Skip to content

Instantly share code, notes, and snippets.

@AgelxNash

AgelxNash/protect_TVsaver.plugin.php

Created March 13, 2013 11:50
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save AgelxNash/5151389 to your computer and use it in GitHub Desktop.
Save AgelxNash/5151389 to your computer and use it in GitHub Desktop.
Download ZIP
[EVO] Защита от взлома менеджерами через @-операторы в значениях TV параметров
Raw
protect_TVsaver.plugin.php
//<?php
/**
* Protect TV-saver
*
* @category plugin
* @version 0.1
* @license GNU General Public License (GPL), http://www.gnu.org/copyleft/gpl.html
* @internal @events OnBeforeDocFormSave
* @internal @modx_category Manager and Admin
* @author Agel_Nash <Agel_Nash@xaker.ru>
*/
if($modx->Event->name=='OnBeforeDocFormSave'){
if(!function_exists('checkValTV')){
function checkValTV($value){
$flag=false;
if(substr(trim($value),0,1)=='@'){
$val=explode(" ",trim($value),2);
$flag=(in_array($val[0],array('@FILE','@CHUNK','@DOCUMENT','@SELECT','@EVAL','@INHERIT','@DIRECTORY'))) ? $value : false;
}
return $flag;
}
}
foreach($_POST as $key=>$value){
if (substr($key,0,2)=='tv'){
if(is_array($value)){
foreach($value as $item){
if($flag=checkValTV($item)){
break;
}
}
}else{
$flag=checkValTV($value);
}
if($flag){
$modx->logEvent(666,2,"<strong>TV value:</strong> <pre>".var_export($value,true)."</pre>","HACK with @-TV ");
die('HACK?');
}
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment