Controller auth / CSRF fixes
@@ -26,7 +26,7 @@ class Controller_Auth_Test extends Unit_Test_Case {
|
||||
public function find_missing_auth_test() {
|
||||
$found = array();
|
||||
foreach (glob("*/*/controllers/*.php") as $controller) {
|
||||
if (strpos($controller, "modules/unit_test/") !== false) {
|
||||
if (preg_match("{modules/(gallery_)?unit_test/}", $controller)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -54,11 +54,11 @@ class Controller_Auth_Test extends Unit_Test_Case {
|
||||
$open_braces--;
|
||||
if ($open_braces == 1 && $function) {
|
||||
$found[$controller][] = $function;
|
||||
$function = null;
|
||||
} else if ($open_braces == 0) {
|
||||
$is_admin_controller = false;
|
||||
$is_rest_controller = false;
|
||||
}
|
||||
$function = null;
|
||||
} else if ($token == "{") {
|
||||
$open_braces++;
|
||||
}
|
||||
@@ -80,6 +80,7 @@ class Controller_Auth_Test extends Unit_Test_Case {
|
||||
$previous_2 = $tokens[$token_number - 2][0];
|
||||
$is_private = in_array($previous, array(T_PRIVATE, T_PROTECTED)) ||
|
||||
in_array($previous_2, array(T_PRIVATE, T_PROTECTED));
|
||||
$is_static = $previous == T_STATIC || $previous_2 == T_STATIC;
|
||||
|
||||
// Search forward to get function name
|
||||
do {
|
||||
@@ -91,7 +92,9 @@ class Controller_Auth_Test extends Unit_Test_Case {
|
||||
}
|
||||
} while ($token_number < count($tokens));
|
||||
|
||||
if (!$is_private || ($is_rest_controller && in_array($name, self::$rest_methods))) {
|
||||
if (!$is_static &&
|
||||
(!$is_private ||
|
||||
($is_rest_controller && in_array($name, self::$rest_methods)))) {
|
||||
$function = self::_function($name, $line, $is_admin_controller);
|
||||
if ($is_rest_controller && in_array($name, self::$rest_methods_with_csrf_check)) {
|
||||
$function->checks_csrf(true);
|
||||
@@ -110,7 +113,8 @@ class Controller_Auth_Test extends Unit_Test_Case {
|
||||
if ($token[0] == T_STRING) {
|
||||
if ($token[1] == "access" &&
|
||||
self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
|
||||
self::_token_matches(array(T_STRING, "required"), $tokens, $token_number + 2) &&
|
||||
self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
|
||||
in_array($tokens[$token_number + 2][1], array("forbidden", "required")) &&
|
||||
self::_token_matches("(", $tokens, $token_number + 3)) {
|
||||
$token_number += 3;
|
||||
$function->checks_authorization(true);
|
||||
@@ -125,7 +129,7 @@ class Controller_Auth_Test extends Unit_Test_Case {
|
||||
$token_number++;
|
||||
$function->uses_input(true);
|
||||
}
|
||||
} else if ($token == T_VARIABLE) {
|
||||
} else if ($token[0] == T_VARIABLE) {
|
||||
if ($token[1] == '$this' &&
|
||||
self::_token_matches(array(T_OBJECT_OPERATOR), $tokens, $token_number + 1) &&
|
||||
self::_token_matches(array(T_STRING, "input"), $tokens, $token_number + 2)) {
|
||||
@@ -152,7 +156,6 @@ class Controller_Auth_Test extends Unit_Test_Case {
|
||||
$is_admin_controller = true;
|
||||
foreach ($functions as $function) {
|
||||
$is_admin_controller &= $function->is_admin_controller;
|
||||
|
||||
$flags = array();
|
||||
if ($function->uses_input() && !$function->checks_csrf()) {
|
||||
$flags[] = "DIRTY_CSRF";
|
||||
@@ -224,14 +227,14 @@ class Controller_Auth_Test_Function {
|
||||
|
||||
function uses_input($val=null) {
|
||||
if ($val !== null) {
|
||||
$this->_uses_input = $val;
|
||||
$this->_uses_input = (bool) $val;
|
||||
}
|
||||
return $this->_uses_input;
|
||||
}
|
||||
|
||||
function checks_authorization($val=null) {
|
||||
if ($val !== null) {
|
||||
$this->_checks_authorization = $val;
|
||||
$this->_checks_authorization = (bool) $val;
|
||||
}
|
||||
return $this->_checks_authorization;
|
||||
}
|
||||
|
||||
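Review bot: The new `!$is_static` guard in the `if` that precedes the `self::_function($name, $line, $is_admin_controller)` call drops every static method from the audit, so a `public static function` in a controller is never reported as DIRTY_AUTH or DIRTY_CSRF; that is only safe if the router can never dispatch a static method as an action, which this test cannot see. Record the assumption next to the guard, e.g. `// static methods are skipped: the router is assumed never to dispatch them as actions`, or keep static methods in the scan and let the expectation fixture list them explicitly. In the `}` hunk (`$open_braces--`), `$function = null;` appears both inside the `$open_braces == 1` branch and after the `else if`; the rendered page does not show which placement survives, but the reset must stay inside the `== 1` branch, because a reset on every closing brace would null `$function` at the end of any inner block while later tokens of the same method still call `$function->checks_authorization(true)`. The `$is_static` detection only inspects the two preceding tokens, so `static public function` (modifiers in the other order) is not recognised as static; if static methods are excluded on purpose, the detection should walk back over the whole modifier run. find_missing_auth_test() starts in the first hunk and continues between and beyond the hunks shown.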
@@ -1,8 +1,17 @@
|
||||
modules/comment/controllers/admin_comments.php queue DIRTY_CSRF
|
||||
modules/comment/controllers/comments.php _index DIRTY_CSRF
|
||||
modules/digibug/controllers/digibug.php print_proxy DIRTY_CSRF|DIRTY_AUTH
|
||||
modules/digibug/controllers/digibug.php close_window DIRTY_AUTH
|
||||
modules/gallery/controllers/admin.php __call DIRTY_AUTH
|
||||
modules/gallery/controllers/albums.php _show DIRTY_CSRF
|
||||
modules/gallery/controllers/albums.php _form_add DIRTY_CSRF
|
||||
modules/gallery/controllers/combined.php javascript DIRTY_AUTH
|
||||
modules/gallery/controllers/combined.php css DIRTY_AUTH
|
||||
modules/gallery/controllers/file_proxy.php __call DIRTY_CSRF|DIRTY_AUTH
|
||||
modules/gallery/controllers/maintenance.php index DIRTY_AUTH
|
||||
modules/gallery/controllers/rest.php __construct DIRTY_AUTH
|
||||
modules/gallery/controllers/rest.php __call DIRTY_AUTH
|
||||
modules/gallery/controllers/rest.php form_edit DIRTY_AUTH
|
||||
modules/gallery/controllers/rest.php form_add DIRTY_AUTH
|
||||
modules/gallery/controllers/rest.php _index DIRTY_AUTH
|
||||
modules/gallery/controllers/rest.php _create DIRTY_AUTH
|
||||
@@ -13,5 +22,18 @@ modules/gallery/controllers/rest.php _form_add
|
||||
modules/gallery/controllers/rest.php _form_edit DIRTY_AUTH
|
||||
modules/gallery/controllers/simple_uploader.php start DIRTY_AUTH
|
||||
modules/gallery/controllers/simple_uploader.php finish DIRTY_AUTH
|
||||
modules/gallery/controllers/upgrader.php index DIRTY_AUTH
|
||||
modules/gallery/controllers/welcome_message.php index DIRTY_AUTH
|
||||
modules/rss/controllers/rss.php feed DIRTY_CSRF|DIRTY_AUTH
|
||||
modules/search/controllers/search.php index DIRTY_CSRF|DIRTY_AUTH
|
||||
modules/server_add/controllers/admin_server_add.php autocomplete DIRTY_CSRF
|
||||
modules/server_add/controllers/server_add.php children DIRTY_CSRF
|
||||
modules/tag/controllers/admin_tags.php index DIRTY_CSRF
|
||||
modules/tag/controllers/tags.php _show DIRTY_CSRF|DIRTY_AUTH
|
||||
modules/user/controllers/login.php ajax DIRTY_AUTH
|
||||
modules/user/controllers/login.php auth_ajax DIRTY_AUTH
|
||||
modules/user/controllers/login.php html DIRTY_AUTH
|
||||
modules/user/controllers/login.php auth_html DIRTY_AUTH
|
||||
modules/user/controllers/logout.php index DIRTY_CSRF|DIRTY_AUTH
|
||||
modules/user/controllers/password.php reset DIRTY_AUTH
|
||||
modules/user/controllers/password.php do_reset DIRTY_CSRF|DIRTY_AUTH
|
||||
|
||||
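Review bot: Both hunks of this expectation fixture only grow the list of controller actions accepted as known-dirty (the headers go from 8 to 17 and from 5 to 18 lines with no removals), so every line shown is on the new side and is now a standing exception the auth test will never flag again. Lines that mark state-changing actions as `DIRTY_CSRF`, such as `modules/user/controllers/logout.php index DIRTY_CSRF|DIRTY_AUTH` and `modules/user/controllers/password.php do_reset DIRTY_CSRF|DIRTY_AUTH`, and catch-all proxies carrying `DIRTY_AUTH`, such as `modules/gallery/controllers/file_proxy.php __call DIRTY_CSRF|DIRTY_AUTH`, deserve a sentence in the commit message or a tracking item saying why the check is deliberately absent, since the fixture format has no room for a reason. Which entries are newly baselined versus pre-existing cannot be told from the rendered page; a follow-up that shrinks this list rather than treating it as the permanent baseline would be the natural next step.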
@@ -45,9 +45,13 @@ class Organize_Controller extends Controller {
|
||||
access::verify_csrf();
|
||||
|
||||
$target_album = ORM::factory("item", $target_album_id);
|
||||
access::required("view", $target_album);
|
||||
access::required("add", $target_album);
|
||||
|
||||
foreach ($this->input->post("source_ids") as $source_id) {
|
||||
$source = ORM::factory("item", $source_id);
|
||||
if (!$source->contains($target_album)) {
|
||||
access::required("edit", $source);
|
||||
item::move($source, $target_album);
|
||||
}
|
||||
}
|
||||
|
||||
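Review bot: `foreach ($this->input->post("source_ids") as $source_id)` iterates the POST value without checking that it is an array, and each id is passed to `ORM::factory("item", $source_id)` and then to `contains()` and `access::required("edit", $source)` without confirming the item exists, so a missing or scalar `source_ids` yields a foreach warning and an unknown id reaches the permission check on an unloaded model. Guard both: `foreach ((array) $this->input->post("source_ids") as $source_id) {` and, inside the loop, `if (!$source->loaded()) { continue; }` (or raise the 404 other controllers use), assuming the ORM layer exposes a `loaded()` check. `if (!$source->contains($target_album))` reads as a guard against moving an album into itself or one of its descendants; if that is its purpose, a comment such as `// refuse to move an album into itself or one of its own descendants` would save the next reader a lookup. The enclosing method starts before the hunk.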
@@ -21,13 +21,13 @@ class Rss_Controller extends Controller {
|
||||
public static $page_size = 20;
|
||||
|
||||
public function feed($module_id, $feed_id, $id=null) {
|
||||
$page = $this->input->get("page", 1);
|
||||
$page = (int) $this->input->get("page", 1);
|
||||
if ($page < 1) {
|
||||
url::redirect(url::merge(array("page" => 1)));
|
||||
}
|
||||
|
||||
// Configurable page size between 1 and 100, default 20
|
||||
$page_size = max(1, min(100, $this->input->get("page_size", self::$page_size)));
|
||||
$page_size = max(1, min(100, (int) $this->input->get("page_size", self::$page_size)));
|
||||
|
||||
// Run the appropriate feed callback
|
||||
if (module::is_active($module_id)) {
|
||||
|
||||
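Review bot: The `(int)` casts on `$page` and `$page_size` make the range checks reliable, but the upper bound `100` is left as a bare literal next to the declared `public static $page_size = 20`; consider `public static $max_page_size = 100;` and `$page_size = max(1, min(self::$max_page_size, (int) $this->input->get("page_size", self::$page_size)));` so the limit is documented in one place. The `if ($page < 1)` branch falls through after `url::redirect(url::merge(array("page" => 1)));` — if that helper does not terminate the request (the hunk does not show it), add a `return;` so the feed is not built with page 0. feed()'s body continues past the hunk.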
@@ -44,7 +44,8 @@ class Tags_Controller extends REST_Controller {
|
||||
|
||||
public function _index() {
|
||||
// Far from perfection, but at least require view permission for the root album
|
||||
access::required("view", 1);
|
||||
$album = ORM::factory("item", 1);
|
||||
access::required("view", $album);
|
||||
print tag::cloud(30);
|
||||
}
|
||||
|
||||
|
||||
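Review bot: The root album is still addressed by the literal id `1` in `ORM::factory("item", 1)`; if the item helper offers a root accessor (gallery3 has `item::root()` as far as I recall), prefer `$album = item::root();` so the root id is not repeated across controllers. The comment `// Far from perfection, but at least require view permission for the root album` predates the loaded-model check and no longer explains the intent — reword it to state that the root album's view permission gates the whole tag cloud because the cloud has no per-item access filtering (if that is indeed the reason; the hunk does not show `tag::cloud`). `print tag::cloud(30)` carries a bare limit; a named constant or a short comment for the `30` would help. The hunk shows all of `_index()`.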