コード例 #1
ファイル: requests.php プロジェクト: johngrange/wookeyholeweb
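 /**
  * Public constructor of the Controller class
  *
  * Reads the raw request body and, when it decodes to a JSON object that
  * carries `"ajax": 1`, merges its members over the regular request data
  * before handing the configuration to the parent constructor.
  *
  * @param   array  $config  Optional configuration parameters
  */
 public function __construct($config = array())
 {
     // No JInputJSON in J2.5, so the body is read and decoded by hand.
     // php://input is client-controlled; nothing here validates the decoded
     // members beyond the `ajax` marker, so downstream code must treat them
     // exactly like any other request parameter.
     $raw = file_get_contents('php://input');
     $data = ($raw === false || $raw === '') ? null : json_decode($raw, true);

     // json_decode() also yields scalars for bodies such as `1` or `"x"`;
     // only a decoded object/array may be indexed, otherwise
     // array_key_exists() errors out instead of simply not matching.
     if (is_array($data) && array_key_exists('ajax', $data) && $data['ajax'] === 1) {
         $input = new F0FInput();
         // array_merge: a JSON member wins over a same-named request value
         $param = array_merge($input->getData(), $data);
         $config['input'] = $param;
     }
     parent::__construct($config);
 }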
コード例 #2
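 /**
  * Common method to handle apply and save tasks
  *
  * Saves the request data through the model, checks the record back in
  * when an existing one was updated, and on failure redirects back to the
  * edit/add form (or to a validated return URL) with the model errors.
  *
  * Declared plain `private`: a private method can never be overridden, so
  * the former `final` modifier added nothing and PHP 8 warns about it.
  *
  * @return  boolean  Returns true on success
  */
 private function applySave()
 {
     // Load the model
     $model = $this->getThisModel();
     if (!$model->getId()) {
         $model->setIDsFromRequest();
     }
     // A non-zero id before saving means we are updating an existing record
     $id = $model->getId();
     $data = $this->input->getData();
     if (!$this->onBeforeApplySave($data)) {
         return false;
     }
     // Set the layout to form, if it's not set in the URL
     if (is_null($this->layout)) {
         $this->layout = 'form';
     }
     // Do I have a form?
     $model->setState('form_name', 'form.' . $this->layout);
     $status = $model->save($data);
     if ($status && $id != 0) {
         // NOTE(review): "201 Created" is sent for an *update* here; kept as-is
         // because API clients may rely on it, but 200 would be the usual code.
         F0FPlatform::getInstance()->setHeader('Status', '201 Created', true);
         // Try to check-in the record if it's not a new one
         $status = $model->checkin();
     }
     if ($status) {
         $status = $this->onAfterApplySave();
     }
     $this->input->set('id', $model->getId());
     if (!$status) {
         // Redirect on error
         $id = $model->getId();
         // returnurl is client-supplied: decode it strictly (malformed base64
         // becomes false, not a mangled string) and honour it only when it
         // points back into this site, so a failed save cannot be turned into
         // an open redirect to an arbitrary external URL.
         $customURL = $this->input->get('returnurl', '', 'string');
         if ($customURL) {
             $customURL = base64_decode($customURL, true);
         }
         if (!empty($customURL) && !JUri::isInternal($customURL)) {
             $customURL = '';
         }
         if (!empty($customURL)) {
             $url = $customURL;
         } elseif ($id != 0) {
             $url = 'index.php?option=' . $this->component . '&view=' . $this->view . '&task=edit&id=' . $id . $this->getItemidURLSuffix();
         } else {
             $url = 'index.php?option=' . $this->component . '&view=' . $this->view . '&task=add' . $this->getItemidURLSuffix();
         }
         // NOTE(review): the model errors are rendered as HTML list items
         // without escaping; safe only if getErrors() never echoes raw user
         // input — confirm against the model.
         $this->setRedirect($url, '<li>' . implode('</li><li>', $model->getErrors()) . '</li>', 'error');
         return false;
     }
     // Success: discard the form data stashed in the session for this record
     $session = JFactory::getSession();
     $session->set($model->getHash() . 'savedata', null);
     return true;
 }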
コード例 #3
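 /**
  * Filters visitor access using WAF blacklist rules
  *
  * Loads the blacklist rules that apply to the current verb/option/view/task
  * (rules with empty values act as wildcards), tests each one against the GET
  * and POST parameters separately, and blocks the request on the first match.
  * A DB failure or an empty rule set lets the request through untouched.
  */
 public function onAfterInitialise()
 {
     $db = $this->db;
     // REQUEST_METHOD is absent under CLI; fall back to '' instead of warning
     $verb = isset($_SERVER['REQUEST_METHOD']) ? strtoupper($_SERVER['REQUEST_METHOD']) : '';
     // Every value is quoted through $db->q() before it reaches the IN() lists
     $method = array($db->q(''), $db->q($verb));
     $option = array($db->q(''));
     $view = array($db->q(''));
     $task = array($db->q(''));
     if ($this->input->getCmd('option', '')) {
         $option[] = $db->q($this->input->getCmd('option', ''));
     }
     if ($this->input->getCmd('view', '')) {
         $view[] = $db->q($this->input->getCmd('view', ''));
     }
     if ($this->input->getCmd('task', '')) {
         $task[] = $db->q($this->input->getCmd('task', ''));
     }
     // Let's get the rules for the current input values or the empty ones
     $query = $db->getQuery(true)
         ->select('*')
         ->from($db->qn('#__admintools_wafblacklists'))
         ->where($db->qn('verb') . ' IN(' . implode(',', $method) . ')')
         ->where($db->qn('option') . ' IN(' . implode(',', $option) . ')')
         ->where($db->qn('view') . ' IN(' . implode(',', $view) . ')')
         ->where($db->qn('task') . ' IN(' . implode(',', $task) . ')')
         ->group($db->qn('query'))
         ->order($db->qn('query') . ' ASC');
     try {
         $rules = $db->setQuery($query)->loadObjectList();
     } catch (Exception $e) {
         // Deliberately fail open: a DB error must not take the whole site down
         return;
     }
     if (!$rules) {
         return;
     }
     // I can't use JInput since it will fetch data from cookies, too.
     $get = new F0FInput('get');
     $post = new F0FInput('post');
     // Ok, let's analyze all the matching rules
     $block = false;
     foreach ($rules as $rule) {
         // Empty query => block everything for this VERB/OPTION/VIEW/TASK combination
         if (!$rule->query) {
             $block = true;
             break;
         }
         // GET and POST are checked in two separate passes, otherwise a
         // benign GET parameter could mask a malicious POST one
         if ($this->wafRuleMatches($rule, $get->getData()) || $this->wafRuleMatches($rule, $post->getData())) {
             $block = true;
             break;
         }
     }
     if ($block) {
         $this->exceptionsHandler->blockRequest('wafblacklist');
     }
 }

 /**
  * Checks one blacklist rule against a set of request parameters
  *
  * @param   object  $rule  Blacklist row (query, query_type, query_content)
  * @param   array   $data  Request parameters, name => value
  *
  * @return  boolean  True if the rule matches and the request must be blocked
  */
 private function wafRuleMatches($rule, $data)
 {
     foreach ($data as $key => $value) {
         // Does the parameter name match? P = partial, R = regex, else exact
         if ($rule->query_type == 'P') {
             $found = stripos($key, $rule->query) !== false;
         } elseif ($rule->query_type == 'R') {
             // An invalid rule regex fails open here: @ hides the warning and
             // preg_match() returns false. That keeps legitimate traffic
             // flowing, but rule patterns should be validated when saved.
             $found = (bool) @preg_match($rule->query, $key);
         } else {
             $found = ($key == $rule->query);
         }
         if (!$found) {
             continue;
         }
         // Ok, the query parameter is set, do I have any specific rule about the content?
         // Empty => always block, no matter what
         if (!$rule->query_content) {
             return true;
         }
         // I have to run a regex on the value
         if ($this->wafValueMatches($rule->query_content, $value)) {
             return true;
         }
     }
     return false;
 }

 /**
  * Runs a rule's content regex against a request value, descending into arrays
  *
  * A nested parameter (foo[bar]=x) arrives as an array. preg_match() on an
  * array is a TypeError on PHP 8 and a suppressed false before that, so the
  * old code either crashed or silently fell open on such values; every leaf
  * value is tested instead.
  *
  * @param   string  $pattern  PCRE pattern from the rule
  * @param   mixed   $value    Request value, scalar or nested array
  *
  * @return  boolean  True if any leaf value matches the pattern
  */
 private function wafValueMatches($pattern, $value)
 {
     if (is_array($value)) {
         foreach ($value as $leaf) {
             if ($this->wafValueMatches($pattern, $leaf)) {
                 return true;
             }
         }
         return false;
     }
     // Same fail-open caveat as the key regex: an invalid pattern yields false
     return (bool) @preg_match($pattern, (string) $value);
 }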