| Revision | 5b6fcbbde6bc1392c84053e573786a33fccf06ec (tree) |
|---|---|
| Time | 2017-02-16 02:45:10 |
| Author |  umorigu <umorigu@gmai...> |
| Commiter | umorigu |
BugTrack/694 Stop reading page that is not readable as template
plugin/template.inc.php (diff)| @@ -2,7 +2,7 @@ | ||
| 2 | 2 | // PukiWiki - Yet another WikiWikiWeb clone. |
| 3 | 3 | // template.inc.php |
| 4 | 4 | // Copyright |
| 5 | -// 2002-2016 PukiWiki Development Team | |
| 5 | +// 2002-2017 PukiWiki Development Team | |
| 6 | 6 | // 2001-2002 Originally written by yu-ji |
| 7 | 7 | // License: GPL v2 or (at your option) any later version |
| 8 | 8 | // |
| @@ -22,8 +22,10 @@ function plugin_template_action() | ||
| 22 | 22 | if (! isset($vars['refer']) || ! is_page($vars['refer'])) |
| 23 | 23 | return FALSE; |
| 24 | 24 | |
| 25 | - $lines = get_source($vars['refer']); | |
| 26 | - | |
| 25 | + $refer = $vars['refer']; | |
| 26 | + // Ensure page is readable, or show Login UI and exit | |
| 27 | + ensure_page_readable($refer); | |
| 28 | + $lines = get_source($refer); | |
| 27 | 29 | // Remove '#freeze' |
| 28 | 30 | if (! empty($lines) && strtolower(rtrim($lines[0])) == '#freeze') |
| 29 | 31 | array_shift($lines); |
| @@ -43,6 +45,8 @@ function plugin_template_action() | ||
| 43 | 45 | |
| 44 | 46 | // edit |
| 45 | 47 | if ($is_pagename = is_pagename($page) && (! $is_page || ! empty($vars['force']))) { |
| 48 | + // Ensure page is readable, or show Login UI and exit | |
| 49 | + ensure_page_writable($page); | |
| 46 | 50 | $postdata = join('', array_splice($lines, $begin, $end - $begin + 1)); |
| 47 | 51 | $retvar['msg'] = $_title_edit; |
| 48 | 52 | $retvar['body'] = edit_form($vars['page'], $postdata); |
Fork