Merge pull request #10478 from snipe/fixes/whitelist_modal_views

Added allow list to modal view options
This commit is contained in:
snipe 2021-12-30 18:29:30 -08:00 committed by GitHub
commit 39a5b6b426
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -6,7 +6,31 @@ use App\Helpers\Helper;
class ModalController extends Controller class ModalController extends Controller
{ {
/**
* Load the modal views after confirming they are in the allowed_types array.
* The allowed types away just prevents shithead skiddies from fuzzing the urls
* with automated scripts and junking up the logs. - snipe
*/
function show ($type, $itemId = null) { function show ($type, $itemId = null) {
$allowed_types = [
'category',
'kit-model',
'kit-license',
'kit-consumable',
'kit-accessory',
'location',
'manufacturer',
'model',
'statuslabel',
'supplier',
'upload-file',
'user',
];
if (in_array($type, $allowed_types)) {
$view = view("modals.${type}"); $view = view("modals.${type}");
if ($type == "statuslabel") { if ($type == "statuslabel") {
@ -17,4 +41,8 @@ class ModalController extends Controller
} }
return $view; return $view;
} }
abort(404,'Page not found');
}
} }
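Review bot: The new docblock above `show()` misdescribes the check it documents — besides the typo `away` for `array`, it says the list only keeps fuzzers out of the logs, yet it is now the only thing standing between the route-supplied `$type` and `view("modals.${type}")` on the following line, which is exactly why a future maintainer must not loosen it. I would reword it to `Only render modal views named in $allowed_types: $type comes straight from the route, so this list is what keeps callers from resolving arbitrary view names (and, as a side effect, keeps URL fuzzing out of the logs).` and drop the slur. Two smaller points on the same hunk: `if (in_array($type, $allowed_types, true)) {` should pass `strict: true` as a matter of habit, and the list would read better as a `private const ALLOWED_TYPES = [...]` on the class than as a local rebuilt on every call. The `${type}` interpolation on the unchanged context line is deprecated from PHP 8.2, so `"modals.{$type}"` is worth fixing while here.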