From faa99d43ebe1e48fb2a1e866313a1082e2798199 Mon Sep 17 00:00:00 2001
From: printempw <h@prinzeugen.net>
Date: Thu, 12 May 2016 22:01:38 +0800
Subject: [PATCH] rewrited implementation of showing msg to prevent XSS attack,
 close #14

---
 admin/adduser.php                |  4 ++--
 admin/admin_ajax.php             |  4 ++--
 admin/customize.php              |  4 ++--
 admin/index.php                  |  4 ++--
 admin/manage.php                 |  4 ++--
 admin/options.php                |  4 ++--
 admin/update.php                 |  4 ++--
 index.php                        | 10 ++++++----
 libraries/Utils.class.php        |  6 ++++--
 libraries/session.inc.php        |  6 +++---
 setup/install.php                |  4 ++--
 templates/admin/download.tpl.php |  2 +-
 12 files changed, 30 insertions(+), 26 deletions(-)

diff --git a/admin/adduser.php b/admin/adduser.php
index 33e31f58..b32f72a5 100644
--- a/admin/adduser.php
+++ b/admin/adduser.php
@@ -3,10 +3,10 @@
  * @Author: printempw
  * @Date:   2016-03-19 21:00:58
  * @Last Modified by:   printempw
- * @Last Modified time: 2016-04-03 20:58:33
+ * @Last Modified time: 2016-05-12 21:53:48
  */
 require "../libraries/session.inc.php";
-if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
+if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
 View::show('admin/header', array('page_title' => "添加用户"));
 $db = new Database\Database('users');
 ?>
diff --git a/admin/admin_ajax.php b/admin/admin_ajax.php
index 5956c72e..cb512e12 100644
--- a/admin/admin_ajax.php
+++ b/admin/admin_ajax.php
@@ -3,12 +3,12 @@
  * @Author: printempw
  * @Date:   2016-02-04 13:53:55
  * @Last Modified by:   printempw
- * @Last Modified time: 2016-04-03 08:26:15
+ * @Last Modified time: 2016-05-12 21:53:48
  */
 require "../libraries/session.inc.php";
 
 // Check token, won't allow non-admin user to access
-if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
+if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
 
 /*
  * No protection here,
diff --git a/admin/customize.php b/admin/customize.php
index 597169a5..c4ec1a9c 100644
--- a/admin/customize.php
+++ b/admin/customize.php
@@ -3,10 +3,10 @@
  * @Author: printempw
  * @Date:   2016-03-19 14:34:21
  * @Last Modified by:   printempw
- * @Last Modified time: 2016-04-03 20:58:26
+ * @Last Modified time: 2016-05-12 21:53:48
  */
 require "../libraries/session.inc.php";
-if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
+if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
 $data['style'] = <<< 'EOT'
 <link rel="stylesheet" href="../assets/libs/AdminLTE/dist/css/skins/_all-skins.min.css">
 <style>
diff --git a/admin/index.php b/admin/index.php
index 9fe407c3..6b27e92c 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -3,10 +3,10 @@
  * @Author: printempw
  * @Date:   2016-02-03 14:39:50
  * @Last Modified by:   printempw
- * @Last Modified time: 2016-04-03 20:58:22
+ * @Last Modified time: 2016-05-12 21:53:49
  */
 require "../libraries/session.inc.php";
-if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
+if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
 View::show('admin/header', array('page_title' => "仪表盘"));
 $db = new Database\Database('users');
 ?>
diff --git a/admin/manage.php b/admin/manage.php
index 9a45c1dd..41d8d820 100644
--- a/admin/manage.php
+++ b/admin/manage.php
@@ -3,10 +3,10 @@
  * @Author: printempw
  * @Date:   2016-03-06 14:19:20
  * @Last Modified by:   printempw
- * @Last Modified time: 2016-04-03 20:58:13
+ * @Last Modified time: 2016-05-12 21:53:49
  */
 require "../libraries/session.inc.php";
-if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
+if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
 View::show('admin/header', array('page_title' => "用户管理"));
 $db = new Database\Database('users');
 
diff --git a/admin/options.php b/admin/options.php
index acb6a323..1849ba5b 100644
--- a/admin/options.php
+++ b/admin/options.php
@@ -3,10 +3,10 @@
  * @Author: printempw
  * @Date:   2016-03-18 22:50:25
  * @Last Modified by:   printempw
- * @Last Modified time: 2016-04-04 08:36:45
+ * @Last Modified time: 2016-05-12 21:53:49
  */
 require "../libraries/session.inc.php";
-if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
+if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
 View::show('admin/header', array('page_title' => "站点配置"));
 $db = new Database\Database('users');
 ?>
diff --git a/admin/update.php b/admin/update.php
index 5bd2a0f3..e6bc749a 100644
--- a/admin/update.php
+++ b/admin/update.php
@@ -3,10 +3,10 @@
  * @Author: printempw
  * @Date:   2016-03-27 15:03:40
  * @Last Modified by:   printempw
- * @Last Modified time: 2016-04-03 21:05:51
+ * @Last Modified time: 2016-05-12 21:53:49
  */
 require "../libraries/session.inc.php";
-if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
+if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
 $action = isset($_GET['action']) ? $_GET['action'] : "";
 
 $updater = new Updater(Option::get('current_version'));
diff --git a/index.php b/index.php
index ee8ab0d6..7a8ef307 100755
--- a/index.php
+++ b/index.php
@@ -3,7 +3,7 @@
  * @Author: printempw
  * @Date:   2016-01-17 13:55:20
  * @Last Modified by:   printempw
- * @Last Modified time: 2016-04-11 17:01:15
+ * @Last Modified time: 2016-05-12 21:57:53
  */
 session_start();
 $dir = dirname(__FILE__);
@@ -139,8 +139,10 @@ if (isset($_COOKIE['uname']) && isset($_COOKIE['token'])) {
 <script type="text/javascript" src="./assets/js/index.utils.js"></script>
 <script><?php echo Option::get('custom_js'); ?></script>
 
-<?php if (isset($_GET['msg'])): ?>
-<script type="text/javascript"> showAlert("<?php echo $_GET['msg']; ?>"); </script>
-<?php endif; ?>
+<?php
+if (isset($_SESSION['msg'])) {
+    echo "<script type='text/javascript'> showAlert('".htmlspecialchars($_SESSION['msg'])."'); </script>";
+    unset($_SESSION['msg']);
+} ?>
 </body>
 </html>
diff --git a/libraries/Utils.class.php b/libraries/Utils.class.php
index 5c0bbee4..90985283 100644
--- a/libraries/Utils.class.php
+++ b/libraries/Utils.class.php
@@ -3,7 +3,7 @@
  * @Author: printempw
  * @Date:   2016-01-16 23:01:33
  * @Last Modified by:   printempw
- * @Last Modified time: 2016-04-03 22:14:39
+ * @Last Modified time: 2016-05-12 21:54:14
  */
 
 class Utils
@@ -227,7 +227,9 @@ class Utils
      * @param  string $url
      * @return null
      */
-    public static function redirect($url, $use_js = false) {
+    public static function redirect($url, $msg = "", $use_js = false) {
+        if ($msg != "") $_SESSION['msg'] = $msg;
+
         if ($use_js)
             echo "<script>window.location = '$url';</script>";
         else
diff --git a/libraries/session.inc.php b/libraries/session.inc.php
index 606fed3c..82c6bda2 100644
--- a/libraries/session.inc.php
+++ b/libraries/session.inc.php
@@ -3,7 +3,7 @@
  * @Author: printempw
  * @Date:   2016-02-06 23:18:49
  * @Last Modified by:   printempw
- * @Last Modified time: 2016-04-03 07:55:52
+ * @Last Modified time: 2016-05-12 21:54:47
  */
 session_start();
 $dir = dirname(dirname(__FILE__));
@@ -18,8 +18,8 @@ if(isset($_COOKIE['uname']) && isset($_COOKIE['token'])) {
 if (isset($_SESSION['uname'])) {
     $user = new User($_SESSION['uname']);
     if ($_SESSION['token'] != $user->getToken()) {
-        Utils::redirect('../index.php?msg=无效的 token，请重新登录。');
+        Utils::redirect('../index.php', '无效的 token，请重新登录。');
     }
 } else {
-    Utils::redirect('../index.php?msg=非法访问，请先登录。');
+    Utils::redirect('../index.php', '非法访问，请先登录。');
 }
diff --git a/setup/install.php b/setup/install.php
index 9c5a257f..277be49c 100644
--- a/setup/install.php
+++ b/setup/install.php
@@ -3,7 +3,7 @@
  * @Author: printempw
  * @Date:   2016-01-16 23:01:33
  * @Last Modified by:   printempw
- * @Last Modified time: 2016-04-03 17:14:26
+ * @Last Modified time: 2016-05-12 21:57:21
  *
  * Blessing Skin Server Installer
  */
@@ -89,7 +89,7 @@ case 1: ?>
             </td>
         </tr>
     </table>
-<?php if (isset($_GET['msg'])) echo "<div class='alert alert-warning' role='alert'>".$_GET['msg']."</div>"; ?>
+<?php if (isset($_GET['msg'])) echo "<div class='alert alert-warning' role='alert'>".htmlspecialchars($_GET['msg'])."</div>"; ?>
 <p class="step"><input type="submit" name="Submit" id="submit" class="button button-large" value="开始安装"  /></p>
 </form>
 <?php break;
diff --git a/templates/admin/download.tpl.php b/templates/admin/download.tpl.php
index e717df34..d14857f5 100644
--- a/templates/admin/download.tpl.php
+++ b/templates/admin/download.tpl.php
@@ -49,7 +49,7 @@
                     $_SESSION['downloaded_version'] = $updater->latest_version;
 
                 } else {
-                    Utils::redirect('update.php', true);
+                    Utils::redirect('update.php', '', true);
                 } ?>
             </div><!-- /.box-body -->
             <div class="box-footer">