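/**
 * Public constructor of the Controller class
 *
 * When the request body is a JSON object whose "ajax" member is the integer 1,
 * its members are merged over the regular request input (later keys win, see
 * array_merge) and the result is handed to the parent as $config['input'].
 * Any other body - unreadable stream, empty, non-JSON, a JSON scalar or a
 * JSON object without "ajax": 1 - is ignored.
 *
 * @param array $config Optional configuration parameters
 */
public function __construct($config = array())
{
    // No JInputJSON in J2.5, so the raw body is read and decoded here
    $raw = file_get_contents('php://input');
    $data = is_string($raw) ? json_decode($raw, true) : null;

    // is_array() guards the key lookup: a JSON scalar such as 1 or "x" is
    // truthy but not an array, and array_key_exists() on it fails.
    if (is_array($data) && array_key_exists('ajax', $data) && $data['ajax'] === 1)
    {
        $input = new F0FInput();

        // JSON members override same-named request parameters
        $param = array_merge($input->getData(), $data);
        $config['input'] = $param;
    }

    parent::__construct($config);
}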
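/**
 * Common method to handle apply and save tasks
 *
 * Loads the model (taking its IDs from the request when none is set yet), then
 * runs onBeforeApplySave, save, checkin (existing records only) and
 * onAfterApplySave. On failure the user is redirected back to the edit/add form
 * - or to the decoded "returnurl" request parameter - with the model's errors.
 *
 * Declared private without "final": a private method can never be overridden,
 * and PHP 8 warns about "final private".
 *
 * @return boolean Returns true on success
 */
private function applySave()
{
    // Load the model
    $model = $this->getThisModel();

    if (!$model->getId())
    {
        $model->setIDsFromRequest();
    }

    // $id is captured before save(): non-zero means an existing record
    $id = $model->getId();
    $data = $this->input->getData();

    if (!$this->onBeforeApplySave($data))
    {
        return false;
    }

    // Set the layout to form, if it's not set in the URL
    if (is_null($this->layout))
    {
        $this->layout = 'form';
    }

    // Do I have a form?
    $model->setState('form_name', 'form.' . $this->layout);

    $status = $model->save($data);

    if ($status && $id != 0)
    {
        // NOTE(review): 201 Created is sent for saves of existing records - confirm intended
        F0FPlatform::getInstance()->setHeader('Status', '201 Created', true);

        // Try to check-in the record if it's not a new one
        $status = $model->checkin();
    }

    if ($status)
    {
        $status = $this->onAfterApplySave();
    }

    $this->input->set('id', $model->getId());

    if ($status)
    {
        $session = JFactory::getSession();
        $session->set($model->getHash() . 'savedata', null);

        return true;
    }

    // Redirect on error
    $this->setRedirect(
        $this->getApplySaveErrorUrl($model->getId()),
        '<li>' . implode('</li><li>', $model->getErrors()) . '</li>',
        'error'
    );

    return false;
}

/**
 * Builds the URL the user is sent back to when applySave() fails
 *
 * A base64-encoded "returnurl" request parameter takes precedence; otherwise
 * the edit form (non-zero id) or the add form of the current view is used.
 *
 * @param mixed $id The model's record id after the failed save
 *
 * @return string
 */
private function getApplySaveErrorUrl($id)
{
    $customURL = $this->input->get('returnurl', '', 'string');

    if ($customURL)
    {
        // Strict decoding returns false for input outside the base64 alphabet
        // instead of turning it into arbitrary bytes that would be used as a URL
        $customURL = base64_decode($customURL, true);
    }

    if (!empty($customURL))
    {
        // NOTE(review): the target comes straight from the request; this relies
        // on setRedirect() or upstream code to reject off-site URLs - confirm
        return $customURL;
    }

    if ($id != 0)
    {
        return 'index.php?option=' . $this->component . '&view=' . $this->view
            . '&task=edit&id=' . $id . $this->getItemidURLSuffix();
    }

    return 'index.php?option=' . $this->component . '&view=' . $this->view
        . '&task=add' . $this->getItemidURLSuffix();
}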
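/**
 * Filters visitor access using WAF blacklist rules
 *
 * Loads the #__admintools_wafblacklists rows whose verb, option, view and task
 * each equal the current request value or the empty "any" value, and blocks
 * the request through the exceptions handler when one of them matches. A
 * database error or an empty rule set lets the request through unchanged.
 *
 * @return void
 */
public function onAfterInitialise()
{
    $db = $this->db;

    // REQUEST_METHOD is absent outside a web SAPI (e.g. CLI); fall back to ''
    $verb = isset($_SERVER['REQUEST_METHOD']) ? strtoupper($_SERVER['REQUEST_METHOD']) : '';

    // Each list holds the empty ("any") value plus the current value, when set
    $method = array($db->q(''), $db->q($verb));
    $option = array($db->q(''));
    $view = array($db->q(''));
    $task = array($db->q(''));

    if ($this->input->getCmd('option', ''))
    {
        $option[] = $db->q($this->input->getCmd('option', ''));
    }

    if ($this->input->getCmd('view', ''))
    {
        $view[] = $db->q($this->input->getCmd('view', ''));
    }

    if ($this->input->getCmd('task', ''))
    {
        $task[] = $db->q($this->input->getCmd('task', ''));
    }

    // Let's get the rules for the current input values or the empty ones
    $query = $db->getQuery(true)
        ->select('*')
        ->from($db->qn('#__admintools_wafblacklists'))
        ->where($db->qn('verb') . ' IN(' . implode(',', $method) . ')')
        ->where($db->qn('option') . ' IN(' . implode(',', $option) . ')')
        ->where($db->qn('view') . ' IN(' . implode(',', $view) . ')')
        ->where($db->qn('task') . ' IN(' . implode(',', $task) . ')')
        ->group($db->qn('query'))
        ->order($db->qn('query') . ' ASC');

    try
    {
        $rules = $db->setQuery($query)->loadObjectList();
    }
    catch (Exception $e)
    {
        // A failing rules query does not block the request
        return;
    }

    if (!$rules)
    {
        return;
    }

    // I can't use JInput since it will fetch data from cookies, too.
    $get = new F0FInput('get');
    $post = new F0FInput('post');

    // Ok, let's analyze all the matching rules
    $block = false;

    foreach ($rules as $rule)
    {
        // Empty query => block everything for this VERB/OPTION/VIEW/TASK combination
        if (!$rule->query)
        {
            $block = true;
            break;
        }

        // GET and POST are checked separately, otherwise a valid GET request could mask a malicious POST one
        if ($this->wafBlacklistRuleMatches($rule, $get->getData())
            || $this->wafBlacklistRuleMatches($rule, $post->getData()))
        {
            $block = true;
            break;
        }
    }

    if ($block)
    {
        $this->exceptionsHandler->blockRequest('wafblacklist');
    }
}

/**
 * Tells whether one blacklist rule matches any parameter of a request dataset
 *
 * @param object $rule A rule row with query, query_type and query_content
 * @param array  $data Parameter name => value pairs, e.g. from F0FInput::getData()
 *
 * @return boolean True when the rule matches and the request must be blocked
 */
private function wafBlacklistRuleMatches($rule, array $data)
{
    foreach ($data as $key => $value)
    {
        // Array keys that look numeric are ints; compare them as strings
        if (!$this->wafBlacklistKeyMatches($rule, (string) $key))
        {
            continue;
        }

        // Ok, the query parameter is set, do I have any specific rule about the content?
        // Empty => always block, no matter what
        if (!$rule->query_content)
        {
            return true;
        }

        // I have to run a regex on the value
        if ($this->wafBlacklistValueMatches($rule->query_content, $value))
        {
            return true;
        }
    }

    return false;
}

/**
 * Matches a parameter name against a rule's query, honouring the rule's query_type
 *
 * @param object $rule A rule row; query_type 'P' = partial (case-insensitive
 *                     substring), 'R' = regex, anything else = exact match
 * @param string $key  The parameter name
 *
 * @return boolean
 */
private function wafBlacklistKeyMatches($rule, $key)
{
    if ($rule->query_type === 'P')
    {
        return stripos($key, $rule->query) !== false;
    }

    if ($rule->query_type === 'R')
    {
        // @ silences the warning an invalid stored pattern raises; preg_match()
        // then returns false, which counts as "no match"
        return @preg_match($rule->query, $key) === 1;
    }

    return $key === (string) $rule->query;
}

/**
 * Matches a parameter value against a rule's query_content regex
 *
 * Nested (array) values are walked so every scalar leaf is checked;
 * preg_match() on an array would fail instead of matching.
 *
 * @param string $pattern The rule's query_content regex
 * @param mixed  $value   The parameter value, scalar or (nested) array
 *
 * @return boolean
 */
private function wafBlacklistValueMatches($pattern, $value)
{
    if (is_array($value))
    {
        foreach ($value as $item)
        {
            if ($this->wafBlacklistValueMatches($pattern, $item))
            {
                return true;
            }
        }

        return false;
    }

    // @ silences the warning an invalid stored pattern raises (see wafBlacklistKeyMatches)
    return @preg_match($pattern, (string) $value) === 1;
}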