lkddi/nexusphp
1
0
Fork 0
mirror of https://github.com/lkddi/nexusphp.git synced 2026-04-26 13:27:22 +08:00
Code Issues Packages Projects Releases Wiki Activity

ajax.php ACE security patch

Browse Source
This commit is contained in:
Rey5
2023-05-07 04:18:19 +08:00
parent a75abb91dc
commit e546013dac
1 changed files with 24 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
public/ajax.php
+24
View File
@@ -6,6 +6,29 @@ loggedinorreturn();
$action = $_POST['action'] ?? 'noAction'; $action = $_POST['action'] ?? 'noAction';
$params = $_POST['params'] ?? []; $params = $_POST['params'] ?? [];
const ALLOWED_ACTION = [
'toggleUserMedalStatus',
'attendanceRetroactive',
'getPtGen',
'addClaim',
'removeClaim',
'removeUserLeechWarn',
'getOffer',
'approvalModal',
'approval',
'addSeedBoxRecord',
'removeSeedBoxRecord',
'removeHitAndRun',
'consumeBenefit',
'clearShoutBox',
'buyMedal',
'giftMedal',
'saveUserMedal',
];
if(!in_array($action,ALLOWED_ACTION)){
do_log('hack attempt '.print_r($CURUSER,true),'error');
$action = 'noAction';
}
function noAction() function noAction()
{ {
throw new \RuntimeException("no Action"); throw new \RuntimeException("no Action");
@@ -13,6 +36,7 @@ function noAction()
try { try {
if(!isset($CURUSER))throw new \RuntimeException('Permission Denied');
$result = call_user_func($action, $params); $result = call_user_func($action, $params);
exit(json_encode(success($result))); exit(json_encode(success($result)));
} catch (\Throwable $exception) { } catch (\Throwable $exception) {