author | cash <cash.costello@gmail.com> | 2012-01-11 22:39:59 -0500 |
committer | cash <cash.costello@gmail.com> | 2012-01-11 22:39:59 -0500 |
commit | 0c1ee36d6aa220376537324d427741861e00138a (patch) | |
tree | 8d7772fa484ce27ea1e9e69341c415e8b3efdccc /engine | |
parent | a3f0353600e749a16abbdab3cbc75b3469d6fd69 (diff) | |
download | elgg-0c1ee36d6aa220376537324d427741861e00138a.tar.gz elgg-0c1ee36d6aa220376537324d427741861e00138a.tar.bz2 |
Fixes #4292: added a whitelist for ajax views
Diffstat (limited to 'engine')
-rw-r--r-- | engine/lib/elgglib.php | 6 | ||||
-rw-r--r-- | engine/lib/views.php | 33 |
2 files changed, 39 insertions, 0 deletions
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
index b044d230f..9035d95f2 100644
--- a/engine/lib/elgglib.php
+++ b/engine/lib/elgglib.php
@@ -1777,6 +1777,12 @@ function elgg_ajax_page_handler($page) {
 unset($page[0]);
 $view = implode('/', $page);
+ $allowed_views = elgg_get_config('allowed_ajax_views');
+ if (!array_key_exists($view, $allowed_views)) {
+ header('HTTP/1.1 403 Forbidden');
+ exit;
+ }
+
 // pull out GET parameters through filter
 $vars = array();
 foreach ($_GET as $name => $value) {
diff --git a/engine/lib/views.php b/engine/lib/views.php
index 85319b2d7..e59edac96 100644
--- a/engine/lib/views.php
+++ b/engine/lib/views.php
@@ -196,6 +196,37 @@ function elgg_does_viewtype_fallback($viewtype) {
 return FALSE;
 }
+/**
+ * Register a view to be available for ajax calls
+ *
+ * @param string $view The view name
+ * @return void
+ * @since 1.8.3
+ */
+function elgg_register_ajax_view($view) {
+ global $CONFIG;
+
+ if (!isset($CONFIG->allowed_ajax_views)) {
+ $CONFIG->allowed_ajax_views = array();
+ }
+
+ $CONFIG->allowed_ajax_views[$view] = true;
+}
+
+/**
+ * Unregister a view for ajax calls
+ *
+ * @param string $view The view name
+ * @return void
+ * @since 1.8.3
+ */
+function elgg_unregister_ajax_view($view) {
+ global $CONFIG;
+
+ if (isset($CONFIG->allowed_ajax_views[$view])) {
+ unset($CONFIG->allowed_ajax_views[$view]);
+ }
+}
 /**
 * Returns the file location for a view.
@@ -1610,6 +1641,8 @@ function elgg_views_boot() {
 elgg_register_css('elgg', $elgg_css_url);
 elgg_load_css('elgg');
+ elgg_register_ajax_view('js/languages');
+
 elgg_register_plugin_hook_handler('output:before', 'layout', 'elgg_views_add_rss_link');
 // discover the built-in view types |
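Review bot: The new guard in `elgg_ajax_page_handler` hands whatever `elgg_get_config('allowed_ajax_views')` returns straight to `array_key_exists`; when nothing has been registered yet that value is presumably not an array (null or false — confirm against `elgg_get_config`), which emits a PHP warning and only denies because `!null` happens to be true. Make the fail-closed path explicit rather than accidental: `if (!is_array($allowed_views) || !array_key_exists($view, $allowed_views)) {`. A one-line comment on the check would also help the next reader understand why it is strict, e.g. `// $view is built from URL segments; only explicitly registered views may be rendered`. The bare 403 plus `exit` sends an empty body and skips the rest of the handler, which is fine for a deny path but worth noting. The function body continues outside the hunk.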
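Review bot: `elgg_register_ajax_view` stores any `$view` it is given, including `''` or `null`, and an empty key is exactly what `elgg_ajax_page_handler` computes via `implode('/', $page)` when the URL carries no view segment, so a careless plugin call would open that path; a guard such as `if (!is_string($view) || $view === '') { return; }` at the top keeps the whitelist to real view names. The two docblocks should also spell out the contract the matching code relies on: the name is compared for exact equality with the path after `ajax/view/`, unregistered views get a 403, and because the list lives in the in-memory `$CONFIG` object it must be registered on every request (for example in a plugin's init handler), not once. The 403 and exact-match behaviour are taken from the elgglib.php hunk rather than shown here.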