Issue #81, issue #82 and issue #83

pluck-cms · Oct 21, 2019 · 14ee987 · 14ee987
1 parent a4c3759
commit 14ee987
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 3 deletions.
diff --git a/admin.php b/admin.php
@@ -54,7 +54,7 @@
 
 	//Define pages.
 	//------------
-	if (isset($_GET['action'])) {
+	if (isset($_GET['action']) && requestedByTheSameDomain() ) {
 		switch ($_GET['action']) {
 			//Page:Start
 			case 'start':
@@ -292,7 +292,14 @@
 	//Module pages.
 	elseif (isset($_GET['module']))
 		require_once ('data/inc/modules_admininclude.php');
+
+	//Request originating not from same server
+	elseif (!requestedByTheSameDomain()) {
+		$titelkop = $lang['start']['title'];
+		include_once ('data/inc/header.php');
+		include_once ('data/inc/start.php');
 
+	}
 	//Unknown pages.
 	else {
 		header('Location: ?action=start');

diff --git a/data/inc/files.php b/data/inc/files.php
@@ -39,7 +39,7 @@
 			$lastfour = substr($filenamestr, -4);
 			$lastfive = substr($filenamestr, -5);
 			$blockedExtentions = array('.php','php3','php4','php5','php6','php7','phtml','.phtm','.pht','.ph3','.ph4','.ph5','.asp','.cgi');
-			if (in_array($lastfour, $blockedExtentions) or in_array($lastfive, $blockedExtentions)  or (strpos($filenamestr, '.htaccess') > 0) ){
+			if (in_array($lastfour, $blockedExtentions) or in_array($lastfive, $blockedExtentions)  || ($filenamestr == '.htaccess') ){
 				if (!rename('files/'.latinOnlyInput($_FILES['filefile']['name']), 'files/'.latinOnlyInput($_FILES['filefile']['name']).'.txt')){
 					show_error($lang['general']['upload_failed'], 1);
 				}

diff --git a/data/inc/functions.admin.php b/data/inc/functions.admin.php
@@ -641,4 +641,18 @@ function check_update_version($version) {
 	return 'error';
 
 }
-?>
+
+/**
+ * Checking if the request originates from the originating server
+ *
+ * @since 4.7.10
+ * @package admin
+ * @return boolean true / false
+ */
+
+function requestedByTheSameDomain() {
+    $myDomain       = $_SERVER['SCRIPT_URI'];
+    $requestsSource = $_SERVER['HTTP_REFERER'];
+
+    return parse_url($myDomain, PHP_URL_HOST) === parse_url($requestsSource, PHP_URL_HOST);
+}