Mitigate vulnerability

William 2022-04-05 20:28:21 +00:00
parent 32692782fb
commit 33d78385ce


@ -19,18 +19,11 @@ class AccessControl
{ {
$this->app = $app; $this->app = $app;
/**
* WARNING WARNING WARNING:
*
* Never use an asterisk without putting anything before it like this "*".
* An attacker could leverage this by putting a forward slash behind a
* protected page like this "protected-page.php/pwned!" to gain access.
*/
$this->acl = [ $this->acl = [
// routes that need power level 1 and up // routes that need power level 1 and up
[ [
"routes" => [ "routes" => [
"race/simulator.php*", "race/simulator.php",
"race/configure/*" "race/configure/*"
], ],
"catcher" => [ "catcher" => [
@ -50,7 +43,7 @@ class AccessControl
]; ];
$this->currentPage = substr( $this->currentPage = substr(
$_SERVER["PHP_SELF"], $_SERVER["SCRIPT_NAME"],
strlen($this->app->config["root_url"]) strlen($this->app->config["root_url"])
); );
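Review bot: The `substr()` call in the second hunk now reads `$_SERVER["SCRIPT_NAME"]` with no comment saying why, while the first hunk deletes the only text that explained the path-suffix bypass, so a later edit could switch back to `PHP_SELF` or re-add a trailing `*` without noticing the risk. I would add a comment above the assignment such as `// Use SCRIPT_NAME, not PHP_SELF: PHP_SELF includes any PATH_INFO suffix ("page.php/extra"), which let requests slip past exact ACL routes.` Whether `SCRIPT_NAME` is actually free of that suffix depends on the web server and FastCGI configuration, which is not visible here, so it should be confirmed on the deployed stack. The prefix strip also assumes the value starts with `root_url`. The route-matching code and the rest of the constructor are outside the hunks, so it is not possible to tell from this page whether a page that matches no ACL entry is denied by default.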