secure scripts which should not be called directly (install/update stuff); avoid url-manipulation

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
2014-12-27 15:13:25 +01:00
parent 4523ef87b7
commit 4b0507c4d3
4 changed files with 35 additions and 0 deletions
--- a/install/updates/froxlor/0.9/update_0.9.inc.php
+++ b/install/updates/froxlor/0.9/update_0.9.inc.php
@@ -15,6 +15,15 @@
 *
 */
 if (!defined('AREA')
 		|| (defined('AREA') && AREA != 'admin')
 		|| !isset($userinfo['loginname'])
 		|| (isset($userinfo['loginname']) && $userinfo['loginname'] == '')
 ) {
 	header('Location: ../../../../index.php');
 	exit;
 }
 if (isFroxlorVersion('0.9-r0')) {
 	showUpdateStep("Updating from 0.9-r0 to 0.9-r1", false);
--- a/install/updates/froxlor/upgrade_syscp.inc.php
+++ b/install/updates/froxlor/upgrade_syscp.inc.php
@@ -15,6 +15,15 @@
 *
 */
 if (!defined('AREA')
 		|| (defined('AREA') && AREA != 'admin')
 		|| !isset($userinfo['loginname'])
 		|| (isset($userinfo['loginname']) && $userinfo['loginname'] == '')
 ) {
 	header('Location: ../../../index.php');
 	exit;
 }
 $updateto = '0.9-r0';
 $frontend = 'froxlor';
--- a/install/updatesql.php
+++ b/install/updatesql.php
@@ -17,6 +17,15 @@
 *
 */
 if (!defined('AREA')
 	|| (defined('AREA') && AREA != 'admin')
 	|| !isset($userinfo['loginname'])
 	|| (isset($userinfo['loginname']) && $userinfo['loginname'] == '')
 ) {
 	header('Location: ../index.php');
 	exit;
 }
 $updatelog = FroxlorLogger::getInstanceOf(array('loginname' => 'updater'));
 $updatelogfile = validateUpdateLogFile(makeCorrectFile(dirname(__FILE__).'/update.log'));
--- a/lib/functions/output/function.buildNavigation.php
+++ b/lib/functions/output/function.buildNavigation.php
@@ -31,6 +31,14 @@ function buildNavigation($navigation, $userinfo) {
 	$returnvalue = '';
 	// sanitize user-given input (url-manipulation)
 	if (isset($_GET['page']) && is_array($_GET['page'])) {
 		$_GET['page'] = (string)$_GET['page'][0];
 	}
 	if (isset($_GET['action']) && is_array($_GET['action'])) {
 		$_GET['action'] = (string)$_GET['action'][0];
 	}
 	foreach($navigation as $box) {
 		if ((!isset($box['show_element']) || $box['show_element'] === true) &&
 			(!isset($box['required_resources']) || $box['required_resources'] == '' || (isset($userinfo[$box['required_resources']]) && ((int)$userinfo[$box['required_resources']] > 0 || $userinfo[$box['required_resources']] == '-1')))) {