authorcash <cash.costello@gmail.com>2012-01-11 22:39:59 -0500
committercash <cash.costello@gmail.com>2012-01-11 22:39:59 -0500
commit0c1ee36d6aa220376537324d427741861e00138a (patch)
tree8d7772fa484ce27ea1e9e69341c415e8b3efdccc /engine
parenta3f0353600e749a16abbdab3cbc75b3469d6fd69 (diff)
downloadelgg-0c1ee36d6aa220376537324d427741861e00138a.tar.gz
elgg-0c1ee36d6aa220376537324d427741861e00138a.tar.bz2
Fixes #4292 added a white list for ajax views
Diffstat (limited to 'engine')
-rw-r--r--engine/lib/elgglib.php6
-rw-r--r--engine/lib/views.php33
2 files changed, 39 insertions, 0 deletions
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
index b044d230f..9035d95f2 100644
--- a/engine/lib/elgglib.php
+++ b/engine/lib/elgglib.php
@@ -1777,6 +1777,12 @@ function elgg_ajax_page_handler($page) {
unset($page[0]);
$view = implode('/', $page);
+ $allowed_views = elgg_get_config('allowed_ajax_views');
+ if (!array_key_exists($view, $allowed_views)) {
+ header('HTTP/1.1 403 Forbidden');
+ exit;
+ }
+
// pull out GET parameters through filter
$vars = array();
foreach ($_GET as $name => $value) {
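Review bot: The whitelist lookup on the added line `$allowed_views = elgg_get_config('allowed_ajax_views');` assumes the config value is already an array; if nothing has been registered yet (or a plugin clobbers that key) `array_key_exists()` is handed a non-array, which produces a PHP warning here (and a TypeError on PHP 8) rather than a quiet 403. Coerce before the check so a missing or empty whitelist still fails closed without noise: `$allowed_views = (array) elgg_get_config('allowed_ajax_views');`. The exact-key match is the right shape — variants such as a trailing slash or `..` segments in `$page` are refused rather than normalised, and an empty `$view` (nothing after the handler segment) is refused too — and that intent deserves a one-line comment above the check, e.g. `// exact-match whitelist: only views registered via elgg_register_ajax_view() may be rendered over ajax`. elgg_ajax_page_handler() starts before this hunk and continues past it.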
diff --git a/engine/lib/views.php b/engine/lib/views.php
index 85319b2d7..e59edac96 100644
--- a/engine/lib/views.php
+++ b/engine/lib/views.php
@@ -196,6 +196,37 @@ function elgg_does_viewtype_fallback($viewtype) {
return FALSE;
}
+/**
+ * Register a view to be available for ajax calls
+ *
+ * @param string $view The view name
+ * @return void
+ * @since 1.8.3
+ */
+function elgg_register_ajax_view($view) {
+ global $CONFIG;
+
+ if (!isset($CONFIG->allowed_ajax_views)) {
+ $CONFIG->allowed_ajax_views = array();
+ }
+
+ $CONFIG->allowed_ajax_views[$view] = true;
+}
+
+/**
+ * Unregister a view for ajax calls
+ *
+ * @param string $view The view name
+ * @return void
+ * @since 1.8.3
+ */
+function elgg_unregister_ajax_view($view) {
+ global $CONFIG;
+
+ if (isset($CONFIG->allowed_ajax_views[$view])) {
+ unset($CONFIG->allowed_ajax_views[$view]);
+ }
+}
/**
* Returns the file location for a view.
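Review bot: `elgg_register_ajax_view()` does not validate its argument, so an empty or non-string `$view` becomes a whitelist key; a guard such as `if (!is_string($view) || $view === '') { return; }` ahead of the assignment keeps junk entries out of the list. The docblocks should also tell callers what registration means, since nothing in this hunk persists the list: it lives in `$CONFIG` for the current request only, so plugins presumably must register on every request (from their init handler), and matching is on the exact view name (e.g. `js/languages`), not a prefix — add something like `Views are matched by exact name; registration is per request and is not stored.` to both descriptions. A `@see elgg_ajax_page_handler()` on the register function would point readers at where the list is enforced.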
@@ -1610,6 +1641,8 @@ function elgg_views_boot() {
elgg_register_css('elgg', $elgg_css_url);
elgg_load_css('elgg');
+ elgg_register_ajax_view('js/languages');
+
elgg_register_plugin_hook_handler('output:before', 'layout', 'elgg_views_add_rss_link');
// discover the built-in view types
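Review bot: `js/languages` is the only core view registered here, so after this commit every other view that used to be fetched through the ajax handler answers 403 until its owner calls `elgg_register_ajax_view()`; that is the intended hardening, but it is a behavioural change for plugins in a point release and deserves a sentence in the release/upgrade notes. A short comment on the added line would also help the next reader, e.g. `// whitelist the views core fetches over ajax; plugins must register their own via elgg_register_ajax_view()`. elgg_views_boot() starts before this hunk and continues past it.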