From 934d29f4cfc4cb88e0ef7cc38f19870a6a4ccf9b Mon Sep 17 00:00:00 2001
From: Ro
Date: Tue, 14 Sep 2021 12:47:57 -0700
Subject: [PATCH] added field check for page edits to make sure unnecessary fields are not being added
---
 brain/api/v1/PagesAPI.inc.php | 36 ++++++++++++++++++++++++++++++++++-
 brain/data/Book.inc.php | 4 +++-
 2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/brain/api/v1/PagesAPI.inc.php b/brain/api/v1/PagesAPI.inc.php
index 4ea4a30..79bbc8b 100644
--- a/brain/api/v1/PagesAPI.inc.php
+++ b/brain/api/v1/PagesAPI.inc.php
@@ -105,6 +105,7 @@ class PagesAPI
 case "create":
 case "write":
 $body = $request->getParsedBody();
+ $passed = true;
 if (!isset($body["form_token"])) {
 $result = [
 "message" => "No form token. Not good, sport.",
@@ -113,7 +114,40 @@ class PagesAPI
 } else {
 if ($body["form_token"] == Session::get("form_token")) {
 //TODO: Verify form fields
- $result = (new Book("../content/pages"))->editPage($task, $request);
+ $keys = [
+ "id",
+ "uuid",
+ "layout",
+ "current_title",
+ "content",
+ "title",
+ "created",
+ "slug",
+ "tags",
+ "menu",
+ "featured",
+ "published",
+ "form_token",
+ "feature_image",
+ ];
+ foreach ($body as $key => $item) {
+ if (!in_array($key, $keys)) {
+ //found unnecessary key, so reject submission
+ $passed = false;
+ }
+ }
+ if ($passed) {
+ $result = (new Book("../content/pages"))->editPage(
+ $task,
+ $request
+ );
+ } else {
+ $result = [
+ "message" => "Form token, auth failed. Uh oh.",
+ "type" => "TASK_FORM_AUTH",
+ ];
+ }
 } else {
 $result = [
 "message" => "Form token, auth failed. Uh oh.",
diff --git a/brain/data/Book.inc.php b/brain/data/Book.inc.php
index ff3e578..fe40cc3 100644
--- a/brain/data/Book.inc.php
+++ b/brain/data/Book.inc.php
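Review bot: The allowlist loop added in the `@@ -113,7 +114,40 @@` hunk compares keys with a loose `in_array($key, $keys)`; pass the strict flag and stop at the first miss, `if (!in_array($key, $keys, true)) { $passed = false; break; }`. The rejection branch reuses the token-failure response (`"Form token, auth failed. Uh oh."` / `TASK_FORM_AUTH`), so a client or a log reader cannot tell a rejected field from a bad token; a distinct message and type (for example `TASK_FORM_FIELDS`, a placeholder name) would make the new check observable. The check only rejects unknown key names and does not validate the values of the allowed keys, so the `//TODO: Verify form fields` comment above it still applies and should stay. The token comparison on the context line (`==`) is pre-existing, but `hash_equals()` is the usual constant-time choice when this code is next touched. The enclosing `switch` and method start and end outside both hunks.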
@@ -148,7 +148,9 @@ class Book
 "id" => $uuid,
 ];
- //**just testing to see why indexing isn't working **
+ //TODO: When form submission is successful, make new form token
+ $form_token = md5(uniqid(microtime(), true));
+ Session::set("form_token", $form_token);
 //once saved, update menu
 $body["path"] = $path;
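Review bot: The new session form token on `$form_token = md5(uniqid(microtime(), true));` is derived from time-based values, so it is predictable rather than random; since PagesAPI compares the submitted form token against this session value, it should come from a CSPRNG, `$form_token = bin2hex(random_bytes(16));`. The `//TODO` comment above it says the token should be rotated on successful submission, yet in what the hunk shows the rotation is unconditional — either the comment is stale or the rotation belongs behind the success path; the enclosing method starts and ends outside the hunk, so I cannot confirm which from here. Rotating the token in the data layer while the check lives in the API layer also splits the token lifecycle across two files; a one-line comment here naming the consumer in PagesAPI would help the next reader.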