forked from ZwiiCMS-Team/ZwiiCMS
Faille CSRF
This commit is contained in:
parent
7e2a9168e3
commit
4b77990cf7
@ -1,5 +1,12 @@
|
||||
# ChangeLog
|
||||
|
||||
## Version 8.5.5
|
||||
* Correction :
|
||||
- Faille CSRF lors de l'effacement d'un membre
|
||||
- Faille CSRF lors de l'effacement d'une galerie
|
||||
- Faille CSRF lors de l'effacement d'un article de blog
|
||||
- Faille CSRF lors de l'effacement d'un article de news
|
||||
|
||||
## Version 8.5.4
|
||||
* Correction :
|
||||
- Faille CSRF lors de l'effacement d'une page
|
||||
|
@ -88,10 +88,11 @@ class user extends common {
|
||||
* Suppression
|
||||
*/
|
||||
public function delete() {
|
||||
$url = explode('&',$this->getUrl(2));
|
||||
// Accès refusé
|
||||
if(
|
||||
// L'utilisateur n'existe pas
|
||||
$this->getData(['user', $this->getUrl(2)]) === null
|
||||
$this->getData(['user', $url[0]]) === null
|
||||
// Groupe insuffisant
|
||||
AND ($this->getUrl('group') < self::GROUP_MODERATOR)
|
||||
) {
|
||||
@ -100,8 +101,23 @@ class user extends common {
|
||||
'access' => false
|
||||
]);
|
||||
}
|
||||
// Jeton incorrect
|
||||
elseif(!isset($_GET['csrf'])) {
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'redirect' => helper::baseUrl() . 'user',
|
||||
'notification' => 'Jeton invalide'
|
||||
]);
|
||||
}
|
||||
elseif ($_GET['csrf'] !== $_SESSION['csrf']) {
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'redirect' => helper::baseUrl() . 'user',
|
||||
'notification' => 'Suppression non autorisée'
|
||||
]);
|
||||
}
|
||||
// Bloque la suppression de son propre compte
|
||||
elseif($this->getUser('id') === $this->getUrl(2)) {
|
||||
elseif($this->getUser('id') === $url[0]) {
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'redirect' => helper::baseUrl() . 'user',
|
||||
@ -110,7 +126,7 @@ class user extends common {
|
||||
}
|
||||
// Suppression
|
||||
else {
|
||||
$this->deleteData(['user', $this->getUrl(2)]);
|
||||
$this->deleteData(['user', $url[0]]);
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'redirect' => helper::baseUrl() . 'user',
|
||||
@ -280,7 +296,7 @@ class user extends common {
|
||||
]),
|
||||
template::button('userDelete' . $userId, [
|
||||
'class' => 'userDelete buttonRed',
|
||||
'href' => helper::baseUrl() . 'user/delete/' . $userId,
|
||||
'href' => helper::baseUrl() . 'user/delete/' . $userId. '&csrf=' . $_SESSION['csrf'],
|
||||
'value' => template::ico('cancel')
|
||||
])
|
||||
];
|
||||
|
@ -174,7 +174,7 @@ class blog extends common {
|
||||
]),
|
||||
template::button('blogConfigDelete' . $articleIds[$i], [
|
||||
'class' => 'blogConfigDelete buttonRed',
|
||||
'href' => helper::baseUrl() . $this->getUrl(0) . '/delete/' . $articleIds[$i],
|
||||
'href' => helper::baseUrl() . $this->getUrl(0) . '/delete/' . $articleIds[$i]. '&csrf=' . $_SESSION['csrf'],
|
||||
'value' => template::ico('cancel')
|
||||
])
|
||||
];
|
||||
@ -190,16 +190,33 @@ class blog extends common {
|
||||
* Suppression
|
||||
*/
|
||||
public function delete() {
|
||||
// $url prend l'adresse sans le token
|
||||
$url = explode('&',$this->getUrl(2));
|
||||
// L'article n'existe pas
|
||||
if($this->getData(['module', $this->getUrl(0), $this->getUrl(2)]) === null) {
|
||||
if($this->getData(['module', $this->getUrl(0), $url[0]]) === null) {
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'access' => false
|
||||
]);
|
||||
}
|
||||
// Jeton incorrect
|
||||
elseif(!isset($_GET['csrf'])) {
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'redirect' => helper::baseUrl(). $this->getUrl(0) . '/config',
|
||||
'notification' => 'Jeton invalide'
|
||||
]);
|
||||
}
|
||||
elseif ($_GET['csrf'] !== $_SESSION['csrf']) {
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'redirect' => helper::baseUrl() . $this->getUrl(0) . '/config',
|
||||
'notification' => 'Suppression non autorisée'
|
||||
]);
|
||||
}
|
||||
// Suppression
|
||||
else {
|
||||
$this->deleteData(['module', $this->getUrl(0), $this->getUrl(2)]);
|
||||
$this->deleteData(['module', $this->getUrl(0), $url[0]]);
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'redirect' => helper::baseUrl() . $this->getUrl(0) . '/config',
|
||||
|
@ -59,7 +59,7 @@ class gallery extends common {
|
||||
]),
|
||||
template::button('galleryConfigDelete' . $galleryId, [
|
||||
'class' => 'galleryConfigDelete buttonRed',
|
||||
'href' => helper::baseUrl() . $this->getUrl(0) . '/delete/' . $galleryId,
|
||||
'href' => helper::baseUrl() . $this->getUrl(0) . '/delete/' . $galleryId. '&csrf=' . $_SESSION['csrf'],
|
||||
'value' => template::ico('cancel')
|
||||
])
|
||||
];
|
||||
@ -93,16 +93,33 @@ class gallery extends common {
|
||||
* Suppression
|
||||
*/
|
||||
public function delete() {
|
||||
// $url prend l'adresse sans le token
|
||||
$url = explode('&',$this->getUrl(2));
|
||||
// La galerie n'existe pas
|
||||
if($this->getData(['module', $this->getUrl(0), $this->getUrl(2)]) === null) {
|
||||
if($this->getData(['module', $this->getUrl(0), $url[0]]) === null) {
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'access' => false
|
||||
]);
|
||||
}
|
||||
// Jeton incorrect
|
||||
elseif(!isset($_GET['csrf'])) {
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'redirect' => helper::baseUrl() . 'config',
|
||||
'notification' => 'Jeton invalide'
|
||||
]);
|
||||
}
|
||||
elseif ($_GET['csrf'] !== $_SESSION['csrf']) {
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'redirect' => helper::baseUrl() . 'config',
|
||||
'notification' => 'Suppression non autorisée'
|
||||
]);
|
||||
}
|
||||
// Suppression
|
||||
else {
|
||||
$this->deleteData(['module', $this->getUrl(0), $this->getUrl(2)]);
|
||||
$this->deleteData(['module', $this->getUrl(0), $url[0]]);
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'redirect' => helper::baseUrl() . $this->getUrl(0) . '/config',
|
||||
|
@ -100,7 +100,7 @@ class news extends common {
|
||||
]),
|
||||
template::button('newsConfigDelete' . $newsIds[$i], [
|
||||
'class' => 'newsConfigDelete buttonRed',
|
||||
'href' => helper::baseUrl() . $this->getUrl(0) . '/delete/' . $newsIds[$i],
|
||||
'href' => helper::baseUrl() . $this->getUrl(0) . '/delete/' . $newsIds[$i]. '&csrf=' . $_SESSION['csrf'],
|
||||
'value' => template::ico('cancel')
|
||||
])
|
||||
];
|
||||
@ -116,16 +116,33 @@ class news extends common {
|
||||
* Suppression
|
||||
*/
|
||||
public function delete() {
|
||||
// $url prend l'adresse sans le token
|
||||
$url = explode('&',$this->getUrl(2));
|
||||
// La news n'existe pas
|
||||
if($this->getData(['module', $this->getUrl(0), $this->getUrl(2)]) === null) {
|
||||
if($this->getData(['module', $this->getUrl(0), $url[0]]) === null) {
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'access' => false
|
||||
]);
|
||||
}
|
||||
// Jeton incorrect
|
||||
elseif(!isset($_GET['csrf'])) {
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'redirect' => helper::baseUrl(). $this->getUrl(0) . '/config',
|
||||
'notification' => 'Jeton invalide'
|
||||
]);
|
||||
}
|
||||
elseif ($_GET['csrf'] !== $_SESSION['csrf']) {
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'redirect' => helper::baseUrl() . $this->getUrl(0) . '/config',
|
||||
'notification' => 'Suppression non autorisée'
|
||||
]);
|
||||
}
|
||||
// Suppression
|
||||
else {
|
||||
$this->deleteData(['module', $this->getUrl(0), $this->getUrl(2)]);
|
||||
$this->deleteData(['module', $this->getUrl(0), $url[0]]);
|
||||
// Valeurs en sortie
|
||||
$this->addOutput([
|
||||
'redirect' => helper::baseUrl() . $this->getUrl(0) . '/config',
|
||||
|
Loading…
Reference in New Issue
Block a user