fix: issue #533 not requiring login to select url and potential secur…

…ity problem
daylightstudio · Jul 31, 2019 · 48b546f · 48b546f
1 parent 897fdf3
commit 48b546f
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/fuel/modules/fuel/controllers/Pages.php b/fuel/modules/fuel/controllers/Pages.php
@@ -10,7 +10,8 @@ public function __construct()
 		parent::__construct(FALSE);
 
 		// allow the select URL page to show up regardless of permissions
-		$validate = (fuel_uri_segment(2) == 'select') ? FALSE : TRUE;
+		//$validate = (fuel_uri_segment(2) == 'select') ? FALSE : TRUE;
+		$validate = TRUE;
 		if ($validate)
 		{
 			$load_vars['user'] = $this->fuel->auth->user_data();
@@ -894,7 +895,7 @@ public function select()
 		$this->load->library('session');
 
 		$value = $this->input->get_post('selected', TRUE);
-		$filter = rawurldecode($this->input->get_post('filter', TRUE));
+		$filter = str_replace(array('(', ')', '$', '{', '}', '.', '[', ']', "'", '+', '='), '', rawurldecode($this->input->get_post('filter', TRUE)));
 
 		// Convert wild-cards to RegEx
 		$filter = str_replace(':any', '.+', str_replace(':num', '[0-9]+', $filter));

diff --git a/fuel/modules/fuel/libraries/Fuel_pages.php b/fuel/modules/fuel/libraries/Fuel_pages.php
@@ -188,7 +188,7 @@ public function views($subfolder = '')
 			$subfolder = trim($subfolder, '/').'/';
 		}
 		$views_path = APPPATH.'views/'.$subfolder;
-		$view_pages = directory_to_array($views_path, TRUE, '/^_(.*)|\.html$/', FALSE, TRUE);
+		$view_pages = directory_to_array($views_path, TRUE, '/^_(.*)|^errors|\.html$/', FALSE, TRUE);
 		sort($view_pages);
 		return $view_pages;
 	}