Revision 1406
Added by FrankH almost 15 years ago
- Security fix to stop users from changing module contents without permission, thanks to Michael Schwarz
| branches/2.8.x/CHANGELOG | ||
|---|---|---|
| 11 | 11 |
! = Update/Change |
| 12 | 12 |
|
| 13 | 13 |
------------------------------------- 2.8.2 ------------------------------------- |
| 14 |
22 Jan-2011 Build 1406 Frank Heyne (FrankH) |
|
| 15 |
# Security fix to stop users from changing module contents without permission, thanks to Michael Schwarz |
|
| 14 | 16 |
22 Jan-2011 Build 1405 Frank Heyne (FrankH) |
| 15 | 17 |
# Security fix (XSS) in form module, thanks to Michael Schwarz |
| 16 | 18 |
22 Jan-2011 Build 1404 Dietmar Woellbrink (Luisehahne) |
| branches/2.8.x/wb/admin/pages/add.php | ||
|---|---|---|
| 49 | 49 |
$admin_groups[] = 1; |
| 50 | 50 |
$viewing_groups[] = 1; |
| 51 | 51 |
|
| 52 |
// check parent page permissions: |
|
| 52 | 53 |
if ($parent!=0) {
|
| 53 | 54 |
if (!$admin->get_page_permission($parent,'admin')) |
| 54 | 55 |
{
|
| ... | ... | |
| 60 | 61 |
$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']); |
| 61 | 62 |
} |
| 62 | 63 |
|
| 64 |
// check module permissions: |
|
| 65 |
if (!$admin->get_permission($module, 'module')) |
|
| 66 |
{
|
|
| 67 |
$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']); |
|
| 68 |
} |
|
| 69 |
|
|
| 63 | 70 |
// Validate data |
| 64 | 71 |
if($title == '' || substr($title,0,1)=='.') |
| 65 | 72 |
{
|
| ... | ... | |
| 75 | 82 |
if (in_array($adm_group, $admin->get_groups_id())) |
| 76 | 83 |
{
|
| 77 | 84 |
$admin_perm_ok = true; |
| 78 |
} |
|
| 85 |
}
|
|
| 79 | 86 |
} |
| 80 | 87 |
if ($admin_perm_ok == false) |
| 81 | 88 |
{
|
| branches/2.8.x/wb/admin/interface/version.php | ||
|---|---|---|
| 52 | 52 |
|
| 53 | 53 |
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled) |
| 54 | 54 |
if(!defined('VERSION')) define('VERSION', '2.8.2.RC5');
|
| 55 |
if(!defined('REVISION')) define('REVISION', '1405');
|
|
| 55 |
if(!defined('REVISION')) define('REVISION', '1406');
|
|
| 56 | 56 |
|
| 57 | 57 |
?> |
| branches/2.8.x/wb/modules/admin.php | ||
|---|---|---|
| 70 | 70 |
$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']); |
| 71 | 71 |
} |
| 72 | 72 |
|
| 73 |
// some additional security checks: |
|
| 74 |
// Check whether the section_id belongs to the page_id at all |
|
| 75 |
if ($section_id != 0) {
|
|
| 76 |
$sql = "SELECT module FROM `".TABLE_PREFIX."sections` WHERE `page_id` = '$page_id' AND `section_id` = '$section_id'"; |
|
| 77 |
$res_sec = $database->query($sql); |
|
| 78 |
if ($database->is_error()) |
|
| 79 |
{
|
|
| 80 |
$admin->print_error($database->get_error()); |
|
| 81 |
} |
|
| 82 |
if ($res_sec->numRows() == 0) |
|
| 83 |
{
|
|
| 84 |
$admin->print_error($MESSAGE['PAGES']['NOT_FOUND']); |
|
| 85 |
} |
|
| 86 |
|
|
| 87 |
// check module permissions: |
|
| 88 |
$sec = $res_sec->fetchRow(); |
|
| 89 |
if (!$admin->get_permission($sec['module'], 'module')) |
|
| 90 |
{
|
|
| 91 |
$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']); |
|
| 92 |
} |
|
| 93 |
} |
|
| 94 |
|
|
| 73 | 95 |
// Workout if the developer wants to show the info banner |
| 74 | 96 |
if(isset($print_info_banner) && $print_info_banner == true) {
|
| 75 | 97 |
|
Also available in: Unified diff