

Security Fix #61 #62 #63 #65 #66 #67
Puguh Wijayanto committed Jan 15, 2017
1 parent 72a2476 commit abfbb61
Showing 58 changed files with 710 additions and 498 deletions.
2 changes: 1 addition & 1 deletion gxadmin/inc/menus_form.php
Expand Up @@ -19,7 +19,7 @@


if (isset($_GET['id'])) {
$menuid = $_GET['id'];
$menuid = Typo::cleanX($_GET['id']);
} else {
$menuid = $data['menuid'];
}
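Review bot: `Typo::cleanX` on `$_GET['id']` is inconsistent with gxadmin/inc/menus_form_edit.php, which filters the same menu id with `Typo::int`. Since the value is an id, the numeric filter is the tighter control and keeps both forms in step; I'd change the line to `$menuid = Typo::int($_GET['id']);`. What cleanX strips is not visible on this page, so if it is a generic string cleaner it does not guarantee a numeric value to whatever consumes `$menuid` downstream.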
4 changes: 2 additions & 2 deletions gxadmin/inc/menus_form_edit.php
Expand Up @@ -16,15 +16,15 @@
* @license http://www.opensource.org/licenses/mit-license.php MIT
*/
if (isset($_GET['id'])) {
$menuid = $_GET['id'];
$menuid = Typo::int($_GET['id']);
} else {
$menuid = $data['menuid'];
}

// print_r($data['menus']);

if (isset($_GET['token'])
&& Token::isExist($_GET['token'])) {
&& Token::isExist(Typo::cleanX($_GET['token']))) {
$token = TOKEN;
} else {
$token = '';
9 changes: 5 additions & 4 deletions gxadmin/inc/pages_form.php
Expand Up @@ -22,7 +22,7 @@
$token = '';
}
($_GET['act'] == 'edit') ? $pagetitle = 'Edit' : $pagetitle = 'New';
($_GET['act'] == 'edit') ? $act = "edit&id={$_GET['id']}&token=".$token : $act = 'add';
($_GET['act'] == 'edit') ? $act = "edit&id=".Typo::int($_GET['id'])."&token=".$token : $act = 'add';

if (isset($data['post'])) {
if (!isset($data['post']['error'])) {
Expand All @@ -42,6 +42,7 @@
$pub = '';
$unpub = 'SELECTED';
}
$id = Typo::int($_GET['id']);
} else {
$title = '';
$content = '';
Expand All @@ -65,7 +66,7 @@
}

?>
<form action="index.php?page=pages&act=<?=$act?>&token=<?=$_GET['token'];?>" method="post" role="form" class="">
<form action="index.php?page=pages&act=<?=$act?>" method="post" role="form" class="">
<div class="row">
<div class="col-md-12">
<?=Hooks::run('admin_page_notif_action', $data);?>
Expand Down Expand Up @@ -130,8 +131,8 @@
unset($listlang[Options::v('multilang_default')]);
foreach ($listlang as $key => $value) {
if (isset($_GET['act']) && $_GET['act'] == 'edit') {
$lang = Language::getLangParam($key, $_GET['id']);
if ($lang == '') {
$lang = Language::getLangParam($key, $id);
if ($lang == '' || !Posts::existParam('multilang', $id)) {
$lang['title'] = $title;
$lang['content'] = $content;
} else {
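Review bot: `$id` is assigned only inside the `isset($data['post'])` branch at the new `$id = Typo::int($_GET['id']);` line, but the multilang loop further down uses `$id` whenever `$_GET['act'] == 'edit'`, so an edit request whose post lookup produced no `$data['post']` would reach `Language::getLangParam($key, $id)` with an undefined variable — unless `$data['post']` is guaranteed on every edit path, which this page does not show. Defining it once before the `$act` ternary, `$id = isset($_GET['id']) ? Typo::int($_GET['id']) : 0;`, and reusing it as `$act = "edit&id=".$id."&token=".$token` makes it available on every path and also removes the unguarded `$_GET['id']` read in that ternary. The same pattern appears in gxadmin/inc/posts_form.php, where `$id = Typo::int($_GET['id']);` is likewise placed inside the post branch. The two `($_GET['act'] == 'edit')` ternaries near the top also read `act` without `isset`, unlike the loop below, which checks it first.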
24 changes: 12 additions & 12 deletions gxadmin/inc/posts_form.php
Expand Up @@ -16,13 +16,13 @@
* @license http://www.opensource.org/licenses/mit-license.php MIT
*/
if (isset($_GET['token'])
&& Token::isExist($_GET['token'])) {
&& Token::isExist(Typo::cleanX($_GET['token']))) {
$token = TOKEN;
} else {
$token = '';
}
($_GET['act'] == 'edit') ? $pagetitle = 'Edit' : $pagetitle = 'New';
($_GET['act'] == 'edit') ? $act = "edit&id={$_GET['id']}&token=".$token : $act = 'add';
($_GET['act'] == 'edit') ? $act = "edit&id=".Typo::int($_GET['id'])."&token=".$token : $act = 'add';

if (isset($data['post'])) {
foreach ($data['post'] as $p) {
Expand All @@ -32,15 +32,18 @@
$date = $p->date;
$status = $p->status;
$cat = $p->cat;
$tags = $p->tags;

}
$tags = Posts::getParam('tags', $p->id);
// $tags = Posts::getParam('tags', $p->id);
if ($status == 1) {
$pub = 'SELECTED';
$unpub = '';
} elseif ($status == 0) {
$pub = '';
$unpub = 'SELECTED';
}
$id = Typo::int($_GET['id']);
} else {
$title = '';
$content = '';
Expand All @@ -52,7 +55,7 @@
$tags = '';
}
?>
<form action="index.php?page=posts&act=<?=$act?>&token=<?=$_GET['token'];?>" method="post" role="form" class="">
<form action="index.php?page=posts&act=<?=$act?>" method="post" role="form" class="">
<div class="row">
<div class="col-md-12">
<?=Hooks::run('admin_page_notif_action', $data);?>
Expand Down Expand Up @@ -117,9 +120,9 @@
foreach ($listlang as $key => $value) {
// print_r($key);
if (isset($_GET['act']) && $_GET['act'] == 'edit') {
$lang = Language::getLangParam($key, $_GET['id']);
$lang = Language::getLangParam($key, $id);
// print_r($lang);
if ($lang == '' || !Posts::existParam('multilang', $_GET['id'])) {
if ($lang == '' || !Posts::existParam('multilang', $id)) {
$lang['title'] = $title;
$lang['content'] = $content;
} else {
Expand Down Expand Up @@ -227,13 +230,10 @@
<div class="form-group">
<label><?=STATUS;?></label>
<select name="status" class="form-control">
<option value="1" <?=$pub;
?>><?=PUBLISH;?></option>
<option value="0" <?=$unpub;
?>><?=UNPUBLISH;?></option>
<option value="1" <?=$pub;?>><?=PUBLISH;?></option>
<option value="0" <?=$unpub;?>><?=UNPUBLISH;?></option>
</select>
<small><?=PUBLISHED_LOWER;
?> or <?=UNPUBLISHED_LOWER;?></small>
<small><?=PUBLISHED_LOWER;?> or <?=UNPUBLISHED_LOWER;?></small>
</div>

<div class="form-group">
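Review bot: With `&token=` removed from the form action, a new-post submission (`$act = 'add'`) carries no token at all, because only the edit branch of the `$act` ternary appends one; if the handler behind `page=posts&act=add` validates a token, the add form now needs a hidden field such as `<input type="hidden" name="token" value="<?=TOKEN?>">`, as gxadmin/inc/user_form.php does in this commit, unless one already exists below the visible part of this form. The same applies to the pages form action in gxadmin/inc/pages_form.php. Separately, the commented-out `// $tags = Posts::getParam('tags', $p->id);` line should be deleted rather than kept as a comment, since `$tags = $p->tags;` now replaces it.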
2 changes: 1 addition & 1 deletion gxadmin/inc/user_form.php
Expand Up @@ -90,5 +90,5 @@
</div>
</div>
</div>
<input type="hidden" name="token" value="<?=$_GET['token'];?>">
<input type="hidden" name="token" value="<?=TOKEN?>">
</form>
89 changes: 48 additions & 41 deletions inc/lib/Categories.class.php
Expand Up @@ -62,65 +62,69 @@ public static function dropdown($vars)
{
if (is_array($vars)) {
//print_r($vars);
$name = $vars['name'];
$where = 'WHERE ';
$name = Typo::cleanX($vars['name']);
$where = 'WHERE 1 ';
if (isset($vars['parent'])) {
$where .= " `parent` = '".$vars['parent']."' ";
$where .= " AND `parent` = '".Typo::int($vars['parent'])."' ";
} else {
$where .= '';
}
if (isset($vars['type'])) {
if ($vars['type'] == 'tag') {
$where .= " `type` = '{$vars['type']}' AND ";
$type = Typo::cleanX($vars['type']);
if ($type == 'tag') {
$where .= " AND `type` = '".$type."' ";
} else {
$where .= " `type` = '{$vars['type']}' AND `type` != 'tag' AND ";
$where .= " AND `type` = '".$type."' AND `type` != 'tag' ";
}

} else {
$where .= " `type` != 'tag' AND ";
$where .= " AND `type` != 'tag' ";
}
$where .= '1 ';
$where .= ' ';
$order_by = 'ORDER BY ';
if (isset($vars['order_by'])) {
$order_by .= ' '.$vars['order_by'].' ';
$order_by .= ' '.Typo::cleanX($vars['order_by']).' ';
} else {
$order_by .= ' `name` ';
}
if (isset($vars['sort'])) {
$sort = " {$vars['sort']}";
$sort = " ".Typo::cleanX($vars['sort'])." ";
} else {
$sort = ' ASC';
}
}

// $cat = Db::result("SELECT * FROM `cat` {$where} {$order_by} {$sort}");
$cat = Db::result('SELECT * FROM `cat` '.$where.' '.$order_by.' '.$sort);
// print_r($cat);
$drop = "<select name=\"{$name}\" class=\"form-control\"><option></option>";
if (Db::$num_rows > 0) {
foreach ($cat as $c) {
if ($c->parent == null || $c->parent == '0') {
if (isset($vars['selected']) && $c->id == $vars['selected']) {
$sel = 'SELECTED';
} else {
$sel = '';
}
$drop .= "<option value=\"{$c->id}\" $sel style=\"padding-left: 10px;\">{$c->name}</option>";
foreach ($cat as $c2) {
if ($c2->parent == $c->id) {
if (isset($vars['selected']) && $c2->id == $vars['selected']) {
$sel = 'SELECTED';
} else {
$sel = '';
}
$drop .= "<option value=\"{$c2->id}\" $sel style=\"padding-left: 10px;\">
// $cat = Db::result("SELECT * FROM `cat` {$where} {$order_by} {$sort}");
$cat = Db::result('SELECT * FROM `cat` '.$where.' '.$order_by.' '.$sort);
// print_r($cat);
$drop = "<select name=\"{$name}\" class=\"form-control\"><option></option>";
if (Db::$num_rows > 0) {
foreach ($cat as $c) {
if ($c->parent == null || $c->parent == '0') {
if (isset($vars['selected']) && $c->id == $vars['selected']) {
$sel = 'SELECTED';
} else {
$sel = '';
}
$drop .= "<option value=\"{$c->id}\" $sel style=\"padding-left: 10px;\">{$c->name}</option>";
foreach ($cat as $c2) {
if ($c2->parent == $c->id) {
if (isset($vars['selected']) && $c2->id == $vars['selected']) {
$sel = 'SELECTED';
} else {
$sel = '';
}
$drop .= "<option value=\"{$c2->id}\" $sel style=\"padding-left: 10px;\">
&nbsp;&nbsp;&nbsp;{$c2->name}</option>";
}
}
}
}
}
$drop .= '</select>';
} else {
$drop = 'Category config not in Array';
}
$drop .= '</select>';


return $drop;
}
Expand All @@ -130,22 +134,25 @@ public static function lists($vars)
if (is_array($vars)) {
//print_r($vars);

$where = 'WHERE ';
$where = 'WHERE 1';
if (isset($vars['parent'])) {
$where .= " `parent` = '{$vars['parent']}' AND ";
$where .= " AND `parent` = '".Typo::int($vars['parent'])."' ";
} else {
$where .= '';
}
if (isset($vars['type'])) {
if ($vars['type'] == 'tag') {
$where .= " `type` = '{$vars['type']}' AND ";
$type = Typo::cleanX($vars['type']);
if ($type == 'tag') {
$where .= " AND `type` = '".$type."' ";
} else {
$where .= " `type` = '{$vars['type']}' AND `type` != 'tag' AND ";
$where .= " AND `type` = '".$type."' AND `type` != 'tag' ";
}

} else {
$where .= " `type` != 'tag' AND ";
$where .= " AND `type` != 'tag' ";
}
$where .= '1 ';
$order_by = 'ORDER BY ';

$order_by = ' ORDER BY ';
if (isset($vars['order_by'])) {
$order_by .= " {$vars['order_by']} ";
} else {
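Review bot: `$vars['order_by']` and `$vars['sort']` are still concatenated into the ORDER BY clause in dropdown() after `Typo::cleanX`, and a string cleaner is not the right guard for SQL identifiers and keywords — an allowlist is. I'd replace the two lines with `$order_by .= in_array($vars['order_by'], ['id', 'name', 'parent', 'type'], true) ? ' '.$vars['order_by'].' ' : ' name ';` and `$sort = (strtoupper((string) $vars['sort']) === 'DESC') ? ' DESC' : ' ASC';` (that column list is the set of `cat` fields this class reads; extend it if the table has more sortable columns). lists() below still interpolates `$vars['order_by']` with no filtering at all, so it needs the same treatment. Also, `$c->name` and `$c2->name` are emitted into the option markup unescaped; if category names originate from admin input, `htmlspecialchars` at the output point is the HTML-context control.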
25 changes: 16 additions & 9 deletions inc/lib/Comments.class.php
Expand Up @@ -27,14 +27,14 @@ public function __construct()
public static function form()
{
if (self::isEnable()) {
Hooks::attach('footer_load_lib', array(__CLASS__, 'validateJsComment'));
Hooks::attach('footer_load_lib', array('Comments', 'validateJsComment'));
Theme::validator();
Theme::editor('mini', '200');

$html = '<a id="commentform"></a><div class="col-md-12 comments-wrapper clearfix">';
if (isset($_POST['addComment'])) {
$data = self::addComment($_POST);
$html .= System::alert();
$html .= System::alert($data);
}

$html .= '
Expand Down Expand Up @@ -95,7 +95,8 @@ public static function addComment($vars)
global $data;

unset($vars['addComment']);
if (!isset($vars['token']) || !Token::isExist($vars['token'])) {
$token = Typo::cleanX($vars['token']);
if (!isset($vars['token']) || !Token::isExist($token)) {
$alertDanger[] = TOKEN_NOT_EXIST;
}
if (!isset($vars['comments-msg']) || null == $vars['comments-msg'] || $vars['comments-msg'] == '<p><br></p>') {
Expand Down Expand Up @@ -170,9 +171,9 @@ public static function addComment($vars)
public static function listC($vars)
{
global $data;
$offset = $vars['offset'];
$max = $vars['max'];
$parent = $vars['parent'];
$offset = Typo::int($vars['offset']);
$max = Typo::int($vars['max']);
$parent = Typo::int($vars['parent']);
$post_id = $data['posts'][0]->id;
$where = "AND `post_id` = '{$post_id}' AND `status` = '1' AND `parent` = '{$parent}' ";
$order = ($parent > 0) ? 'ASC' : 'DESC';
Expand Down Expand Up @@ -225,7 +226,7 @@ public static function showList($vars)
if (self::isEnable()) {
global $data;
$html = '';
$max = $vars['max'];
$max = Typo::int($vars['max']);
if (isset($_GET['paging']) && isset($_GET['comments'])) {
$paging = Typo::int($_GET['paging']);
$offset = ($paging - 1) * $max;
Expand All @@ -245,7 +246,7 @@ public static function showList($vars)
'url' => (SMART_URL) ? Url::post($post_id).'?comments=yes' : Url::post($post_id).'&comments=yes',
'type' => 'number',
);
$html .= Paging::create($page);
$html .= "<div class='col-sm-12'>".Paging::create($page)."</div>";
} else {
$html = '';
}
Expand Down Expand Up @@ -321,11 +322,12 @@ function removeCancel() {
</script>
";

return $script;
echo Site::minifyJS($script);
}

public static function publish($id)
{
$id = Typo::int($id);
$var = array(
'table' => 'comments',
'id' => $id,
Expand All @@ -338,6 +340,7 @@ public static function publish($id)

public static function unpublish($id)
{
$id = Typo::int($id);
$var = array(
'table' => 'comments',
'id' => $id,
Expand All @@ -350,6 +353,7 @@ public static function unpublish($id)

public static function pending($id)
{
$id = Typo::int($id);
$var = array(
'table' => 'comments',
'id' => $id,
Expand All @@ -362,6 +366,7 @@ public static function pending($id)

public static function delete($id)
{
$id = Typo::int($id);
$var = array(
'table' => 'comments',
'where' => array(
Expand All @@ -373,6 +378,7 @@ public static function delete($id)

public static function deleteWithPost($post_id)
{
$post_id = Typo::int($post_id);
$var = array(
'table' => 'comments',
'where' => array(
Expand All @@ -384,6 +390,7 @@ public static function deleteWithPost($post_id)

public static function postExist($id)
{
$id = Typo::int($id);
$var = sprintf("SELECT * FROM `comments` WHERE `post_id` = '%d'", $id);
Db::result($var);
if (Db::$num_rows > 0) {
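Review bot: In addComment, `$token = Typo::cleanX($vars['token']);` runs before the `!isset($vars['token'])` check on the next line, so a POST without a token now raises an undefined-index notice before the guard fires. Fold the existence check into the assignment: `$token = isset($vars['token']) ? Typo::cleanX($vars['token']) : '';` followed by `if ($token === '' || !Token::isExist($token)) {`. Further down, the function whose tail is shown at the `echo Site::minifyJS($script);` hunk used to `return $script;` and now echoes instead, so any caller that concatenated its return value (the way form() builds `$html`) would get null; that function's start is outside the hunk, so its callers are not visible here.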
