1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 22:10:55 +01:00

Fix an issue where Phame could post to the wrong blog

When you `getInt()` an array, PHP decides the array has value `1`. This would
cause us to post to blog #1 incorrectly. I didn't catch this locally because
I happened to be posting to blog #1.

Stop us from interpreting array values as `1`, and fix blog interpretation.

This approach is a little messy (projects has the same issue) but I'll see
if I can clean it up in some future change.

Auditors: chad
This commit is contained in:
epriestley 2016-01-02 05:16:10 -08:00
parent edcc3232aa
commit 2328e739b7
2 changed files with 24 additions and 9 deletions

View file

@ -123,6 +123,11 @@ final class AphrontRequest extends Phobject {
*/ */
public function getInt($name, $default = null) { public function getInt($name, $default = null) {
if (isset($this->requestData[$name])) { if (isset($this->requestData[$name])) {
// Converting from array to int is "undefined". Don't rely on whatever
// PHP decides to do.
if (is_array($this->requestData[$name])) {
return $default;
}
return (int)$this->requestData[$name]; return (int)$this->requestData[$name];
} else { } else {
return $default; return $default;

View file

@ -32,18 +32,27 @@ final class PhamePostEditController extends PhamePostController {
} }
$blog_id = $post->getBlog()->getID(); $blog_id = $post->getBlog()->getID();
} else { } else {
$blog_id = $request->getInt('blog'); $blog_id = head($request->getArr('blog'));
if (!$blog_id) {
$blog_id = $request->getStr('blog');
}
} }
$blog = id(new PhameBlogQuery()) $query = id(new PhameBlogQuery())
->setViewer($viewer) ->setViewer($viewer)
->withIDs(array($blog_id))
->requireCapabilities( ->requireCapabilities(
array( array(
PhabricatorPolicyCapability::CAN_VIEW, PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT, PhabricatorPolicyCapability::CAN_EDIT,
)) ));
->executeOne();
if (ctype_digit($blog_id)) {
$query->withIDs(array($blog_id));
} else {
$query->withPHIDs(array($blog_id));
}
$blog = $query->executeOne();
if (!$blog) { if (!$blog) {
return new Aphront404Response(); return new Aphront404Response();
} }
@ -60,10 +69,11 @@ final class PhamePostEditController extends PhamePostController {
$crumbs = parent::buildApplicationCrumbs(); $crumbs = parent::buildApplicationCrumbs();
$blog = $this->getBlog(); $blog = $this->getBlog();
if ($blog) {
$crumbs->addTextCrumb( $crumbs->addTextCrumb(
$blog->getName(), $blog->getName(),
$blog->getViewURI()); $blog->getViewURI());
}
return $crumbs; return $crumbs;
} }