harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

better handling of mimetype security

Browse Source
This commit is contained in:
Mario Vavti
2017-03-15 12:38:33 +01:00
parent bdfdd23b36
commit 62c921815f
2 changed files with 6 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Zotlabs/Module/Editwebpage.php
View File

@@ -130,8 +130,6 @@ class Editwebpage extends \Zotlabs\Web\Controller {
$layout = $itm[0]['layout_mid'];
$tpl = get_markup_template("jot.tpl");
$rp = 'webpages/' . $which;
$x = array(

22
Zotlabs/Module/Item.php
View File

@@ -480,22 +480,12 @@ class Item extends \Zotlabs\Web\Controller {
$execflag = false;
if($mimetype !== 'text/bbcode') {
$z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
intval($profile_uid)
);
if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) {
if($uid && (get_account_id() == $z[0]['account_id'])) {
$execflag = true;
}
else {
notice( t('Executable content type not permitted to this channel.') . EOL);
if($api_source)
return ( [ 'success' => false, 'message' => 'forbidden content type' ] );
if(x($_REQUEST,'return'))
goaway(z_root() . "/" . $return_path );
killme();
}
$z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
intval($profile_uid)
);
if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) {
if($uid && (get_account_id() == $z[0]['account_id'])) {
$execflag = true;
}
}