From 22f8de74875e5351fd7711f3b7b2b430c98f1c05 Mon Sep 17 00:00:00 2001 From: brettp Date: Tue, 7 Jun 2011 22:58:46 +0000 Subject: Refs #3510, #3418. Merged fix for forwarding after output to trunk. git-svn-id: http://code.elgg.org/elgg/trunk@9141 36083f99-b078-4883-b0ff-0f9b5a30f544 --- engine/lib/group.php | 5 +++-- engine/lib/sessions.php | 9 +++++++-- languages/en.php | 1 + 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/engine/lib/group.php b/engine/lib/group.php index d78274961..755482b00 100644 --- a/engine/lib/group.php +++ b/engine/lib/group.php @@ -276,8 +276,9 @@ function group_gatekeeper($forward = true) { if ($forward && $allowed == false) { register_error(elgg_echo('membershiprequired')); - forward($url, 'member'); - exit; + if (!forward($url, 'member')) { + throw new SecurityException(elgg_echo('SecurityException:UnexpectedOutputInGatekeeper')); + } } return $allowed; diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php index ae42956a9..407bb69c5 100644 --- a/engine/lib/sessions.php +++ b/engine/lib/sessions.php @@ -472,7 +472,10 @@ function gatekeeper() { if (!elgg_is_logged_in()) { $_SESSION['last_forward_from'] = current_page_url(); register_error(elgg_echo('loggedinrequired')); - forward('', 'login'); + + if (!forward('', 'login')) { + throw new SecurityException(elgg_echo('SecurityException:UnexpectedOutputInGatekeeper')); + } } } @@ -487,7 +490,9 @@ function admin_gatekeeper() { if (!elgg_is_admin_logged_in()) { $_SESSION['last_forward_from'] = current_page_url(); register_error(elgg_echo('adminrequired')); - forward('', 'admin'); + if (!forward('', 'admin')) { + throw new SecurityException(elgg_echo('SecurityException:UnexpectedOutputInGatekeeper')); + } } } diff --git a/languages/en.php b/languages/en.php index 83fb66dad..46ac19a34 100644 --- a/languages/en.php +++ b/languages/en.php @@ -170,6 +170,7 @@ $english = array( 'ConfigurationException:NoSiteID' => "No site ID has been specified.", 'SecurityException:APIAccessDenied' => "Sorry, API access has been disabled by the administrator.", 'SecurityException:NoAuthMethods' => "No authentication methods were found that could authenticate this API request.", + 'SecurityException:UnexpectedOutputInGatekeeper' => 'Unexpected output in gatekeeper call. Halting execution for security. Search http://docs.elgg.org/ for more information.', 'InvalidParameterException:APIMethodOrFunctionNotSet' => "Method or function not set in call in expose_method()", 'InvalidParameterException:APIParametersArrayStructure' => "Parameters array structure is incorrect for call to expose method '%s'", 'InvalidParameterException:UnrecognisedHttpMethod' => "Unrecognised http method %s for api method '%s'", -- cgit v1.2.3