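--- a/x2engine/protected/components/X2WebApplication.php
+++ b/x2engine/protected/components/X2WebApplication.php
@@ -44,6 +44,24 @@
 */
 class X2WebApplication extends CWebApplication {
 
+/**
+* Processes the current request.
+* It first resolves the request into controller and action,
+* and then creates the controller to perform the action.
+*/
+public function processRequest()
+{
+if(is_array($this->catchAllRequest) && isset($this->catchAllRequest[0]))
+{
+$route=$this->catchAllRequest[0];
+foreach(array_splice($this->catchAllRequest,1) as $name=>$value)
+$_GET[$name]=$value;
+}
+else
+$route=$this->getUrlManager()->parseUrl($this->getRequest());
+$this->runController(Fields::getPurifier()->purify($route));
+}
+
 /**
 * Checks whether the named component has been created.
 * @param string $id application component ID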
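Review bot: `Fields::getPurifier()->purify($route)` in the new `processRequest()` applies an HTML sanitiser to a value that is a controller/action path, so a bad route is silently rewritten rather than rejected. Purified output is only safe in an HTML body context; wherever the route is later echoed into an attribute, a script or a log it still needs encoding for that context. Rejecting a route that carries markup characters is easier to audit, e.g. `if (strpbrk($route, '<>"\'') !== false) throw new CHttpException(400, Yii::t('app', 'Invalid request.'));` before `runController()`. The body and docblock appear to be copied from the parent `CWebApplication::processRequest()`, so the docblock should say why the override exists, for instance `Overrides the parent to sanitise the route before it is dispatched.`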
@@ -83,7 +83,9 @@ public static function getChartData (
//printR (('startdate, enddate = '.$startTimestamp.', '.$endTimestamp), true);

$associationType = strtolower ($associationType);

if (is_bool($showRelationships) !== true || !is_numeric($associationId)) {
throw new CHttpException(403, Yii::t('admin', 'Incorrect parameters.'));
}
$associationCondition = self::getAssociationCond (
$associationId, $associationType, $showRelationships);

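Review bot: The new guard in front of `getAssociationCond()` checks `$associationId` and `$showRelationships` but leaves `$associationType`, which is only lower-cased, unchecked; if that helper builds SQL from its arguments (its body is not in this hunk), the type needs an allow-list or a bound parameter as well. `is_numeric()` also accepts values such as `1e5`, `-3.5` and strings with leading whitespace, so for a record id a stricter test like `ctype_digit((string) $associationId)` is safer. A malformed parameter is a client error rather than an authorisation failure, so `new CHttpException(400, ...)` fits better than 403. `getChartData()` starts and ends outside the hunk.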
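--- a/x2engine/protected/controllers/AdminController.php
+++ b/x2engine/protected/controllers/AdminController.php
@@ -5501,7 +5501,11 @@ public function actionFinishGlobalExport() {
 * @param string $file Filepath of the requested file
 */
 public function actionDownloadData($file) {
-$this->sendFile($file);
+if (Yii::app()->params->isAdmin) {
+$this->sendFile($file);
+} else {
+throw new CHttpException(403, Yii::t('admin', 'Insufficient permissions.'));
+}
 }
 
 /**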
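Review bot: The admin check added to `actionDownloadData()` limits who may call the action, but `$file` still reaches `sendFile()` exactly as the request supplied it, and the docblock describes it as a file path. Unless `sendFile()` (not shown in this section) confines the path to the export directory, the action can serve any file the web server account can read to an admin session or to a forged request riding on one. If callers only ever pass a file name, `$this->sendFile(basename($file));` closes that; otherwise compare `realpath()` of the target with the export directory before sending. The docblock should also note the new requirement, e.g. `@throws CHttpException 403 if the current user is not an administrator`.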
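--- a/x2engine/protected/controllers/ProfileController.php
+++ b/x2engine/protected/controllers/ProfileController.php
@@ -348,11 +348,11 @@ public function actionAjaxExportTheme($themeId) {
 $file = $themeName.'.json';
 $filePath = $this->safePath($file);
 file_put_contents($filePath, $encodedTheme);
-echo CJSON::encode(array(
-'downloadUrl' => $this->createUrl('/admin/downloadData', array(
-'file' => $file
-))
-));
+if (Yii::app()->params->isAdmin) {
+$this->sendFile($file);
+} else {
+throw new CHttpException(403, Yii::t('admin', 'Insufficient permissions.'));
+}
 } else {
 throw new CHttpException(
 404, Yii::t('app', 'Theme does not exist or you do not have permissions to view it.'));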
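Review bot: In `actionAjaxExportTheme()` the new `isAdmin` test runs after `file_put_contents($filePath, $encodedTheme)`, so a non-admin caller still causes the export to be written to disk before receiving the 403. Put the check ahead of the write, e.g. `if (!Yii::app()->params->isAdmin) throw new CHttpException(403, Yii::t('admin', 'Insufficient permissions.'));` above the `file_put_contents()` line. `sendFile($file)` is also given the bare name while the write used `$this->safePath($file)`, so confirm both resolve to the same location. The response changes from JSON carrying `downloadUrl` to a file stream, which the client code for this Ajax action (not visible here) has to follow; the function starts and ends outside the hunk.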