AssetBuilder - Validate checksum for requested parameters
authorTim Otten <totten@civicrm.org>
Wed, 29 Jun 2022 05:06:05 +0000 (22:06 -0700)
committerSeamus Lee <seamuslee001@gmail.com>
Thu, 5 Jan 2023 00:42:50 +0000 (11:42 +1100)
Civi/Core/AssetBuilder.php

index 3d1a4d9a9c2bc0ffe05aae03214e2f1983f4a783..e723525ff12efd0f18ba63621efb2d67109deefe 100644 (file)
@@ -369,7 +369,18 @@ class AssetBuilder extends \Civi\Core\Service\AutoService {
   public static function pageRender($get) {
     // Beg your pardon, sir. Please may I have an HTTP response class instead?
     try {
+      /** @var Assetbuilder $assets */
       $assets = \Civi::service('asset_builder');
+
+      $expectDigest = $assets->digest($get['an'], $assets->decode($get['ap']));
+      if ($expectDigest !== $get['ad']) {
+        return [
+          'statusCode' => 500,
+          'mimeType' => 'text/plain',
+          'content' => 'Invalid digest',
+        ];
+      }
+
       return $assets->render($get['an'], $assets->decode($get['ap']));
     }
     catch (UnknownAssetException $e) {
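Review bot: The digest check on the `$expectDigest !== $get['ad']` line is a secret comparison done with a plain string inequality, which leaks timing information and also emits a PHP warning when the `ad` key is absent or is not a string; it should be `if (!is_string($get['ad'] ?? null) || !hash_equals($expectDigest, $get['ad'])) {` so that a missing, malformed or wrong digest is rejected in constant time. Since the digest covers the decoded params, `$assets->decode($get['ap'])` necessarily runs on the untrusted value before the check, so it is worth confirming that `decode()` (defined outside this hunk) cannot throw or do anything consequential on malformed input other than produce a value whose digest will not match. A client-supplied bad digest is a request error rather than a server fault, so a 400 or 403 `statusCode` would be more accurate than 500, though this is a judgement call. Minor: the added docblock reads `@var Assetbuilder` while the class is `AssetBuilder`; the case mismatch will confuse static analysis. The `catch` chain and the rest of pageRender continue past the end of the hunk.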