups.handlebars
View File

@ -15,7 +15,6 @@
<form name="opgroupsForm" method="post" action="{{mibewRoot}}/operator/operator/{{opid}}/groups"> <form name="opgroupsForm" method="post" action="{{mibewRoot}}/operator/operator/{{opid}}/groups">
{{csrfTokenInput}} {{csrfTokenInput}}
<input type="hidden" name="op" value="{{opid}}"/>
<div> <div>
{{> _tabs}} {{> _tabs}}

1
src/mibew/styles/pages/default/templates_src/server_side/operator_permissions.handlebars
View File

@ -15,7 +15,6 @@
<form name="permissionsForm" method="post" action="{{mibewRoot}}/operator/operator/{{opid}}/permissions"> <form name="permissionsForm" method="post" action="{{mibewRoot}}/operator/operator/{{opid}}/permissions">
{{csrfTokenInput}} {{csrfTokenInput}}
<input type="hidden" name="op" value="{{opid}}"/>
<div> <div>
{{> _tabs}} {{> _tabs}}