From 89960d47a56544eea91b4bba0daf35443584b2b7 Mon Sep 17 00:00:00 2001 From: uzulla Date: Sun, 6 Jun 2021 17:40:18 +0900 Subject: [PATCH 01/21] Bugfix: to force type cast. $value['extend'] may be null. --- app/src/Web/Fc2BlogTemplate.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/src/Web/Fc2BlogTemplate.php b/app/src/Web/Fc2BlogTemplate.php index a2805cae..8162e3e4 100644 --- a/app/src/Web/Fc2BlogTemplate.php +++ b/app/src/Web/Fc2BlogTemplate.php @@ -45,7 +45,7 @@ static public function preprocessingData(Request $request, array $data): array // 自動改行処理 if ($value['auto_linefeed'] == Config::get('ENTRY.AUTO_LINEFEED.USE')) { $data['entries'][$key]['body'] = nl2br($value['body']); - $data['entries'][$key]['extend'] = nl2br($value['extend']); + $data['entries'][$key]['extend'] = nl2br((string)$value['extend']); } // topentry_enc_* 系タグの生成 From c9d212ac9ef9818bc918acfc5492bbe7ee719a19 Mon Sep 17 00:00:00 2001 From: uzulla Date: Sun, 6 Jun 2021 17:41:50 +0900 Subject: [PATCH 02/21] Bugfix: fix wrong title. --- app/twig_templates/user/common/error400.twig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/twig_templates/user/common/error400.twig b/app/twig_templates/user/common/error400.twig index c13004c8..f4730c0e 100644 --- a/app/twig_templates/user/common/error400.twig +++ b/app/twig_templates/user/common/error400.twig @@ -1,5 +1,5 @@ {% extends 'user/layouts/default.twig' %} -{% block title %}{{ _('403 Forbidden.') }}{% endblock %} +{% block title %}{{ _('400 BadRequest.') }}{% endblock %} {% block content %}
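Review bot: The `(string)` cast on the `extend` line silences the null case rather than handling it, and the line just above still passes `$value['body']` to `nl2br()` uncast, so if `body` can be null the same problem remains there. `nl2br($value['extend'] ?? '')` says what is meant and reads identically for both keys. preprocessingData() begins and ends outside the hunk, and whether `body` is nullable is not visible here, so the second half is something to confirm against the schema.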

{{ _('400 BadRequest.') }}

From 432cdeadf7faf3c34620d9dad26b32ed9bb7b621 Mon Sep 17 00:00:00 2001 From: uzulla Date: Sun, 6 Jun 2021 18:04:10 +0900 Subject: [PATCH 03/21] add request->isPost() --- app/src/Web/Request.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/app/src/Web/Request.php b/app/src/Web/Request.php index 21e3b626..f61e79e9 100644 --- a/app/src/Web/Request.php +++ b/app/src/Web/Request.php @@ -303,6 +303,15 @@ public function isGet(): bool return $this->method === 'GET'; } + /** + * リクエストメソッドがPOSTか判定を行う + * @return bool + */ + public function isPost(): bool + { + return $this->method === 'POST'; + } + /** * @param string $key * @return bool @@ -346,7 +355,7 @@ public function getCookie(string $cookie_name, string $default = null) */ public function isValidPost(): bool { - return $this->method === "POST" && $this->isValidSig(); + return $this->isPost() && $this->isValidSig(); } public function isValidSig(): bool From e35668da02527083a91c183f55eacf88d21d40b3 Mon Sep 17 00:00:00 2001 From: uzulla Date: Sun, 6 Jun 2021 18:08:45 +0900 Subject: [PATCH 04/21] Add http request method validation. --- .../Web/Controller/User/BlogsController.php | 4 ++ .../Web/Controller/User/CommonController.php | 21 ++++++++-- .../Web/Controller/User/EntriesController.php | 40 +++++++++++++++++-- 3 files changed, 59 insertions(+), 6 deletions(-) diff --git a/app/src/Web/Controller/User/BlogsController.php b/app/src/Web/Controller/User/BlogsController.php index 2d3a1767..6b31479e 100644 --- a/app/src/Web/Controller/User/BlogsController.php +++ b/app/src/Web/Controller/User/BlogsController.php @@ -19,6 +19,8 @@ class BlogsController extends UserController */ public function index(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $blog = (new BlogsModel())->findByRandom(); if (empty($blog)) { return $this->error404(); 
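Review bot: The new guard at the top of `index()` turns HEAD requests into 400s, because `Request::isGet()` (context line in the Request.php hunk earlier on this line) is a strict `=== 'GET'`; `feed()` in the next hunk gets the same gate, and feed readers and uptime monitors commonly send HEAD to public URLs. For read-only pages the guard should accept HEAD alongside GET, and a rejected method is better reported as 405 with an `Allow` header than as 400. The smallest change is in `Request::isGet()`, `return in_array($this->method, ['GET', 'HEAD'], true);`, though that widens every existing caller and so needs a pass over them; how `$this->method` is populated is not visible here. index() continues past the hunk.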
@@ -34,6 +36,8 @@ public function index(Request $request): string */ public function feed(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $blogs_model = new BlogsModel(); $blog = $blogs_model->findById($request->getBlogId()); if (empty($blog)) { diff --git a/app/src/Web/Controller/User/CommonController.php b/app/src/Web/Controller/User/CommonController.php index bd075923..84e1f01b 100644 --- a/app/src/Web/Controller/User/CommonController.php +++ b/app/src/Web/Controller/User/CommonController.php @@ -20,9 +20,12 @@ class CommonController extends UserController /** * 言語設定変更 * @param Request $request + * @return string */ - public function lang(Request $request) + public function lang(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // 言語の設定 $lang = $request->get('lang'); if (Config::get('LANGUAGES.' . $lang)) { @@ -31,14 +34,18 @@ public function lang(Request $request) // 元のURLに戻す $this->redirectBack($request, '/'); + return ""; } /** * デバイス変更 * @param Request $request + * @return string */ - public function device_change(Request $request) + public function device_change(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // デバイスの設定 $device_type = 0; $device = $request->get('device'); @@ -56,15 +63,20 @@ public function device_change(Request $request) Cookie::set($request, 'device', $device_type); $this->redirectBack($request, array('controller' => 'entries', 'action' => 'index', 'blog_id' => $request->getBlogId())); + return ""; } const CAPTCHA_TOKEN_KEY_NAME = 'token'; + /** * 画像認証 * @param Request $request + * @return string */ - public function captcha(Request $request) + public function captcha(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $size_x = 200; $size_y = 40; // 自動テスト用に"DEBUG_FORCE_CAPTCHA_KEY"環境変数で、Captchaキーの固定機能 
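Review bot: The `return "";` appended after `$this->redirectBack(...)` in `lang()` (and again in `device_change()` in the following hunk) is only meaningful if `redirectBack()` can return, and in that case an empty string is handed back as the template path; nothing in the hunk shows whether `redirectBack()` exits or is bypassed under test, as the `THIS_IS_TEST` check in `getOutput()` (PATCH 10) hints. A comment on the line, `// redirectBack() exits in production; the return satisfies the string type under test`, would tell the next reader which path is live, once that is confirmed. lang() and device_change() both run past their hunks.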
@@ -96,6 +108,7 @@ public function captcha(Request $request) } catch (Exception $e) { throw new RuntimeException("drawNumber failed. {$e->getMessage()} {$e->getFile()}:{$e->getLine()}"); } + return ""; } /** @@ -117,6 +130,8 @@ public static function isValidCaptcha(Request $request): bool */ public function thumbnail(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $blog_id = $request->get('blog_id'); $id = $request->get('id'); $ext = $request->get('ext'); diff --git a/app/src/Web/Controller/User/EntriesController.php b/app/src/Web/Controller/User/EntriesController.php index 99104256..1d5db04b 100644 --- a/app/src/Web/Controller/User/EntriesController.php +++ b/app/src/Web/Controller/User/EntriesController.php @@ -88,6 +88,8 @@ protected function beforeFilter(Request $request): void */ public function index(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $blog_id = $request->getBlogId(); if (!$blog_id) { Log::notice("missing blog_id parameter. redirect to top. blog_id: {$blog_id}"); @@ -112,6 +114,8 @@ public function index(Request $request): string */ public function search(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $where = 'blog_id=?'; $params = array($request->getBlogId()); @@ -139,6 +143,8 @@ public function search(Request $request): string */ public function category(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $blog_id = $request->getBlogId(); $category_id = $request->get('cat'); @@ -173,6 +179,8 @@ public function category(Request $request): string */ public function tag(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // タグ検索 $blog_id = $request->getBlogId(); $tag_name = $request->get('tag'); 
@@ -206,6 +214,8 @@ public function tag(Request $request): string */ public function date(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // 開始日付と終了日付の計算 preg_match('/^([0-9]{4})([0-9]{2})?([0-9]{2})?$/', $request->get('date'), $matches); $dates = $matches + array('', date('Y'), 0, 0); @@ -231,6 +241,8 @@ public function date(Request $request): string */ public function archive(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // 記事一覧データ設定 $options = array( 'fields' => array( @@ -266,7 +278,7 @@ public function preview(Request $request): string return $this->error404(); } - // 記事のプレビュー + // 記事のプレビュー(POST) if ($request->get('entry')) { return $this->preview_entry($request); } @@ -297,6 +309,8 @@ public function preview(Request $request): string */ private function preview_fc2_template(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $blog_id = $request->getBlogId(); // 記事一覧データ設定 @@ -334,6 +348,8 @@ private function preview_fc2_template(Request $request): string */ private function preview_template(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $blog_id = $request->getBlogId(); // 記事一覧データ設定 @@ -371,6 +387,8 @@ private function preview_template(Request $request): string */ private function preview_plugin(Request $request): string { + if (!$request->isPost()) return $this->error400(); + $blog_id = $request->getBlogId(); // プラグインのプレビュー情報取得 @@ -457,6 +475,8 @@ private function preview_plugin(Request $request): string */ private function preview_entry(Request $request): string { + if (!$request->isPost()) return $this->error400(); + $blog_id = $request->getBlogId(); // DBの代わりにリクエストから取得 @@ -509,6 +529,8 @@ private function preview_entry(Request $request): string */ public function view(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $blog_id = $request->getBlogId(); $entry_id = (int)$request->get('id'); 
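Review bot: The method gates added to the four private `preview_*` handlers sit below `preview()`'s dispatch, which chooses a handler by which request parameter is present rather than by method, so the same GET is a 400 when it carries `entry` and a rendered preview when it does not. That is a property of the dispatch, not of each branch, and a single check in `preview()` keyed on the same parameters it already dispatches on would keep request-method concerns out of the private methods. preview() is only partly visible here (its hunk shows just the comment change), so the full set of dispatch keys should be taken from the complete function.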
@@ -641,6 +663,8 @@ private function isEntryNeedAuth($entry): bool */ public function plugin(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $blog_id = $request->getBlogId(); $id = $request->get('id'); @@ -657,6 +681,7 @@ public function plugin(Request $request): string * 記事のパスワード認証 * @param Request $request * @return string + * TODO POST化 */ public function password(Request $request): string { @@ -702,7 +727,8 @@ public function blog_password(Request $request): string } // 認証処理 - if ($request->get('blog')) { + // TODO Sigがない + if ($request->get('blog') && $request->isPost()) { if (password_verify($request->get('blog.password'), $blog->blog_password)) { Session::set($this->getBlogPasswordKey($blog->id), true); $this->set('auth_success', true); // for testing. @@ -723,6 +749,8 @@ public function blog_password(Request $request): string */ public function comment_regist(Request $request): string { + if (!$request->isPost()) return $this->error400(); + $blog_id = $request->getBlogId(); // ブログの設定情報取得(captchaの使用可否で画面切り替え) @@ -854,7 +882,7 @@ public function comment_edit(Request $request): string $this->set('edit_entry', $entry); // 初期表示処理 - if (!$request->get('comment.id')) { + if (!$request->get('comment.id') && $request->isGet()) { $this->set('edit_comment', $comment); // FC2用のテンプレートで表示 @@ -863,7 +891,11 @@ public function comment_edit(Request $request): string return $this->getFc2TemplatePath($blog_id); } + // これ以後はPOSTでのみ処理を許可する + if (!$request->isPost()) return $this->error400(); + // 削除ボタンを押された場合の処理(comment_deleteに処理を移譲) + // TODO sig if ($request->get('comment.delete')) { return $this->comment_delete($request); } @@ -913,6 +945,8 @@ public function comment_edit(Request $request): string */ public function comment_delete(Request $request): string { + if (!$request->isPost()) return $this->error400(); + $comments_model = new CommentsModel(); $blog_id = $request->getBlogId(); 
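Review bot: In `blog_password()` the new `&& $request->isPost()` guard stops GET submissions, but the value fed to `password_verify()` is still the raw `$request->get('blog.password')`, and if nested keys can come back as arrays (a `blog[password][]=x` body) PHP 8 throws a TypeError there instead of failing the login; the `// TODO Sigがない` note covers CSRF, not input type. Rejecting non-strings up front, `if (!is_string($pw = $request->get('blog.password'))) return $this->error400();`, and passing `$pw` to `password_verify()` closes that. blog_password() starts before the hunk, and whether `get()` can return arrays for dotted keys is not visible here.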
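Review bot: The two gates in `comment_edit()` are asymmetric: the form branch now needs both no `comment.id` and GET, and everything else must be POST, so a GET carrying `comment.id` gets a 400 instead of the form, while a POST without `comment.id` skips the form and appears to run the edit logic with an empty id. If the intent is "GET shows the form, POST processes it", `if ($request->isGet()) { … form … }` followed by `if (!$request->isPost()) return $this->error400();` says that directly, and a missing id can then be rejected explicitly. The delegation to `comment_delete()` still carries `// TODO sig`, so a cross-site POST reaches it after this change; comment_edit() begins outside the hunk.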
From cfde3ce21e506c050132c0aeeff82fc429c2f061 Mon Sep 17 00:00:00 2001 From: uzulla Date: Sun, 6 Jun 2021 18:28:48 +0900 Subject: [PATCH 05/21] add todo --- app/twig_templates/admin/blog_plugins/index.twig | 1 + 1 file changed, 1 insertion(+) diff --git a/app/twig_templates/admin/blog_plugins/index.twig b/app/twig_templates/admin/blog_plugins/index.twig index 4a53d070..04d8f2a0 100644 --- a/app/twig_templates/admin/blog_plugins/index.twig +++ b/app/twig_templates/admin/blog_plugins/index.twig @@ -70,6 +70,7 @@ var blog_plugins = {{ blog_plugin_json|json_encode()|raw }}; $(function () { // 表示切り替え + {# TODO POST methodに変更 #} $('input[type=checkbox][name="blog_plugin[display]"]').on('click', function () { $.ajax({ url: common.fwURL('blog_plugins', 'display_change', { From 99c28de1cd997a39fa6f4d1686b3af8ae1ed5fcf Mon Sep 17 00:00:00 2001 From: uzulla Date: Sun, 6 Jun 2021 19:23:45 +0900 Subject: [PATCH 06/21] Add http request method validation. --- .../Admin/BlogPluginsController.php | 60 ++++++++++++++++--- 1 file changed, 52 insertions(+), 8 deletions(-) diff --git a/app/src/Web/Controller/Admin/BlogPluginsController.php b/app/src/Web/Controller/Admin/BlogPluginsController.php index e22dbb84..3f967c0d 100644 --- a/app/src/Web/Controller/Admin/BlogPluginsController.php +++ b/app/src/Web/Controller/Admin/BlogPluginsController.php @@ -19,6 +19,8 @@ class BlogPluginsController extends AdminController */ public function index(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $blog_id = $this->getBlogIdFromSession(); $device_type = $request->get('device_type', (string)Config::get('DEVICE_PC'), Request::VALID_IN_ARRAY, Config::get('ALLOW_DEVICES')); $this->set('device_type', $device_type); @@ -53,6 +55,8 @@ public function index(Request $request): string */ public function official_search(Request $request): string { + if (!$request->isGet()) return $this->error400(); + return $this->plugin_search($request); } 
@@ -63,11 +67,13 @@ public function official_search(Request $request): string */ public function share_search(Request $request): string { + if (!$request->isGet()) return $this->error400(); + return $this->plugin_search($request, false); } /** - * プラグイン検索 + * プラグイン検索 (内部呼び出し) * @param Request $request * @param bool $is_official * @return string @@ -142,6 +148,9 @@ public function create(Request $request): string return "admin/blog_plugins/create.twig"; } + // 以下は更新処理なので、POST必須 + if (!$request->isPost()) return $this->error400(); + // 新規登録処理 $errors = array(); $white_list = array('title', 'title_align', 'title_color', 'contents', 'contents_align', 'contents_color', 'device_type', 'category'); @@ -179,7 +188,7 @@ public function edit(Request $request): string $this->set('device_type', $request->get('blog_plugin.device_type')); $this->set('device_type_sp', (string)Config::get('DEVICE_SP')); - // 編集対象のデータ取得 + // 編集対象のデータ取得、なければリダイレクト if (!$blog_plugin = $blog_plugins_model->findByIdAndBlogId($id, $blog_id)) { $this->redirect($request, array('action' => 'index')); } @@ -190,6 +199,9 @@ public function edit(Request $request): string return "admin/blog_plugins/edit.twig"; } + // 以下は更新処理なので、POST必須 + if (!$request->isPost()) return $this->error400(); + // 更新処理 $errors = array(); $white_list = array('title', 'title_align', 'title_color', 'contents', 'contents_align', 'contents_color'); @@ -211,8 +223,9 @@ public function edit(Request $request): string /** * 削除 * @param Request $request + * @return string */ - public function delete(Request $request) + public function delete(Request $request): string { $blog_plugins_model = Model::load('BlogPlugins'); 
@@ -225,12 +238,16 @@ public function delete(Request $request) $this->redirect($request, array('action' => 'index')); } + // 以下は更新処理なので、POST必須 + if (!$request->isPost()) return $this->error400(); + if ($request->isValidSig()) { // 削除処理 $blog_plugins_model->deleteByIdAndBlogId($id, $blog_id); $this->setInfoMessage(__('I removed the plugin')); } $this->redirect($request, array('action' => 'index', 'device_type' => $blog_plugin['device_type'])); + return ""; } /** @@ -267,6 +284,9 @@ public function register(Request $request): string return 'admin/blog_plugins/register.twig'; } + // 以下は更新処理なので、POST必須 + if (!$request->isPost()) return $this->error400(); + // 新規登録処理 $errors = []; $white_list = ['title', 'body']; @@ -291,8 +311,9 @@ public function register(Request $request): string /** * 登録済みのプラグイン削除 * @param Request $request + * @return string */ - public function plugin_delete(Request $request) + public function plugin_delete(Request $request): string { $plugins_model = Model::load('Plugins'); @@ -304,19 +325,24 @@ public function plugin_delete(Request $request) $this->redirect($request, array('action' => 'search')); } + // 以下は更新処理なので、POST必須 + if (!$request->isPost()) return $this->error400(); + if ($request->isValidSig()) { // 削除処理 $plugins_model->deleteByIdAndUserId($id, $user_id); $this->setInfoMessage(__('I removed the plugin')); } $this->redirectBack($request, array('action' => 'search')); + return ""; } /** * プラグインのダウンロード * @param Request $request + * @return string */ - public function download(Request $request) + public function download(Request $request): string { $id = $request->get('id'); $plugin = Model::load('Plugins')->findById($id); @@ -325,6 +351,9 @@ public function download(Request $request) $this->redirectBack($request, array('controller' => 'blog_plugins', 'action' => 'index')); } + // 以下は更新処理なので、POST必須 + if (!$request->isPost()) return $this->error400(); + if ($request->isValidSig()) { // 追加用のデータを取得データから作成 $blog_plugin_data = array( 
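Review bot: In `delete()`, `plugin_delete()` and `download()` the new `isPost()` check sits after the record lookup and its redirect, so a GET with an unknown id is redirected, a GET with a valid id gets 400, and a POST with a bad sig falls through to the redirect with no message — three outcomes for one kind of bad request. Putting the method check first and folding the sig into it, `if (!$request->isValidPost()) return $this->error400();` as the first line of each, gives one early, consistent rejection and lets the `isValidSig()` branches collapse. All three functions start outside their hunks.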
@@ -344,20 +373,25 @@ public function download(Request $request) $this->setErrorMessage(__('I failed to download the plug-in')); } $this->redirectBack($request, array('controller' => 'blog_plugins', 'action' => 'index')); + return ""; } /** * 並べ替え * @param Request $request + * @return string */ - public function sort(Request $request) + public function sort(Request $request): string { + if (!$request->isPost()) return $this->error400(); + $blog_plugins_model = Model::load('BlogPlugins'); $blog_id = $this->getBlogIdFromSession(); $device_type = $request->get('device_type', Config::get('DEVICE_PC'), Request::VALID_IN_ARRAY, Config::get('ALLOW_DEVICES')); // 並べ替え処理 + // TODO Sigチェック不足 $blog_plugins_model->sort($request->get('blog_plugins', array()), $device_type, $blog_id); $this->setInfoMessage(__('I have completed the sorting')); @@ -365,14 +399,18 @@ public function sort(Request $request) $this->redirect($request, array('action' => 'index', 'device_type' => $device_type, 'state' => 'sort')); } $this->redirect($request, array('action' => 'index', 'device_type' => $device_type)); + return ""; } /** * プラグインの表示設定 * @param Request $request + * @return string */ - public function display_changes(Request $request) + public function display_changes(Request $request): string { + if (!$request->isPost()) return $this->error400(); + $blog_plugins_model = Model::load('BlogPlugins'); $blog_id = $this->getBlogIdFromSession(); 
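Review bot: `sort()` now refuses GET, but the `// TODO Sigチェック不足` line marks why that is not enough: a method check is not a CSRF defence, since a cross-origin `<form method="post">` submits a POST just as readily, and nothing in the visible lines of `display_changes()` checks a sig either. Replacing the gate with `if (!$request->isValidPost()) return $this->error400();` in both closes the gap and matches what `delete()` in this file already does with `isValidSig()`. If the index form does not yet carry a `sig` field, that is the template change to pair with this; display_changes() continues past the hunk.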
@@ -388,14 +426,19 @@ public function display_changes(Request $request) $this->redirect($request, array('action' => 'index', 'device_type' => $device_type, 'state' => 'display')); } $this->redirect($request, array('action' => 'index', 'device_type' => $device_type)); + return ""; } /** * プラグインの表示設定 * @param Request $request + * @return string */ - public function display_change(Request $request) + public function display_change(Request $request): string { + // TODO クライアント側の修正も行う + // if(!$request->isPost()) return $this->error400(); + $blog_plugins_model = Model::load('BlogPlugins'); $id = $request->get('id'); @@ -410,6 +453,7 @@ public function display_change(Request $request) // 表示・非表示設定 $blog_plugins_model->updateByIdAndBlogId(array('display' => $display), $id, $blog_id); // $blog_plugins_model->updateDisplay(array($id=>$request->get('display')), $blog_id); // TODO:後でこちらに置き換え + return ""; } } From 958991fb0db3a831fb54bab74c6cb550763cae2d Mon Sep 17 00:00:00 2001 From: uzulla Date: Sun, 6 Jun 2021 19:27:46 +0900 Subject: [PATCH 07/21] Add http request method validation. --- .../Web/Controller/Admin/BlogsController.php | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/app/src/Web/Controller/Admin/BlogsController.php b/app/src/Web/Controller/Admin/BlogsController.php index 335986ed..397a43b4 100644 --- a/app/src/Web/Controller/Admin/BlogsController.php +++ b/app/src/Web/Controller/Admin/BlogsController.php @@ -12,7 +12,6 @@ class BlogsController extends AdminController { - /** * 一覧表示 * @param Request $request @@ -20,6 +19,8 @@ class BlogsController extends AdminController */ public function index(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // ブログの一覧取得 $options = [ 'where' => 'user_id=?', @@ -54,6 +55,8 @@ public function create(Request $request): string return 'admin/blogs/create.twig'; } + if (!$request->isPost()) return $this->error400(); + $blogs_model = new BlogsModel(); // 新規登録処理 
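Review bot: `display_change()` is left with its gate commented out (`// if(!$request->isPost()) return $this->error400();`), so a plugin's visibility can still be toggled by a plain GET, which is forgeable from an `<img src>` on any page an admin visits; the `// TODO クライアント側の修正も行う` note should be treated as blocking. The ordering is client first — switch the `$.ajax` call in `blog_plugins/index.twig` to POST carrying the sig — then uncomment, since the server gate alone would break the feature. The rest of the method is outside the hunk, so whether any sig check exists there is not visible.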
@@ -91,7 +94,7 @@ public function edit(Request $request): string $this->set('tab', 'blog_edit'); // 初期表示時に編集データの設定 - if (!$request->get('blog') || !$request->isValidSig()) { + if (!$request->get('blog') || !$request->isValidPost()) { if (!$blog = $blogs_model->findById($blog_id)) { $this->redirect($request, ['action' => 'index']); } @@ -100,6 +103,8 @@ public function edit(Request $request): string } // 更新処理 + if (!$request->isPost()) return $this->error400(); + $white_list = ['name', 'introduction', 'nickname', 'timezone', 'blog_password', 'open_status', 'ssl_enable', 'redirect_status_code']; $errors['blog'] = $blogs_model->validate( // バリデーションのために、blog_idを引き回している。バリデーションを作り変えたい @@ -131,9 +136,12 @@ public function edit(Request $request): string /** * ブログの切り替え * @param Request $request + * @return string */ - public function choice(Request $request) + public function choice(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $blog_id = $request->get('blog_id'); // 切り替え先のブログの存在チェック @@ -142,6 +150,7 @@ public function choice(Request $request) $this->setBlog($blog); } $this->redirect($request, $request->baseDirectory); // トップページへリダイレクト + return ""; } /** @@ -151,9 +160,10 @@ public function choice(Request $request) */ public function delete(Request $request): string { + $this->set('tab', 'blog_delete'); // 退会チェック - if (!$request->get('blog.delete') || !$request->isValidSig()) { + if (!$request->get('blog.delete') || !$request->isValidPost()) { return 'admin/blogs/delete.twig'; } @@ -174,6 +184,4 @@ public function delete(Request $request): string $this->redirect($request, ['action' => 'index']); return 'admin/blogs/delete.twig'; // 到達しないはずである } - } - From 14fdd42e9934d6aab63d779145a555047d264b6d Mon Sep 17 00:00:00 2001 
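Review bot: The `if (!$request->isPost()) return $this->error400();` added under `// 更新処理` in `edit()` is unreachable: the branch above it returns unless `$request->isValidPost()` holds, and `isValidPost()` is `isPost() && isValidSig()` (PATCH 03), so the method is already known to be POST here. Either drop the new line, or keep the form condition on `isValidSig()` and let the new line carry the method check, but not both. The same dead pair appears in `create()` and `edit()` of BlogTemplatesController in PATCH 09; edit() begins before the hunk.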
From: uzulla Date: Sun, 6 Jun 2021 19:53:44 +0900 Subject: [PATCH 08/21] Add http request method validation. --- app/src/Web/Controller/Admin/BlogSettingsController.php | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/app/src/Web/Controller/Admin/BlogSettingsController.php b/app/src/Web/Controller/Admin/BlogSettingsController.php index 3f927b26..b154b355 100644 --- a/app/src/Web/Controller/Admin/BlogSettingsController.php +++ b/app/src/Web/Controller/Admin/BlogSettingsController.php @@ -10,7 +10,6 @@ class BlogSettingsController extends AdminController { - /** * コメント編集 * @param Request $request @@ -78,7 +77,7 @@ private function settingEdit(Request $request, $white_list, $action): string $blog_id = $this->getBlogIdFromSession(); // 初期表示時に編集データの取得&設定 - if (!$request->get('blog_setting') || !$request->isValidSig()) { + if (!$request->get('blog_setting') || !$request->isValidPost()) { $blog_setting = $blog_settings_model->findByBlogId($blog_id); $request->set('blog_setting', $blog_setting); return $this->get('template_path'); @@ -112,6 +111,4 @@ private function settingEdit(Request $request, $white_list, $action): string return $this->get('template_path'); } - } - From 5a6ada9a68b2e5e6585531cad3d9f110730c9d7f Mon Sep 17 00:00:00 2001 From: uzulla Date: Sun, 6 Jun 2021 22:58:16 +0900 Subject: [PATCH 09/21] Add http request method validation. add TODO. --- .../Admin/BlogTemplatesController.php | 22 +++++++++++++++---- .../admin/blog_templates/fc2_index.twig | 1 + .../admin/blog_templates/fc2_view_sp.twig | 1 + .../admin/blog_templates/index.twig | 2 ++ .../admin/blog_templates/index_sp.twig | 1 + 5 files changed, 23 insertions(+), 4 deletions(-) diff --git a/app/src/Web/Controller/Admin/BlogTemplatesController.php b/app/src/Web/Controller/Admin/BlogTemplatesController.php index 5c325d86..66bb1700 100644 --- a/app/src/Web/Controller/Admin/BlogTemplatesController.php +++ b/app/src/Web/Controller/Admin/BlogTemplatesController.php 
@@ -22,6 +22,8 @@ class BlogTemplatesController extends AdminController */ public function index(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $blog_id = $this->getBlogIdFromSession(); if (App::isPC($request)) { $device_type = $request->get('device_type', 0); @@ -55,6 +57,8 @@ public function index(Request $request): string */ public function fc2_index(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // デバイスタイプの設定 $device_type = $request->get('device_type', (string)Config::get('DEVICE_PC')); $request->set('device_type', $device_type); @@ -85,6 +89,8 @@ public function fc2_index(Request $request): string */ public function fc2_view(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // 戻る用URLの設定 $back_url = $request->getReferer(); if (!empty($back_url)) { @@ -120,7 +126,7 @@ public function create(Request $request): string $this->set('template_syntaxes', array_merge(array_keys(Config::get('fc2_template_foreach')), array_keys(Config::get('fc2_template_if')))); // 初期表示時 - if (!$request->get('blog_template') || !$request->isValidSig()) { + if (!$request->get('blog_template') || !$request->isValidPost()) { // FC2テンプレートダウンロード if ($request->get('fc2_id')) { $device_type = $request->get('device_type'); @@ -142,6 +148,7 @@ public function create(Request $request): string } // 新規登録処理 + if (!$request->isPost()) return $this->error400(); $errors = []; $white_list = ['title', 'html', 'css', 'device_type']; $errors['blog_template'] = $blog_templates_model->validate($request->get('blog_template'), $blog_template_data, $white_list); 
@@ -172,7 +179,7 @@ public function edit(Request $request): string $blog_id = $this->getBlogIdFromSession(); // 初期表示時に編集データの取得&設定 - if (!$request->get('blog_template') || !$request->isValidSig()) { + if (!$request->get('blog_template') || !$request->isValidPost()) { if (!$blog_template = $blog_templates_model->findByIdAndBlogId($id, $blog_id)) { $this->redirect($request, ['action' => 'index']); } @@ -181,6 +188,7 @@ public function edit(Request $request): string } // 更新処理 + if (!$request->isPost()) return $this->error400(); $errors = []; $white_list = ['title', 'html', 'css']; $errors['blog_template'] = $blog_templates_model->validate($request->get('blog_template'), $blog_template_data, $white_list); @@ -203,6 +211,9 @@ public function edit(Request $request): string */ public function apply(Request $request) { + // TODO post化 + // if(!$request->isPost()) return $this->error400(); + $blog_templates_model = Model::load('BlogTemplates'); $id = $request->get('id'); @@ -223,12 +234,14 @@ public function apply(Request $request) } /** - * テンプレートダウンロード + * テンプレートダウンロード(SP用) * @param Request $request * @return string */ public function download(Request $request): string { + // TODO POST化 + /** @var BlogTemplatesModel $blog_templates_model */ $blog_templates_model = Model::load('BlogTemplates'); @@ -282,7 +295,7 @@ public function delete(Request $request) $id = $request->get('id'); $blog_id = $this->getBlogIdFromSession(); - // 使用中のテンプレート判定 + // 使用中のテンプレートであれば削除させない $blog = BlogService::getById($blog_id); $template_ids = BlogsModel::getTemplateIds($blog); if (in_array($id, $template_ids)) { @@ -295,6 +308,7 @@ public function delete(Request $request) $this->redirect($request, array('action' => 'index')); } + // TODO 削除処理のPOST必須化 if ($request->isValidSig()) { // 削除処理 $blog_templates_model->deleteByIdAndBlogId($id, $blog_id); 
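Review bot: `delete()` still runs over GET on the strength of `isValidSig()` alone, and the templates later in this patch (`index.twig`, `index_sp.twig`) build that link with `sig` in the query string, so the CSRF token is written into the server access log, browser history and any proxy in the path; the `// TODO 削除処理のPOST必須化` line undersells that. Until the links become forms, a comment above the check, `// sig arrives in the query string here; do not treat it as a secret until delete is POST-only`, marks the gap, and `apply()` above, with its gate commented out, is in the same position. delete() starts outside the hunk.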
diff --git a/app/twig_templates/admin/blog_templates/fc2_index.twig b/app/twig_templates/admin/blog_templates/fc2_index.twig index 0fdd6a88..98ecacc3 100644 --- a/app/twig_templates/admin/blog_templates/fc2_index.twig +++ b/app/twig_templates/admin/blog_templates/fc2_index.twig @@ -19,6 +19,7 @@ {{ _('Preview') }} + {# TODO blog_templates createのPOST化 #} {{ _('Download') }} diff --git a/app/twig_templates/admin/blog_templates/fc2_view_sp.twig b/app/twig_templates/admin/blog_templates/fc2_view_sp.twig index 55436e35..2fbe67e4 100644 --- a/app/twig_templates/admin/blog_templates/fc2_view_sp.twig +++ b/app/twig_templates/admin/blog_templates/fc2_view_sp.twig @@ -17,6 +17,7 @@ {{ _('Preview') }}

+ {# TODO blog_templates downloadのPOST化 #} {{ _('Download') }}

diff --git a/app/twig_templates/admin/blog_templates/index.twig b/app/twig_templates/admin/blog_templates/index.twig index 12c8c5a3..46e93573 100644 --- a/app/twig_templates/admin/blog_templates/index.twig +++ b/app/twig_templates/admin/blog_templates/index.twig @@ -32,6 +32,7 @@ {% endif %} {% if not inArray(blog_template.id, template_ids) %} + {# TODO 適用処理のPOST化 #} {{ _('Apply') }} {% endif %} @@ -43,6 +44,7 @@   {% endif %} {% if not inArray(blog_template.id, template_ids) %} + {# TODO 削除処理のPOST化 #} {{ _('Delete') }} {% endif %} diff --git a/app/twig_templates/admin/blog_templates/index_sp.twig b/app/twig_templates/admin/blog_templates/index_sp.twig index 136463b2..ea97c690 100644 --- a/app/twig_templates/admin/blog_templates/index_sp.twig +++ b/app/twig_templates/admin/blog_templates/index_sp.twig @@ -62,6 +62,7 @@ return; } if (confirm('{{ _('Are you sure you want to delete?') }}')) { + {# TODO 削除処理のPOST化 #} location.href = common.fwURL('blog_templates', 'delete', {id: id, sig: "{{ sig }}"}); } }); From a275e26660b3fe50ab843690bb9430328cc80328 Mon Sep 17 00:00:00 2001 From: uzulla Date: Sun, 6 Jun 2021 23:14:57 +0900 Subject: [PATCH 10/21] Add 500 error page. --- app/src/Web/Controller/Controller.php | 7 +++++++ app/twig_templates/user/common/error500.twig | 6 ++++++ app/twig_templates/user/common/error500_sp.twig | 6 ++++++ 3 files changed, 19 insertions(+) create mode 100644 app/twig_templates/user/common/error500.twig create mode 100644 app/twig_templates/user/common/error500_sp.twig diff --git a/app/src/Web/Controller/Controller.php b/app/src/Web/Controller/Controller.php index 87e73026..9021c9ca 100644 --- a/app/src/Web/Controller/Controller.php +++ b/app/src/Web/Controller/Controller.php 
@@ -328,6 +328,13 @@ protected function error400(): string return 'user/common/error400.twig'; } + // 500 BadRequest + protected function error500(): string + { + $this->setStatusCode(500); + return 'user/common/error500.twig'; + } + public function getOutput(): string { if (!defined("THIS_IS_TEST")) { diff --git a/app/twig_templates/user/common/error500.twig b/app/twig_templates/user/common/error500.twig new file mode 100644 index 00000000..383c84aa --- /dev/null +++ b/app/twig_templates/user/common/error500.twig @@ -0,0 +1,6 @@ +{% extends 'user/layouts/default.twig' %} +{% block title %}{{ _('500 Internal Server Error.') }}{% endblock %} + +{% block content %} +
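Review bot: The comment above the new `error500()` reads `// 500 BadRequest`, the 400 label copied down; it should be `// 500 Internal Server Error`, matching the title string in the template added below. The method always returns `user/common/error500.twig` even though this patch also adds `error500_sp.twig`; if a resolver outside this file picks the `_sp` variant (presumably how `error400()` above works as well, though that is not visible here), a one-line comment saying so would stop the next reader from flagging a missing branch. error400() is only partly visible in the hunk.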

{{ _('500 Internal Server Error.') }}

+{% endblock %} diff --git a/app/twig_templates/user/common/error500_sp.twig b/app/twig_templates/user/common/error500_sp.twig new file mode 100644 index 00000000..f2d7402a --- /dev/null +++ b/app/twig_templates/user/common/error500_sp.twig @@ -0,0 +1,6 @@ +{% extends 'user/layouts/default_sp.twig' %} +{% block title %}{{ _('500 Internal Server Error.') }}{% endblock %} + +{% block content %} +

{{ _('500 Internal Server Error.') }}

+{% endblock %} From 611a726df66181daade4a4e3938cc7298862abdf Mon Sep 17 00:00:00 2001 From: uzulla Date: Mon, 7 Jun 2021 01:33:30 +0900 Subject: [PATCH 11/21] Add http request method validation. refactoring. --- .../Controller/Admin/CategoriesController.php | 70 +++++++++---------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/app/src/Web/Controller/Admin/CategoriesController.php b/app/src/Web/Controller/Admin/CategoriesController.php index 4956cd87..7ac63a7b 100644 --- a/app/src/Web/Controller/Admin/CategoriesController.php +++ b/app/src/Web/Controller/Admin/CategoriesController.php @@ -10,7 +10,6 @@ class CategoriesController extends AdminController { - /** * カテゴリー一覧、新規作成 * @param Request $request @@ -46,6 +45,7 @@ public function create(Request $request): string } // 新規登録処理 + if (!$request->isPost()) return $this->error400(); $category_request = $request->get('category'); $category_request['blog_id'] = $blog_id; $errors = $categories_model->validate($category_request, $data, ['parent_id', 'name', 'category_order']); @@ -91,6 +91,7 @@ public function edit(Request $request): string } // 更新処理 + if (!$request->isPost()) return $this->error400(); $category_request = $request->get('category'); $category_request['id'] = $id; // 入力チェック用 $category_request['blog_id'] = $blog_id; // 入力チェック用 
@@ -111,29 +112,33 @@ public function edit(Request $request): string /** * 削除 * @param Request $request + * @return string */ - public function delete(Request $request) + public function delete(Request $request): string { - $categories_model = Model::load('Categories'); + if (!$request->isValidPost()) { + return $this->error400(); + } $id = $request->get('id'); $blog_id = $this->getBlogIdFromSession(); - if (!$request->isValidSig()) { - $request = new Request(); - $this->redirect($request, array('action' => 'create')); - return; + // 未分類であるid=1は削除させない + if ($id === "1") { + return $this->error400(); } - - // 削除データの取得(未分類であるid=1は削除させない) - if ($id == 1 || !$categories_model->findByIdAndBlogId($id, $blog_id)) { + // 削除データの取得 + $categories_model = Model::load('Categories'); + if (!$categories_model->findByIdAndBlogId($id, $blog_id)) { $this->redirect($request, array('action' => 'create')); + return ""; } // 削除処理 $categories_model->deleteNodeByIdAndBlogId($id, $blog_id); $this->setInfoMessage(__('I removed the category')); $this->redirect($request, array('action' => 'create')); + return ""; } /** 
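Review bot: The new guard `if ($id === "1")` is narrower than the `$id == 1` it replaces: values such as `"01"` or `"1.0"` no longer trip it, and whether they then resolve to category 1 inside findByIdAndBlogId()/deleteNodeByIdAndBlogId() depends on how the model and the database coerce the id, which this hunk does not show. Normalising before the comparison, e.g. `if ((int)$id === 1) {`, keeps the uncategorised row protected independently of that coercion; rejecting any id that is not a canonical digit string (`ctype_digit`) would be stricter still. The rest of the change (isValidPost() up front, explicit `return ""` after each redirect) reads well.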
@@ -144,45 +149,40 @@ public function delete(Request $request) */ public function ajax_add(Request $request): string { - if ($this->isInvalidAjaxRequest($request)) { - return $this->error403(); - } - - /** @var CategoriesModel $categories_model */ - $categories_model = Model::load('Categories'); - - $blog_id = $this->getBlogIdFromSession(); - - $json = array('status' => 0); - - if (!$request->isValidSig()) { + if (!$request->isValidPost() || $this->isInvalidAjaxRequest($request)) { $this->setContentType("application/json; charset=utf-8"); - $this->setStatusCode(404); - $this->set('json', ['error' => 'invalid sig']); + $this->setStatusCode(400); + $this->set('json', ['status' => 0, 'error' => 'invalid sig']); return "admin/common/json.twig"; } $category_request = $request->get('category'); + $blog_id = $this->getBlogIdFromSession(); $category_request['blog_id'] = $blog_id; + /** @var CategoriesModel $categories_model */ + $categories_model = Model::load('Categories'); $errors = $categories_model->validate($category_request, $data, array('parent_id', 'name')); if (empty($errors)) { $data['blog_id'] = $blog_id; if ($id = $categories_model->addNode($data, 'blog_id=?', array($blog_id))) { - $json['status'] = 1; - $json['category'] = array( - 'id' => $id, - 'parent_id' => $data['parent_id'], - 'name' => $data['name'], - ); + $json = [ + 'status' => 1, + 'category' => [ + 'id' => $id, + 'parent_id' => $data['parent_id'], + 'name' => $data['name'], + ], + ]; + $this->setContentType("application/json; charset=utf-8"); + $this->set('json', $json); + return "admin/common/json.twig"; + } else { + return $this->error500(); } } - $json['error'] = $errors; - $this->setContentType("application/json; charset=utf-8"); - $this->set('json', $json); + $this->set('json', ['status' => 0, 'error' => $errors]); return "admin/common/json.twig"; } - } - From 2fc2e909227797322af2b02b388d5fe4d4e767d7 Mon Sep 17 00:00:00 2001 
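Review bot: The validation-error path at the end of ajax_add() lost its content type: the removed `$this->setContentType("application/json; charset=utf-8");` is not re-added before `$this->set('json', ['status' => 0, 'error' => $errors]);`, so that response is rendered from json.twig under the controller's default content type. Re-add that line before the final `set('json', …)`, or hoist a single setContentType() call to the top of the method, since every branch now returns json.twig except the `else` that calls error500(). That error500() branch presumably renders an HTML error template (as the error500() added earlier in this series does), which an XHR caller expecting JSON cannot parse; a JSON body with status 500 would be the consistent choice. The rejection branch also reports `'invalid sig'` for all three causes it now covers (non-POST, bad sig, non-AJAX), which will mislead whoever debugs it.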
From: uzulla Date: Mon, 7 Jun 2021 01:35:47 +0900 Subject: [PATCH 12/21] Add http request method validation. add TODO. --- app/src/Web/Controller/Admin/CommentsController.php | 4 +++- app/twig_templates/admin/comments/ajax_reply.twig | 2 +- app/twig_templates/admin/comments/index.twig | 2 +- app/twig_templates/admin/comments/reply_sp.twig | 4 ++-- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/app/src/Web/Controller/Admin/CommentsController.php b/app/src/Web/Controller/Admin/CommentsController.php index 73351804..b1a434eb 100644 --- a/app/src/Web/Controller/Admin/CommentsController.php +++ b/app/src/Web/Controller/Admin/CommentsController.php @@ -12,7 +12,6 @@ class CommentsController extends AdminController { - /** * 一覧表示 * @param Request $request @@ -20,6 +19,8 @@ class CommentsController extends AdminController */ public function index(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $comments_model = new CommentsModel(); $blog_id = $this->getBlogIdFromSession(); @@ -135,6 +136,7 @@ public function setStatusDataList(): void */ public function approval(Request $request) { + // TODO POST化、Sigチェック $comments_model = Model::load('Comments'); $id = $request->get('id'); diff --git a/app/twig_templates/admin/comments/ajax_reply.twig b/app/twig_templates/admin/comments/ajax_reply.twig index b611e018..0e4682e7 100644 --- a/app/twig_templates/admin/comments/ajax_reply.twig +++ b/app/twig_templates/admin/comments/ajax_reply.twig @@ -35,7 +35,7 @@ {{ _('Published') }} {% endif %} {% if comment.open_status == comment_open_status_pending %} - {{ _('Approval pending') }} » {{ _('Approval') }} + {{ _('Approval pending') }} » {{ _('Approval') }} {% endif %} {% if comment.open_status == comment_open_status_private %} {{ _('Only exposed administrator') }} diff --git a/app/twig_templates/admin/comments/index.twig b/app/twig_templates/admin/comments/index.twig index 01176333..9f40cfd8 100644 
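Review bot: The `// TODO POST化、Sigチェック` added to approval() records that this state-changing action still runs on a plain GET with no sig check, so until the TODO is done the approval can be triggered by any page the administrator is led to follow a link from. As an interim guard, `if (!$request->isValidSig()) return $this->error400();` at the top of approval() closes that gap without waiting for the POST conversion; the three twig hunks in this patch edit exactly those links, but their markup is not legible in this view, so whether they already carry the sig is unconfirmed. approval()'s body continues outside the hunk.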
--- a/app/twig_templates/admin/comments/index.twig +++ b/app/twig_templates/admin/comments/index.twig @@ -77,7 +77,7 @@ {{ _('Published') }} {% endif %} {% if comment.open_status == comment_open_status_pending %} - {{ _('Approval') }} + {{ _('Approval') }} {% endif %} {% if comment.open_status == comment_open_status_private %} {{ _('Only exposed administrator') }} diff --git a/app/twig_templates/admin/comments/reply_sp.twig b/app/twig_templates/admin/comments/reply_sp.twig index 70ced4d7..8e5d1324 100644 --- a/app/twig_templates/admin/comments/reply_sp.twig +++ b/app/twig_templates/admin/comments/reply_sp.twig @@ -45,8 +45,8 @@
{% if comment.open_status == comment_open_status_pending %} {% endif %}
    From 8bcb71cbea34973749937e26aec3543b40d5faf2 Mon Sep 17 00:00:00 2001 From: uzulla Date: Mon, 7 Jun 2021 01:36:21 +0900 Subject: [PATCH 13/21] Add http request method validation. fix broken test. --- app/src/Web/Controller/Admin/EntriesController.php | 11 +++++++---- tests/App/Controller/Admin/Entries/DeleteTest.php | 4 ++-- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/app/src/Web/Controller/Admin/EntriesController.php b/app/src/Web/Controller/Admin/EntriesController.php index 7fd0fb34..c20d732e 100644 --- a/app/src/Web/Controller/Admin/EntriesController.php +++ b/app/src/Web/Controller/Admin/EntriesController.php @@ -16,7 +16,6 @@ class EntriesController extends AdminController { - /** * 一覧表示 * @param Request $request @@ -24,6 +23,8 @@ class EntriesController extends AdminController */ public function index(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $entries_model = new EntriesModel(); $blog_id = $this->getBlogIdFromSession(); @@ -161,6 +162,7 @@ public function create(Request $request): string } // 新規登録処理 + if (!$request->isPost()) return $this->error400(); $errors = []; $whitelist_entry = ['title', 'body', 'extend', 'open_status', 'password', 'auto_linefeed', 'comment_accepted', 'posted_at']; $errors['entry'] = $entries_model->validate($request->get('entry'), $entry_data, $whitelist_entry); @@ -239,6 +241,7 @@ public function edit(Request $request): string } // 更新処理 + if (!$request->isPost()) return $this->error400(); $errors = []; $whitelist_entry = ['title', 'body', 'extend', 'open_status', 'password', 'auto_linefeed', 'comment_accepted', 'posted_at']; $errors['entry'] = $entries_model->validate($request->get('entry'), $entry_data, $whitelist_entry); 
@@ -291,7 +294,7 @@ public function edit(Request $request): string */ public function delete(Request $request) { - if ($request->isValidSig()) { + if ($request->isValidPost()) { // 削除処理 if (Model::load('Entries')->deleteByIdsAndBlogId($request->get('id'), $this->getBlogIdFromSession())) $this->setInfoMessage(__('I removed the entry')); @@ -307,6 +310,8 @@ public function delete(Request $request) */ public function ajax_media_load(Request $request): string { + if (!$request->isGet()) return $this->error400(); + if ($this->isInvalidAjaxRequest($request)) { return $this->error403(); } @@ -341,6 +346,4 @@ public function ajax_media_load(Request $request): string return 'admin/entries/ajax_media_load.twig'; } - } - diff --git a/tests/App/Controller/Admin/Entries/DeleteTest.php b/tests/App/Controller/Admin/Entries/DeleteTest.php index 6d53ff33..72d0ad39 100644 --- a/tests/App/Controller/Admin/Entries/DeleteTest.php +++ b/tests/App/Controller/Admin/Entries/DeleteTest.php @@ -32,7 +32,7 @@ public function testDelete(): void $sig = $this->getSig(); - $r = $this->reqGetBeRedirect("/admin/entries/delete", ["id" => $some_entry['id'], "sig" => $sig]); + $r = $this->reqPostBeRedirect("/admin/entries/delete", ["id" => $some_entry['id'], "sig" => $sig]); $this->assertEquals("/admin/entries/index", $r->redirectUrl); @@ -66,7 +66,7 @@ public function testMultiDelete(): void 'sig' => $sig ]; - $r = $this->reqGetBeRedirect("/admin/entries/delete", $request_data); + $r = $this->reqPostBeRedirect("/admin/entries/delete", $request_data); $this->assertEquals("/admin/entries/index", $r->redirectUrl); $c = $this->reqGet("/admin/entries/index"); From 08f7e784ab082f8c420aad3e54eeba1b62967261 Mon Sep 17 00:00:00 2001 From: uzulla Date: Mon, 7 Jun 2021 01:36:38 +0900 Subject: [PATCH 14/21] Add http request method validation. Add TODO. --- app/src/Web/Controller/Admin/FilesController.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) 
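Review bot: delete() now falls through silently when `isValidPost()` fails: a GET, or a POST without a valid sig, is redirected as if nothing happened, whereas CategoriesController::delete() in this series answers error400(). Inverting the guard to `if (!$request->isValidPost()) return $this->error400();` keeps the two controllers consistent and makes rejected requests show up in the access log as 4xx rather than 3xx. The method has no return type and its redirect tail lies outside the hunk, so the guard's placement should follow whatever that tail does.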
diff --git a/app/src/Web/Controller/Admin/FilesController.php b/app/src/Web/Controller/Admin/FilesController.php index 5249cdc8..466f5449 100644 --- a/app/src/Web/Controller/Admin/FilesController.php +++ b/app/src/Web/Controller/Admin/FilesController.php @@ -11,7 +11,6 @@ class FilesController extends AdminController { - /** * 一覧表示 /admin/files/upload からPartial読み込み * @param Request $request @@ -87,6 +86,7 @@ public function ajax_index(Request $request): string */ public function upload(Request $request): string { + // TODO uploadと一覧の分離 $files_model = new FilesModel(); $blog_id = $this->getBlogIdFromSession(); @@ -95,6 +95,11 @@ public function upload(Request $request): string // アップロード時処理 if ($request->file('file')) { + if (!$request->isValidSig()) { + $request = new Request(); + $this->redirect($request, ['action' => 'upload']); + } + // 新規登録処理 $errors = []; $errors['file'] = $files_model->insertValidate($request->file('file'), $request->get('file'), $data_file); @@ -115,6 +120,7 @@ public function upload(Request $request): string $this->setInfoMessage(__('I have completed the upload of files')); $this->redirect($request, array('action' => 'upload')); // アップロード成功 + return ""; } } // 拡張子チェックエラーはファイルが指定されていない時には表示不要と思われるので、unset @@ -220,6 +226,7 @@ public function edit(Request $request): string } // 新規登録処理 + // TODO 修正処理とHTMLレスポンスの分離 $errors = []; $errors['file'] = $files_model->updateValidate($request->file('file'), $request->get('file'), $file, $data_file); if (empty($errors['file'])) { From d0d1492384768fdc63f77d301c8a526bd4de0cb1 Mon Sep 17 00:00:00 2001 From: uzulla Date: Mon, 7 Jun 2021 01:39:01 +0900 Subject: [PATCH 15/21] Add http request method validation. fix broken test. --- .../Web/Controller/Admin/CommonController.php | 32 +++++++++++++++---- .../Controller/Admin/Common/InstallTest.php | 2 +- 2 files changed, 27 insertions(+), 7 deletions(-) 
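Review bot: The new sig check in upload() redirects but does not return: nothing follows `$this->redirect($request, ['action' => 'upload']);` inside the `if (!$request->isValidSig())` block, and the rest of this series adds `return "";` after redirect() calls (including the success path a few lines below in this same hunk), which indicates redirect() does not stop execution. If so, a request with an invalid sig still runs insertValidate() and the insert after the redirect header is set. Add `return "";` as the last line of that block; the `$request = new Request();` reassignment just before the redirect also looks unnecessary, since the redirect only needs the action, and dropping it would be clearer. upload()'s body continues outside the hunk.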
diff --git a/app/src/Web/Controller/Admin/CommonController.php b/app/src/Web/Controller/Admin/CommonController.php index e324924f..b3f2c3ed 100644 --- a/app/src/Web/Controller/Admin/CommonController.php +++ b/app/src/Web/Controller/Admin/CommonController.php @@ -20,9 +20,12 @@ class CommonController extends AdminController /** * 言語設定変更 * @param Request $request + * @return string */ - public function lang(Request $request) + public function lang(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // 言語の設定 $lang = $request->get('lang'); if (Config::get('LANGUAGES.' . $lang)) { @@ -36,15 +39,19 @@ public function lang(Request $request) $url .= '?' . $device_name; } $this->redirectBack($request, $url); + return ""; } /** * デバイス変更 * @param Request $request + * @return string * @noinspection PhpUnused */ - public function device_change(Request $request) + public function device_change(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // デバイスの設定 $device_type = 0; $device = $request->get('device'); @@ -62,14 +69,18 @@ public function device_change(Request $request) Cookie::set($request, 'device', $device_type); $this->redirectBack($request, array('controller' => 'entries', 'action' => 'index')); + return ""; } /** * /admin/ ブログの設定より初期表示ページを決定し、リダイレクト * @param Request $request + * @return string */ - public function index(Request $request) + public function index(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // 設定読み込みをしてリダイレクト if (is_string($blog_id = $this->getBlogIdFromSession())) { $blog_settings = new BlogSettingsModel(); 
@@ -81,24 +92,29 @@ public function index(Request $request) switch ($setting['start_page']) { case Config::get('BLOG.START_PAGE.ENTRY'): $this->redirect($request, ['controller' => 'Entries', 'action' => 'create']); - break; + return ""; // break; case Config::get('BLOG.START_PAGE.NOTICE'): default: $this->redirect($request, ['controller' => 'Common', 'action' => 'notice']); - break; + return ""; // break; } } else { // 設定なし $this->redirect($request, ['controller' => 'Common', 'action' => 'notice']); + return ""; } + } /** * お知らせ一覧画面 + * @param Request $request * @return string */ - public function notice(/*Request $request*/): string + public function notice(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $blog_id = $this->getBlogIdFromSession(); $comments_model = new CommentsModel(); @@ -126,6 +142,7 @@ public function install(Request $request): string switch ($state) { default: case 0: + if (!$request->isGet()) return $this->error400(); // 環境チェック確認 $this->set('temp_dir', Config::get('TEMP_DIR')); $this->set('www_upload_dir', Config::get('WWW_UPLOAD_DIR')); @@ -180,6 +197,7 @@ public function install(Request $request): string return 'admin/common/install.twig'; case 1: + if (!$request->isGet()) return $this->error400(); // 各種初期設定、DB テーブル作成、ディレクトリ作成 // フォルダの作成 @@ -264,6 +282,7 @@ public function install(Request $request): string } // 以下はユーザー登録実行 + if (!$request->isPost()) return $this->error400(); $users_model = new UsersModel(); $blogs_model = new BlogsModel(); @@ -301,6 +320,7 @@ public function install(Request $request): string case 3: // 完了画面 + if (!$request->isGet()) return $this->error400(); // 完了画面表示と同時に、インストール済みロックファイルの生成 file_put_contents($this->getInstalledLockFilePath(), "This is installed check lockfile.\nThe blog already installed. if you want re-enable installer, please delete this file."); 
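Review bot: In index() the new `return ""; // break;` lines leave commented-out code behind; `return "";` alone is clearer, and the stray blank line added before the closing brace can go. In install(), state 1 creates directories and database tables (per its own comment) yet now rejects everything but GET, and InstallTest was switched from POST to GET to match; a GET that mutates state is what the rest of this series is moving away from, so either let state 1 accept POST (with the step-0 page submitting it) or document why GET is intended here. install()'s body continues on both sides of its hunks.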
diff --git a/tests/App/Controller/Admin/Common/InstallTest.php b/tests/App/Controller/Admin/Common/InstallTest.php index 7d73bb6b..30e9dd3c 100644 --- a/tests/App/Controller/Admin/Common/InstallTest.php +++ b/tests/App/Controller/Admin/Common/InstallTest.php @@ -104,7 +104,7 @@ public function testInstallState1Check(): void $this->resetSession(); $this->resetCookie(); - $r = $this->reqPostBeRedirect("/admin/common/install", ['state' => 1]); + $r = $this->reqGetBeRedirect("/admin/common/install", ['state' => 1]); $this->assertEquals('/admin/common/install?state=2', $r->redirectUrl); } From b713c4519e2f4b0bab9f6e954c9513667c519182 Mon Sep 17 00:00:00 2001 From: uzulla Date: Mon, 7 Jun 2021 03:10:34 +0900 Subject: [PATCH 16/21] Add http request method validation. --- app/src/Web/Controller/Admin/PasswordResetController.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app/src/Web/Controller/Admin/PasswordResetController.php b/app/src/Web/Controller/Admin/PasswordResetController.php index 48d34172..7ba89221 100644 --- a/app/src/Web/Controller/Admin/PasswordResetController.php +++ b/app/src/Web/Controller/Admin/PasswordResetController.php @@ -61,6 +61,8 @@ public function request(Request $request): string /** @noinspection PhpUnused */ public function resetForm(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $token_str = $request->get('token'); $token = PasswordResetTokenService::getByToken($token_str); From 8d240d1822eeb17d3fdcd2a8ba3e04b222ebeca1 Mon Sep 17 00:00:00 2001 From: uzulla Date: Mon, 7 Jun 2021 03:10:55 +0900 Subject: [PATCH 17/21] Add http request method validation. --- app/src/Web/Controller/Admin/SessionController.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/app/src/Web/Controller/Admin/SessionController.php b/app/src/Web/Controller/Admin/SessionController.php index dc909046..6e9fb72c 100644 --- a/app/src/Web/Controller/Admin/SessionController.php 
+++ b/app/src/Web/Controller/Admin/SessionController.php @@ -20,6 +20,8 @@ class SessionController extends AdminController */ public function login(Request $request): string { + if (!$request->isGet()) return $this->error400(); + if ($this->isLogin()) { // ログイン済みならトップページへリダイレクト $this->redirect($request, $request->baseDirectory); @@ -97,6 +99,8 @@ public function doLogin(Request $request): string */ public function mailLogin(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // get&check login token $token_str = $request->get('token'); @@ -133,6 +137,8 @@ public function mailLogin(Request $request): string */ public function logout(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // TODO refactoring if ($this->isLogin()) { Session::destroy($request); From ae0c1ab14c3e9ac3309a4de55cf418a1d48cf5c7 Mon Sep 17 00:00:00 2001 From: uzulla Date: Mon, 7 Jun 2021 03:11:53 +0900 Subject: [PATCH 18/21] Add http request method validation. now update action require POST method. --- app/src/Web/Controller/Admin/SystemUpdateController.php | 5 ++--- app/twig_templates/admin/system_update/index.twig | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/app/src/Web/Controller/Admin/SystemUpdateController.php b/app/src/Web/Controller/Admin/SystemUpdateController.php index d6b3dccf..370e275d 100644 --- a/app/src/Web/Controller/Admin/SystemUpdateController.php +++ b/app/src/Web/Controller/Admin/SystemUpdateController.php @@ -10,10 +10,10 @@ class SystemUpdateController extends AdminController { - /** @noinspection PhpUnusedParameterInspection */ public function index(Request $request): string { // TODO unit test + if (!$request->isGet()) return $this->error400(); $release_list = SystemUpdateModel::getReleaseInfo(); $this->set('release_list', $release_list); 
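Review bot: logout() destroys the session on a plain GET, and no sig check is visible in the hunk, so any third-party page that embeds the logout URL can force the administrator out (a low-severity but well-known CSRF variant). If the admin layout can render a small form, `if (!$request->isValidPost()) return $this->error400();` brings it in line with the delete actions in this series; otherwise `if (!$request->isValidSig()) return $this->error400();` on the GET would at least require the sig. login() and mailLogin() being GET-only is appropriate, since they render a form and consume an emailed token respectively.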
@@ -25,6 +25,7 @@ public function index(Request $request): string public function update(Request $request): string { // TODO unit test + if (!$request->isPost()) return $this->error400(); if (!$request->isValidSig()) { $this->setWarnMessage(__("Request failed: invalid sig, please retry.")); @@ -54,6 +55,4 @@ public function update(Request $request): string throw new LogicException("must be redirect"); } - } - diff --git a/app/twig_templates/admin/system_update/index.twig b/app/twig_templates/admin/system_update/index.twig index 745023cd..05e2672e 100644 --- a/app/twig_templates/admin/system_update/index.twig +++ b/app/twig_templates/admin/system_update/index.twig @@ -63,7 +63,7 @@

    {{ release.body|nl2br }}

    -
    From f2004651aab56366628cabf436497d7cf0d826d8 Mon Sep 17 00:00:00 2001 From: uzulla Date: Mon, 7 Jun 2021 03:12:16 +0900 Subject: [PATCH 19/21] Add http request method validation. fix broken test. --- app/src/Web/Controller/Admin/TagsController.php | 7 ++++--- app/twig_templates/admin/tags/index.twig | 1 + tests/App/Controller/Admin/Tags/EditTest.php | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/app/src/Web/Controller/Admin/TagsController.php b/app/src/Web/Controller/Admin/TagsController.php index ef58c982..5d77c711 100644 --- a/app/src/Web/Controller/Admin/TagsController.php +++ b/app/src/Web/Controller/Admin/TagsController.php @@ -10,7 +10,6 @@ class TagsController extends AdminController { - /** * 一覧表示 * @param Request $request @@ -18,6 +17,8 @@ class TagsController extends AdminController */ public function index(Request $request): string { + if (!$request->isGet()) return $this->error400(); + $tags_model = new TagsModel(); $blog_id = $this->getBlogIdFromSession(); @@ -102,6 +103,7 @@ public function edit(Request $request): string } // 更新処理 + if (!$request->isPost()) return $this->error400(); $tag_request = $request->get('tag'); $tag_request['id'] = $id; $tag_request['blog_id'] = $blog_id; @@ -132,6 +134,7 @@ public function edit(Request $request): string */ public function delete(Request $request) { + // TODO POST化 if ($request->isValidSig()) { // 削除処理 if (Model::load('Tags')->deleteByIdsAndBlogId($request->get('id'), $this->getBlogIdFromSession())) { @@ -148,6 +151,4 @@ public function delete(Request $request) } $this->redirectBack($request, array('action' => 'index')); } - } - diff --git a/app/twig_templates/admin/tags/index.twig b/app/twig_templates/admin/tags/index.twig index 4a8e793b..d42ee30c 100644 --- a/app/twig_templates/admin/tags/index.twig +++ b/app/twig_templates/admin/tags/index.twig @@ -43,6 +43,7 @@ {{ tag.name }} {{ tag.count }} {{ _('Edit') }} + {# TODO deleteをPOST化 #} {{ _('Delete') }} {% endfor %} 
diff --git a/tests/App/Controller/Admin/Tags/EditTest.php b/tests/App/Controller/Admin/Tags/EditTest.php index 5f9e696a..52bafd4b 100644 --- a/tests/App/Controller/Admin/Tags/EditTest.php +++ b/tests/App/Controller/Admin/Tags/EditTest.php @@ -55,7 +55,7 @@ public function testUpdate(): void 'tag' => ['name' => "testtagname"] ]; - $r = $this->reqGetBeRedirect("/admin/tags/edit", $request_data); + $r = $this->reqPostBeRedirect("/admin/tags/edit", $request_data); $this->assertEquals('/admin/tags/index', $r->redirectUrl); $c = $this->reqGet("/admin/tags/index"); From 178842b5125c6859e4cb97c3ba62ceb1d8f7c16c Mon Sep 17 00:00:00 2001 From: uzulla Date: Mon, 7 Jun 2021 03:13:13 +0900 Subject: [PATCH 20/21] Add http request method validation. --- app/src/Web/Controller/Admin/UsersController.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/app/src/Web/Controller/Admin/UsersController.php b/app/src/Web/Controller/Admin/UsersController.php index 35d75b6b..501cde8f 100644 --- a/app/src/Web/Controller/Admin/UsersController.php +++ b/app/src/Web/Controller/Admin/UsersController.php @@ -19,6 +19,8 @@ class UsersController extends AdminController */ public function index(Request $request): string { + if (!$request->isGet()) return $this->error400(); + if (!$this->isAdmin()) { return $this->error404(); } @@ -63,6 +65,7 @@ public function register(Request $request) $blogs_model = Model::load('Blogs'); // ユーザーとブログの新規登録処理 + if (!$request->isPost()) return $this->error400(); $errors = array(); $errors['user'] = $users_model->registerValidate($request->get('user'), $user_data, array('login_id', 'password')); $errors['blog'] = $blogs_model->validate($request->get('blog'), $blog_data, array('id', 'name', 'nickname')); 
@@ -106,6 +109,7 @@ public function edit(Request $request): string } // 更新処理 + if (!$request->isPost()) return $this->error400(); $errors = []; $white_list = ['password', 'login_blog_id']; $errors['user'] = $users_model->updateValidate($request->get('user'), $data_user, $white_list); @@ -139,6 +143,7 @@ public function withdrawal(Request $request): string } // 削除処理 + if (!$request->isPost()) return $this->error400(); Model::load('Users')->deleteById($this->getUserId()); $this->setInfoMessage(__('Was completed withdrawal')); if ($this->isLogin()) { From 9561159377f0d85133af0298e6cbc71bfb1cfb0d Mon Sep 17 00:00:00 2001 From: uzulla Date: Mon, 7 Jun 2021 03:13:48 +0900 Subject: [PATCH 21/21] Add http request method validation. --- app/src/Web/Controller/Admin/PasswordResetController.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app/src/Web/Controller/Admin/PasswordResetController.php b/app/src/Web/Controller/Admin/PasswordResetController.php index 7ba89221..83e9f66d 100644 --- a/app/src/Web/Controller/Admin/PasswordResetController.php +++ b/app/src/Web/Controller/Admin/PasswordResetController.php @@ -14,6 +14,8 @@ class PasswordResetController extends AdminController /** @noinspection PhpUnused */ public function requestForm(Request $request): string { + if (!$request->isGet()) return $this->error400(); + // 未ログインだとSigが生成されていないため、ここで生成する。 // 複数個ウインドウを開くとsigがエラーになるが、ありえないかと思われる。 $request->generateNewSig();