From e546013dac118e981c85bdae0ed6fd62ee60f701 Mon Sep 17 00:00:00 2001
From: Rey5
Date: Sun, 7 May 2023 04:18:19 +0800
Subject: [PATCH] ajax.php ACE security patch

---
 public/ajax.php | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/public/ajax.php b/public/ajax.php
index c376fa62..271251e7 100644
--- a/public/ajax.php
+++ b/public/ajax.php
@@ -6,6 +6,29 @@
 loggedinorreturn();
 $action = $_POST['action'] ?? 'noAction';
 $params = $_POST['params'] ?? [];
+const ALLOWED_ACTION = [
+ 'toggleUserMedalStatus',
+ 'attendanceRetroactive',
+ 'getPtGen',
+ 'addClaim',
+ 'removeClaim',
+ 'removeUserLeechWarn',
+ 'getOffer',
+ 'approvalModal',
+ 'approval',
+ 'addSeedBoxRecord',
+ 'removeSeedBoxRecord',
+ 'removeHitAndRun',
+ 'consumeBenefit',
+ 'clearShoutBox',
+ 'buyMedal',
+ 'giftMedal',
+ 'saveUserMedal',
+];
+if(!in_array($action,ALLOWED_ACTION)){
+ do_log('hack attempt '.print_r($CURUSER,true),'error');
+ $action = 'noAction';
+}
 function noAction()
 {
 throw new \RuntimeException("no Action");
@@ -13,6 +36,7 @@ function noAction()
 try {
+ if(!isset($CURUSER))throw new \RuntimeException('Permission Denied');
 $result = call_user_func($action, $params);
 exit(json_encode(success($result)));
 } catch (\Throwable $exception) {
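Review bot: The rejection branch of the new allowlist check logs `print_r($CURUSER, true)` — the whole logged-in user record — while omitting the one value an investigator actually needs, the rejected `$action`; if that record carries credentials or tokens (not visible from here) they are written to the error log on every probe. Log the user's identifier plus the offending action instead, e.g. `do_log('rejected ajax action ' . var_export($action, true), 'error');` with the id appended from whichever field `$CURUSER` exposes. The `in_array` call should also pass `strict: true` so the gate compares with `===` rather than loose equality, `if (!in_array($action, ALLOWED_ACTION, true)) {`; against this list of non-numeric names it is not exploitable, but it is the form expected on a security check. The trailing context cuts into noAction(), whose body continues past the end of the hunk.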