From: Alexander Ebert <ebert@woltlab.com>
Date: Wed, 17 Jul 2013 13:50:36 +0000 (+0200)
Subject: Improved AJAXInvokeAction to allow whitelisting of accessible methods
X-Git-Tag: 2.0.0_Beta_5~37^2~4
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=55ae068aa299cd91425c0e9346c4cfc3ecfc7e32;p=GitHub%2FWoltLab%2FWCF.git

Improved AJAXInvokeAction to allow whitelisting of accessible methods
---

diff --git a/wcfsetup/install/files/lib/acp/action/WorkerProxyAction.class.php b/wcfsetup/install/files/lib/acp/action/WorkerProxyAction.class.php
index cd43203ed9..5061a5fcbf 100644
--- a/wcfsetup/install/files/lib/acp/action/WorkerProxyAction.class.php
+++ b/wcfsetup/install/files/lib/acp/action/WorkerProxyAction.class.php
@@ -36,6 +36,8 @@ class WorkerProxyAction extends AJAXInvokeAction {
 	 */
 	protected $worker = null;
 	
+	public static $allowInvoke = array();
+	
 	/**
 	 * @see	wcf\action\IAction::readParameters()
 	 */
diff --git a/wcfsetup/install/files/lib/action/AJAXInvokeAction.class.php b/wcfsetup/install/files/lib/action/AJAXInvokeAction.class.php
index d5b338b95f..0daddf1f76 100644
--- a/wcfsetup/install/files/lib/action/AJAXInvokeAction.class.php
+++ b/wcfsetup/install/files/lib/action/AJAXInvokeAction.class.php
@@ -118,13 +118,25 @@ class AJAXInvokeAction extends AbstractSecureAction {
 			throw new SystemException("'".$this->className."' does not extend 'wcf\system\SingletonFactory'");
 		}
 		
-		$this->actionObject = call_user_func(array($this->className, 'getInstance'));
-		
 		// validate action name
-		if (empty($this->actionName) || !method_exists($this->actionObject, $this->actionName)) {
+		if (empty($this->actionName)) {
 			throw new UserInputException('actionName');
 		}
 		
+		// validate accessibility
+		$className = $this->className;
+		if (!property_exists($className, 'allowInvoke') || !in_array($this->actionName, $className::$allowInvoke)) {
+			throw new PermissionDeniedException();
+		}
+		
+		$this->actionObject = call_user_func(array($this->className, 'getInstance'));
+		
+		// check for validate method
+		$validateMethod = 'validate'.ucfirst($this->actionName);
+		if (method_exists($this->actionObject, $this->actionName)) {
+			$this->actionObject->{$validateMethod}();
+		}
+		
 		$this->response = $this->actionObject->{$this->actionName}();
 	}
 	
diff --git a/wcfsetup/install/files/lib/system/importer/ImportHandler.class.php b/wcfsetup/install/files/lib/system/importer/ImportHandler.class.php
index fe4ee88e17..02c4065ef7 100644
--- a/wcfsetup/install/files/lib/system/importer/ImportHandler.class.php
+++ b/wcfsetup/install/files/lib/system/importer/ImportHandler.class.php
@@ -2,6 +2,7 @@
 namespace wcf\system\importer;
 use wcf\data\object\type\ObjectTypeCache;
 use wcf\system\exception\SystemException;
+use wcf\system\IAJAXInvokeAction;
 use wcf\system\SingletonFactory;
 use wcf\system\WCF;
 
@@ -15,7 +16,7 @@ use wcf\system\WCF;
  * @subpackage	system.importer
  * @category	Community Framework
  */
-class ImportHandler extends SingletonFactory {
+class ImportHandler extends SingletonFactory implements IAJAXInvokeAction {
 	/**
 	 * id map cache
 	 * @var	array 
@@ -40,6 +41,12 @@ class ImportHandler extends SingletonFactory {
 	 */
 	protected $userMergeMode = 2;
 	
+	/**
+	 * list of methods allowed for remote invoke
+	 * @var	array<string>
+	 */
+	public static $allowInvoke = array('resetMapping');
+	
 	/**
 	 * @see wcf\system\SingletonFactory::init()
 	 */
@@ -110,6 +117,13 @@ class ImportHandler extends SingletonFactory {
 		unset($this->idMappingCache[$objectTypeID][$oldID]);
 	}
 	
+	/**
+	 * Validates accessibility of resetMapping().
+	 */
+	public function validateResetMapping() {
+		WCF::getSession()->checkPermissions(array('admin.system.canImportData'));
+	}
+	
 	/**
 	 * Resets the mapping.
 	 */
diff --git a/wcfsetup/install/files/lib/system/user/collapsible/content/UserCollapsibleSidebarHandler.class.php b/wcfsetup/install/files/lib/system/user/collapsible/content/UserCollapsibleSidebarHandler.class.php
index 7367f42cba..10972761f2 100644
--- a/wcfsetup/install/files/lib/system/user/collapsible/content/UserCollapsibleSidebarHandler.class.php
+++ b/wcfsetup/install/files/lib/system/user/collapsible/content/UserCollapsibleSidebarHandler.class.php
@@ -16,6 +16,12 @@ use wcf\util\StringUtil;
  * @category	Community Framework
  */
 class UserCollapsibleSidebarHandler extends SingletonFactory implements IAJAXInvokeAction {
+	/**
+	 * list of methods allowed for remote invoke
+	 * @var	array<string>
+	 */
+	public static $allowInvoke = array('toggle');
+	
 	/**
 	 * Toggles a sidebar.
 	 */