Comments (6)
I definitely agree that we need a solution here. I know some developers who simply drop the include of class.secure.php. That is definitely a security problem. If we give module authors a way to handle their own files, this would be a great improvement.
But we should limit this to the module folder, so a module author can't allow any file outside
LEPTON_PATH . '/modules/' . $module_directory . '/' . {FILES DEFINED BY AUTHOR}
We could add a new file, files.inc.php, that stores the files that should be added for this module in an array. Something like:
$secure_files = array(
    'add_xcz.php',
    '/modiyxyz/xyz.php'
);
We could search for this array inside the install.php or upgrade.php as this array is only needed on installation.
from blackcatcms.
The solution I created is a bit different. I added a function to the Addons-Helper that allows registering files. It can be used by install.php or upgrade.php. Here's the code for the News module, for example:
// add files to class_secure
foreach (
    array( 'add_group.php', 'add_post.php', 'comment.php', 'delete_comment.php', 'delete_group.php', 'delete_post.php',
           'modify_comment.php', 'modify_group.php', 'modify_post.php', 'modify_settings.php', 'move_down.php', 'move_up.php',
           'rss.php', 'save_comment.php', 'save_group.php', 'save_post.php', 'save_settings.php', 'submit_comment.php' )
    as $file
) {
    // register the file for module 'news'; the helper returns false on failure
    if ( false === $admin->get_helper('Addons')->sec_register_file( 'news', $file ) )
    {
        error_log( "Unable to register file -$file-!" );
    }
}
Filenames must be relative to the module dir, so giving paths outside module directory is not allowed. The list is stored in a new table called class_secure. Core files have mod_id 0, while all other files have mod_id from addons table. So it's easy to remove all file entries on module uninstall without forcing the module dev to do so.
Open ToDos:
- Drop id column from table class_secure (I always add an auto_increment column as the first thing, but it's not needed here)
- Add some checks to the sec_register_file() method:
  - Do not allow use outside the installer (don't know if this is possible)
  - Validate the given file path
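One way to implement the "validate the given file path" item from the ToDo list, and to enforce the "filenames must be relative to the module dir" rule from the comment above it. This is an added example, not code from BlackCat CMS or its Addons-Helper; the function names, the modules root passed in, the treatment of a leading slash as "relative to the module dir" (as in the '/modiyxyz/xyz.php' notation in the first comment), and the restriction to .php names are all assumptions. The check is purely lexical, so it works at install time even before the files exist and does not depend on realpath() or symlink behaviour.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not BlackCat CMS code): lexical validation of a file name
 * before it is registered in a class_secure-style whitelist for a module.
 *
 * Returns the normalised path relative to the module directory
 * (e.g. "sub/dir/file.php") or null if the name must be rejected.
 */
function sec_validate_module_file(string $module, string $file): ?string
{
    // Assumption: module directory names are plain identifiers.
    if (preg_match('/^[A-Za-z0-9_-]+$/', $module) !== 1) {
        return null;
    }
    // Null bytes and backslashes have no business in a registered file name.
    if ($file === '' || strpos($file, "\0") !== false || strpos($file, '\\') !== false) {
        return null;
    }
    // Assumption: a leading slash means "relative to the module dir";
    // a Windows drive prefix is always rejected.
    $file = ltrim($file, '/');
    if ($file === '' || preg_match('/^[A-Za-z]:/', $file) === 1) {
        return null;
    }
    $parts = [];
    foreach (explode('/', $file) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;               // collapse "//" and "./"
        }
        if ($segment === '..') {
            return null;            // never climb, even if it would stay inside
        }
        if (preg_match('/^[A-Za-z0-9._-]+$/', $segment) !== 1) {
            return null;            // anything outside a conservative charset
        }
        $parts[] = $segment;
    }
    // Assumption: only PHP entry points get registered.
    if ($parts === [] || substr(end($parts), -4) !== '.php') {
        return null;
    }
    return implode('/', $parts);
}

/**
 * Resolve a validated relative name to an absolute path below the modules
 * root (LEPTON_PATH . '/modules' in the first comment). The modules root is
 * a hypothetical parameter here.
 */
function sec_module_file_path(string $modulesRoot, string $module, string $file): ?string
{
    $rel = sec_validate_module_file($module, $file);
    if ($rel === null) {
        return null;
    }
    $base = rtrim($modulesRoot, '/') . '/' . $module . '/';
    $full = $base . $rel;
    // Belt and braces: the assembled path must still start with the module dir.
    return strncmp($full, $base, strlen($base)) === 0 ? $full : null;
}

// Constructed inputs for demonstration (not from the project).
$cases = [
    'add_post.php',
    '/modiyxyz/xyz.php',
    '../../config.php',
    'sub/../../other/x.php',
    "rss.php\0.txt",
    '/etc/passwd',
    'C:/windows/win.ini',
    'save_post.inc',
];
foreach ($cases as $c) {
    $res = sec_module_file_path('/var/www/modules', 'news', $c);
    printf("%-28s => %s\n", json_encode($c), $res ?? 'REJECTED');
}
```

Of the constructed inputs only the first two are accepted, resolving to /var/www/modules/news/add_post.php and /var/www/modules/news/modiyxyz/xyz.php; every traversal, null-byte, drive-letter and non-.php name is rejected. Calling the validator inside sec_register_file() before the INSERT into class_secure, and returning false on null, would let the install.php loop above log the offending name exactly as it already does.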
We should find a method to force the use of class.secure.php somehow. At least by not listing modules that don't use it in the repository.
Added some more functionality:
- auto-add csrf-magic in backend
- auto-check authentication in backend (checks for configured backend subfolder name in current path)
- auto-set template search path for backend (this is done in initialize.php for the frontend)
IMPORTANT NOTE: Ajax is allowed via POST only and must set _cat_ajax param.
As this was meant as a brainstorming issue and no more suggestions were made, I am closing this issue now. Just open a new one if you have suggestions on how to extend the class with more features.