author | Bharat Mediratta <bharat@menalto.com> | 2012-07-21 15:42:52 -0700 |
---|---|---|
committer | Bharat Mediratta <bharat@menalto.com> | 2012-07-21 15:42:52 -0700 |
commit | 8524fba15a4cbabe1d6c4e60bdfe9e766eca1fdc (patch) | |
tree | 28af1599c0375e4da909d0b4241cf7b3ae0bffa8 /modules | |
parent | 27e253401678b28527444c7e4e0faa5afc95d708 (diff) |
Sanitize the module name and don't allow storing values for illegal
module names. Fixes #1898.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/gallery/controllers/admin_advanced_settings.php | 30 | ||||
-rw-r--r-- | modules/gallery/views/admin_advanced_settings.html.php | 2 |
2 files changed, 18 insertions, 14 deletions
diff --git a/modules/gallery/controllers/admin_advanced_settings.php b/modules/gallery/controllers/admin_advanced_settings.php
index 1ce47529..752a2e81 100644
--- a/modules/gallery/controllers/admin_advanced_settings.php
+++ b/modules/gallery/controllers/admin_advanced_settings.php
@@ -30,24 +30,28 @@ class Admin_Advanced_Settings_Controller extends Admin_Controller {
 }
 public function edit($module_name, $var_name) {
- $value = module::get_var($module_name, $var_name);
- $form = new Forge("admin/advanced_settings/save/$module_name/$var_name", "", "post");
- $group = $form->group("edit_var")->label(t("Edit setting"));
- $group->input("module_name")->label(t("Module"))->value($module_name)->disabled(1);
- $group->input("var_name")->label(t("Setting"))->value($var_name)->disabled(1);
- $group->textarea("value")->label(t("Value"))->value($value);
- $group->submit("")->value(t("Save"));
- print $form;
+ if (module::is_installed($module_name)) {
+ $value = module::get_var($module_name, $var_name);
+ $form = new Forge("admin/advanced_settings/save/$module_name/$var_name", "", "post");
+ $group = $form->group("edit_var")->label(t("Edit setting"));
+ $group->input("module_name")->label(t("Module"))->value($module_name)->disabled(1);
+ $group->input("var_name")->label(t("Setting"))->value($var_name)->disabled(1);
+ $group->textarea("value")->label(t("Value"))->value($value);
+ $group->submit("")->value(t("Save"));
+ print $form;
+ }
 }
 public function save($module_name, $var_name) {
 access::verify_csrf();
- module::set_var($module_name, $var_name, Input::instance()->post("value"));
- message::success(
- t("Saved value for %var (%module_name)",
- array("var" => $var_name, "module_name" => $module_name)));
+ if (module::is_installed($module_name)) {
+ module::set_var($module_name, $var_name, Input::instance()->post("value"));
+ message::success(
+ t("Saved value for %var (%module_name)",
+ array("var" => $var_name, "module_name" => $module_name)));
- json::reply(array("result" => "success"));
+ json::reply(array("result" => "success"));
+ }
 }
 }
diff --git a/modules/gallery/views/admin_advanced_settings.html.php b/modules/gallery/views/admin_advanced_settings.html.php
index 8d21d890..6745f0df 100644
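Review bot: In both `edit()` and `save()` the new `module::is_installed()` wrapper silently does nothing when the module name is unknown — `edit()` prints nothing and `save()` returns without a `json::reply`, so the client receives an empty 200 and a CSRF-verified save request looks as if it succeeded. A guard clause that fails explicitly would keep the original bodies unindented and give the caller a definite answer, e.g. `if (!module::is_installed($module_name)) { throw new Kohana_404_Exception(); }` at the top of each method (assuming the 404 exception is this codebase's convention for bad ids, as it appears to be elsewhere). Note the check constrains only `$module_name`; `$var_name` still flows unvalidated into the Forge action URL `"admin/advanced_settings/save/$module_name/$var_name"` and into `->value($var_name)`, so whether it is escaped depends on Forge, which is not visible in this hunk.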
--- a/modules/gallery/views/admin_advanced_settings.html.php
+++ b/modules/gallery/views/admin_advanced_settings.html.php
@@ -19,7 +19,7 @@
 </tr>
 <? foreach ($vars as $var): ?>
 <tr class="setting-row <?= text::alternate("g-odd", "g-even") ?>">
- <td> <?= $var->module_name ?> </td>
+ <td> <?= html::clean($var->module_name) ?> </td>
 <td> <?= html::clean($var->name) ?> </td>
 <td>
 <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . html::clean($var->name)) ?>" |
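Review bot: The `href` on the hunk's last line still interpolates `$var->module_name` raw inside `url::site(...)` while the sibling `$var->name` is passed through `html::clean`, so the escaping added to the cell above is not applied consistently within the same row. Whether `url::site` escapes its argument is not visible here; if it does not, `"admin/advanced_settings/edit/" . html::clean($var->module_name) . "/" . html::clean($var->name)` would match the treatment of the cell. Since the controller change in this commit only acts on installed module names, the remaining exposure is the rendered attribute rather than what the server accepts.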