PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 19:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

encapsulate raw PDO queries leaking from callers into Database.php methods

Browse Source 
- Add getThesisAccessTypeId(int $id): ?int — replaces raw SELECT in tfe.php
- Add getCoverPathsForTheses(array $ids): array — replaces raw SELECT/IN query in index.php
- Add getFileVisibility(string $path): ?int — replaces raw join query in media.php
- Add getThesisBannerPath(int $id): ?string — replaces unparameterised SQL injection in
  edit.php (SELECT banner_path FROM theses WHERE id = $thesisId was interpolating $thesisId
  directly into the query string; now parameterised via prepared statement)
- Add getThesisRawFields(int $id): ?array — replaces raw SELECT license_id/access_type_id/
  context_note in edit.php
- Add getThesisCount(): int — replaces raw SELECT COUNT(*) in system.php

Callers updated: public/tfe.php, public/index.php, public/media.php,
public/admin/edit.php, public/admin/system.php
This commit is contained in:
Pontoporeia
2026-03-28 13:32:34 +01:00
parent 20e5f71634
commit 1181cfa88b
7 changed files with 115 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
public/media.php
View File

@@ -52,26 +52,14 @@ if (!is_file($realFull)) {
if (preg_match('#^theses/#', $requestedPath)) {
require_once __DIR__ . '/../src/Database.php';
try {
$mediaDb = Database::getInstance();
$mediaPdo = $mediaDb->getConnection();
// Find the thesis that owns this file path
$visStmt = $mediaPdo->prepare("
SELECT t.access_type_id FROM theses t
JOIN thesis_files tf ON tf.thesis_id = t.id
WHERE tf.file_path = ?
LIMIT 1
");
$visStmt->execute([$requestedPath]);
$visRow = $visStmt->fetch();
if ($visRow) {
$accessTypeId = (int)($visRow['access_type_id'] ?? 1);
$mediaDb = Database::getInstance();
$accessTypeId = $mediaDb->getFileVisibility($requestedPath);
if ($accessTypeId !== null && $accessTypeId === 3) {
// 3 = Interdit — block entirely
if ($accessTypeId === 3) {
http_response_code(403);
exit;
}
// 2 = Interne — allow (no session auth requirement for now; could add later)
http_response_code(403);
exit;
}
// 2 = Interne — allow (no session auth requirement for now; could add later)
} catch (\Throwable $e) {
// On DB error, fail open (don't block legitimate requests)
error_log("media.php visibility check error: " . $e->getMessage());