Nemcio/Grav-Admin-Plugin
1
0
Fork 0
mirror of https://github.com/getgrav/grav-plugin-admin.git synced 2025-10-27 08:16:41 +01:00
Code Issues Packages Projects Releases Activity

Fixed a glitch which allows user to delete entire pages directory, Admin 1.10 edition [#1941]

Browse Source
This commit is contained in:
Matias Griese
2020-08-28 13:38:58 +03:00
parent 40a611da7a
commit 6bcc5f7636
1 changed files with 16 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
classes/plugin/AdminController.php
View File

@@ -1251,6 +1251,11 @@ class AdminController extends AdminBaseController
$data = (array)$this->data; $data = (array)$this->data;
$folder = $data['folder'] ?? '';
if ($folder === '' || mb_strpos($folder, '/') !== false) {
throw new \RuntimeException('Creating folder failed: bad folder name', 400);
}
if ($data['route'] === '' || $data['route'] === '/') { if ($data['route'] === '' || $data['route'] === '/') {
$path = $this->grav['locator']->findResource('page://'); $path = $this->grav['locator']->findResource('page://');
} else { } else {
@@ -1264,7 +1269,7 @@ class AdminController extends AdminBaseController
} }
$orderOfNewFolder = static::getNextOrderInFolder($path); $orderOfNewFolder = static::getNextOrderInFolder($path);
$new_path = $path . '/' . $orderOfNewFolder . '.' . $data['folder']; $new_path = $path . '/' . $orderOfNewFolder . '.' . $folder;
Folder::create($new_path); Folder::create($new_path);
Cache::clearCache('invalidate'); Cache::clearCache('invalidate');
@@ -1293,6 +1298,11 @@ class AdminController extends AdminBaseController
/** @var PageInterface $obj */ /** @var PageInterface $obj */
$obj = $this->admin->page(true); $obj = $this->admin->page(true);
$folder = $data['folder'] ?? null;
if ($folder === '' || mb_strpos($folder, '/') !== false) {
throw new \RuntimeException('Saving page failed: bad folder name', 400);
}
if (!isset($data['folder']) || !$data['folder']) { if (!isset($data['folder']) || !$data['folder']) {
$data['folder'] = $obj->slug(); $data['folder'] = $obj->slug();
$this->data['folder'] = $obj->slug(); $this->data['folder'] = $obj->slug();
@@ -1679,9 +1689,14 @@ class AdminController extends AdminBaseController
$folder = \Grav\Plugin\Admin\Utils::slug($title) ?: ''; $folder = \Grav\Plugin\Admin\Utils::slug($title) ?: '';
} }
$folder = ltrim($folder, '_'); $folder = ltrim($folder, '_');
if ($folder === '' || mb_strpos($folder, '/') !== false) {
throw new \RuntimeException('Creating page failed: bad folder name', 400);
}
if (!empty($data['modular'])) { if (!empty($data['modular'])) {
$folder = '_' . $folder; $folder = '_' . $folder;
} }
$data['folder'] = $folder; $data['folder'] = $folder;
$path = $route . '/' . $folder; $path = $route . '/' . $folder;