ulysia/szurubooru
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Permalink security fix

Browse source
This commit is contained in:
Marcin Kurczewski 2013-10-13 13:38:24 +02:00
parent e33ec7abe7
commit 7c62293b76
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/Controllers/PostController.php
View file

@ -8,9 +8,9 @@ class PostController
$callback(); $callback();
} }
private static function locatePost($key) private static function locatePost($key, $disallowNumeric = false)
{ {
if (is_numeric($key)) if (is_numeric($key) and !$disallowNumeric)
{ {
$post = R::findOne('post', 'id = ?', [$key]); $post = R::findOne('post', 'id = ?', [$key]);
if (!$post) if (!$post)
@ -720,7 +720,7 @@ class PostController
public function retrieveAction($name) public function retrieveAction($name)
{ {
$this->context->layoutName = 'layout-file'; $this->context->layoutName = 'layout-file';
$post = self::locatePost($name); $post = self::locatePost($name, true);
R::preload($post, ['tag']); R::preload($post, ['tag']);
PrivilegesHelper::confirmWithException($this->context->user, Privilege::RetrievePost); PrivilegesHelper::confirmWithException($this->context->user, Privilege::RetrievePost);