From: Alexander Ebert Date: Wed, 17 Jul 2013 13:50:36 +0000 (+0200) Subject: Improved AJAXInvokeAction to allow whitelisting of accessible methods X-Git-Tag: 2.0.0_Beta_5~37^2~4 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=55ae068aa299cd91425c0e9346c4cfc3ecfc7e32;p=GitHub%2FWoltLab%2FWCF.git Improved AJAXInvokeAction to allow whitelisting of accessible methods
---
diff --git a/wcfsetup/install/files/lib/acp/action/WorkerProxyAction.class.php b/wcfsetup/install/files/lib/acp/action/WorkerProxyAction.class.php
index cd43203ed9..5061a5fcbf 100644
--- a/wcfsetup/install/files/lib/acp/action/WorkerProxyAction.class.php
+++ b/wcfsetup/install/files/lib/acp/action/WorkerProxyAction.class.php
@@ -36,6 +36,8 @@ class WorkerProxyAction extends AJAXInvokeAction {
 */
 protected $worker = null;
+ public static $allowInvoke = array();
+
 /**
 * @see wcf\action\IAction::readParameters()
 */
diff --git a/wcfsetup/install/files/lib/action/AJAXInvokeAction.class.php b/wcfsetup/install/files/lib/action/AJAXInvokeAction.class.php
index d5b338b95f..0daddf1f76 100644
--- a/wcfsetup/install/files/lib/action/AJAXInvokeAction.class.php
+++ b/wcfsetup/install/files/lib/action/AJAXInvokeAction.class.php
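Review bot: The new `public static $allowInvoke = array();` on WorkerProxyAction has no docblock, while the same property added to ImportHandler and UserCollapsibleSidebarHandler in this commit is documented; add the matching `/** list of methods allowed for remote invoke @var array */` above it. Why an action class (WorkerProxyAction extends AJAXInvokeAction) rather than an invoke target needs the whitelist property is not visible from the hunk, and the dispatcher's new check reads it from `$this->className`, so a one-line comment stating which lookup this property serves would help the next reader. An empty array means no method is invokable through it until entries are added, which is worth saying if intentional. The class body continues outside the hunk.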
@@ -118,13 +118,25 @@ class AJAXInvokeAction extends AbstractSecureAction {
 throw new SystemException("'".$this->className."' does not extend 'wcf\system\SingletonFactory'");
 }
- $this->actionObject = call_user_func(array($this->className, 'getInstance'));
-
 // validate action name
- if (empty($this->actionName) || !method_exists($this->actionObject, $this->actionName)) {
+ if (empty($this->actionName)) {
 throw new UserInputException('actionName');
 }
+ // validate accessibility
+ $className = $this->className;
+ if (!property_exists($className, 'allowInvoke') || !in_array($this->actionName, $className::$allowInvoke)) {
+ throw new PermissionDeniedException();
+ }
+
+ $this->actionObject = call_user_func(array($this->className, 'getInstance'));
+
+ // check for validate method
+ $validateMethod = 'validate'.ucfirst($this->actionName);
+ if (method_exists($this->actionObject, $this->actionName)) {
+ $this->actionObject->{$validateMethod}();
+ }
+
 $this->response = $this->actionObject->{$this->actionName}();
 }
diff --git a/wcfsetup/install/files/lib/system/importer/ImportHandler.class.php b/wcfsetup/install/files/lib/system/importer/ImportHandler.class.php
index fe4ee88e17..02c4065ef7 100644
--- a/wcfsetup/install/files/lib/system/importer/ImportHandler.class.php
+++ b/wcfsetup/install/files/lib/system/importer/ImportHandler.class.php
@@ -2,6 +2,7 @@ namespace wcf\system\importer;
 use wcf\data\object\type\ObjectTypeCache;
 use wcf\system\exception\SystemException;
+use wcf\system\IAJAXInvokeAction;
 use wcf\system\SingletonFactory;
 use wcf\system\WCF;
@@ -15,7 +16,7 @@ use wcf\system\WCF;
 * @subpackage system.importer
 * @category Community Framework
 */
-class ImportHandler extends SingletonFactory {
+class ImportHandler extends SingletonFactory implements IAJAXInvokeAction {
 /**
 * id map cache
 * @var array
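Review bot: The guard in front of the validate call tests the wrong method name: `if (method_exists($this->actionObject, $this->actionName))` checks that the action itself exists and then calls `$validateMethod`, so a whitelisted action without a validateXxx() counterpart (ImportHandler gets one for resetMapping in this commit, UserCollapsibleSidebarHandler none for toggle) fails with a call to an undefined method instead of being dispatched. It should read `if (method_exists($this->actionObject, $validateMethod)) {`. The old `!method_exists($this->actionObject, $this->actionName)` test was dropped, so a whitelisted name that is not a method now reaches the final call unguarded; re-add that existence check after the whitelist test, once `$this->actionObject` exists, so it still raises UserInputException. `in_array($this->actionName, $className::$allowInvoke)` should pass `true` as its third argument so the whitelist comparison is strict. The enclosing method starts before the hunk.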
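Review bot: `implements IAJAXInvokeAction` on ImportHandler is not what the dispatcher enforces: the accessibility check added to AJAXInvokeAction in this commit gates solely on `property_exists($className, 'allowInvoke')`, so a class can be invoked without implementing the interface, and implementing it without the property grants nothing. If the interface is meant to mark remotely invokable singletons, the dispatcher should require it as well (for example `is_subclass_of($className, 'wcf\system\IAJAXInvokeAction')` next to the property check), or the interface's docblock should state that `public static $allowInvoke` is expected alongside it; what IAJAXInvokeAction declares is not visible here. The class body continues outside the hunk.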
@@ -40,6 +41,12 @@ class ImportHandler extends SingletonFactory {
 */
 protected $userMergeMode = 2;
+ /**
+ * list of methods allowed for remote invoke
+ * @var array
+ */
+ public static $allowInvoke = array('resetMapping');
+
 /**
 * @see wcf\system\SingletonFactory::init()
 */
@@ -110,6 +117,13 @@ class ImportHandler extends SingletonFactory {
 unset($this->idMappingCache[$objectTypeID][$oldID]);
 }
+ /**
+ * Validates accessibility of resetMapping().
+ */
+ public function validateResetMapping() {
+ WCF::getSession()->checkPermissions(array('admin.system.canImportData'));
+ }
+
 /**
 * Resets the mapping.
 */
diff --git a/wcfsetup/install/files/lib/system/user/collapsible/content/UserCollapsibleSidebarHandler.class.php b/wcfsetup/install/files/lib/system/user/collapsible/content/UserCollapsibleSidebarHandler.class.php
index 7367f42cba..10972761f2 100644
--- a/wcfsetup/install/files/lib/system/user/collapsible/content/UserCollapsibleSidebarHandler.class.php
+++ b/wcfsetup/install/files/lib/system/user/collapsible/content/UserCollapsibleSidebarHandler.class.php
@@ -16,6 +16,12 @@ use wcf\util\StringUtil;
 * @category Community Framework
 */
 class UserCollapsibleSidebarHandler extends SingletonFactory implements IAJAXInvokeAction {
+ /**
+ * list of methods allowed for remote invoke
+ * @var array
+ */
+ public static $allowInvoke = array('toggle');
+
 /**
 * Toggles a sidebar.
 */
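Review bot: `toggle` is whitelisted here without a companion `validateToggle()`, unlike ImportHandler, which pairs `resetMapping` with a permission check in the same commit; whether toggle() needs one depends on its body, which lies outside the hunk, so either add a `validateToggle()` or extend the docblock with a sentence stating that toggle is deliberately open to every session. With the dispatcher as written in AJAXInvokeAction (its guard tests `$this->actionName` where it should test `$validateMethod`), whitelisting a method that has no validate counterpart ends in a call to an undefined method, so this entry cannot work until that guard is corrected or `validateToggle()` exists. The class body continues outside the hunk.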