fix: Add request validation to prevent untrusted access in category and plugin scripts

Daniel Neto · Daniel Neto · commit ee5615153c40 · 2026-04-13T10:27:52.000-03:00
GHSA-ffw8-fwxp-h64w
diff --git a/objects/categoryAddNew.json.php b/objects/categoryAddNew.json.php
@@ -19,6 +19,7 @@
     $obj->msg = __("Permission denied");
     die(json_encode($obj));
 }
+forbidIfIsUntrustedRequest('categoryAddNew');
 
 $objCat = new Category(intval(@$_POST['id']));
 $objCat->setName($_POST['name']);
diff --git a/objects/categoryDelete.json.php b/objects/categoryDelete.json.php
@@ -10,6 +10,7 @@
 if (!Category::canCreateCategory()) {
     die('{"error":"' . __("Permission denied") . '"}');
 }
+forbidIfIsUntrustedRequest('categoryDelete');
 require_once 'category.php';
 $obj = new Category($_POST['id']);
 
diff --git a/objects/configurationClearCache.json.php b/objects/configurationClearCache.json.php
@@ -11,6 +11,7 @@
 $obj->clearCache = false;
 $obj->deleteALLCache = false;
 $obj->deleteAllSessionCache = false;
+forbidIfIsUntrustedRequest('configurationClearCache');
 $_SESSION['user']['sessionCache']['getAllCategoriesClearCache'] = 1;
 
 if (!Permissions::canClearCache() || !empty($_REQUEST['sessionOnly'])) {
diff --git a/objects/configurationGenerateSiteMap.json.php b/objects/configurationGenerateSiteMap.json.php
@@ -16,6 +16,7 @@
     $obj->msg = __("Permission denied");
     die(json_encode($obj));
 }
+forbidIfIsUntrustedRequest('configurationGenerateSiteMap');
 $sitemap = siteMap();
 
 if (empty($sitemap)) {
diff --git a/objects/notifySubscribers.json.php b/objects/notifySubscribers.json.php
@@ -10,6 +10,7 @@
 if (!User::canUpload()) {
     forbiddenPage('You can not notify');
 }
+forbidIfIsUntrustedRequest('notifySubscribers');
 $user_id = User::getId();
 // if admin bring all subscribers
 if (User::isAdmin()) {
diff --git a/objects/pluginAddDataObject.json.php b/objects/pluginAddDataObject.json.php
@@ -9,6 +9,7 @@
 if (!User::isAdmin()) {
     die('{"error":"'.__("Permission denied").'"}');
 }
+forbidIfIsUntrustedRequest('pluginAddDataObject');
 if (empty($_POST['id'])) {
     die('{"error":"'.__("ID can't be blank").'"}');
 }
diff --git a/objects/pluginRunUpdateScript.json.php b/objects/pluginRunUpdateScript.json.php
@@ -9,6 +9,7 @@
 if (!User::isAdmin()) {
     forbiddenPage('Permission denied');
 }
+forbidIfIsUntrustedRequest('pluginRunUpdateScript');
 if (empty($_POST['name'])) {
     forbiddenPage('Name can\'t be blank');
 }
diff --git a/objects/userDelete.json.php b/objects/userDelete.json.php
@@ -9,5 +9,6 @@
 if (!User::isAdmin() || empty($_POST['id'])) {
     die('{"error":"'.__("Permission denied").'"}');
 }
+forbidIfIsUntrustedRequest('userDelete');
 $item = new UserGroups($_POST['id']);
 echo '{"status":"'.$item->delete().'"}';
diff --git a/objects/userGroupsAddNew.json.php b/objects/userGroupsAddNew.json.php
@@ -8,6 +8,7 @@
 if (!Permissions::canAdminUserGroups()) {
     die('{"error":"' . __("Permission denied") . '"}');
 }
+forbidIfIsUntrustedRequest('userGroupsAddNew');
 
 require_once 'userGroups.php';
 $obj = new UserGroups(@$_POST['id']);
diff --git a/objects/userGroupsDelete.json.php b/objects/userGroupsDelete.json.php
@@ -8,6 +8,7 @@
 if (!User::isAdmin() || empty($_POST['id'])) {
     die('{"error":"'.__("Permission denied").'"}');
 }
+forbidIfIsUntrustedRequest('userGroupsDelete');
 require_once 'userGroups.php';
 $obj = new UserGroups($_POST['id']);
 echo '{"status":"'.$obj->delete().'"}';
diff --git a/objects/videoDelete.json.php b/objects/videoDelete.json.php
@@ -8,6 +8,7 @@
 if (empty($_POST['id'])) {
     forbiddenPage("Id is empty");
 }
+forbidIfIsUntrustedRequest('videoDelete');
 require_once 'video.php';
 if (!is_array($_POST['id'])) {
     $_POST['id'] = [$_POST['id']];
diff --git a/objects/videoRefresh.json.php b/objects/videoRefresh.json.php
@@ -11,7 +11,7 @@
 if (!Permissions::canModerateVideos() || empty($_POST['id'])) {
     die('{"error":"'.__("Permission denied").'"}');
 }
-
+forbidIfIsUntrustedRequest('videoRefresh');
 require_once 'video.php';
 $obj = new Video("", "", $_POST['id']);
 if (empty($obj)) {
diff --git a/objects/videoRotate.json.php b/objects/videoRotate.json.php
@@ -9,7 +9,7 @@
 if (!User::canUpload() || empty($_POST['id'])) {
     die('{"error":"'.__("Permission denied").'"}');
 }
-
+forbidIfIsUntrustedRequest('videoRotate');
 $type = !empty($_POST['type']) ? $_POST['type'] : "";
 
 require_once 'video.php';
diff --git a/objects/videoStatus.json.php b/objects/videoStatus.json.php
@@ -9,6 +9,7 @@
 if (!User::canUpload() || empty($_POST['id'])) {
     die('{"error":"' . __("Permission denied") . '"}');
 }
+forbidIfIsUntrustedRequest('videoStatus');
 if (!is_array($_POST['id'])) {
     $_POST['id'] = [$_POST['id']];
 }
diff --git a/objects/videoSwap.json.php b/objects/videoSwap.json.php
@@ -18,7 +18,7 @@
     $obj->msg = __("Permission denied");
     die(json_encode($obj));
 }
-
+forbidIfIsUntrustedRequest('videoSwap');
 if (empty($_POST['videos_id_1']) || empty($_POST['videos_id_2'])) {
     $obj->msg = __("Mou MUST select 2 videos to swap");
     die(json_encode($obj));

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@`
`19`	`19`	`$obj->msg = __("Permission denied");`
`20`	`20`	`die(json_encode($obj));`
`21`	`21`	`}`
	`22`	`+forbidIfIsUntrustedRequest('categoryAddNew');`
`22`	`23`
`23`	`24`	`$objCat = new Category(intval(@$_POST['id']));`
`24`	`25`	`$objCat->setName($_POST['name']);`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@`
`10`	`10`	`if (!Category::canCreateCategory()) {`
`11`	`11`	`die('{"error":"' . __("Permission denied") . '"}');`
`12`	`12`	`}`
	`13`	`+forbidIfIsUntrustedRequest('categoryDelete');`
`13`	`14`	`require_once 'category.php';`
`14`	`15`	`$obj = new Category($_POST['id']);`
`15`	`16`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@`
`16`	`16`	`$obj->msg = __("Permission denied");`
`17`	`17`	`die(json_encode($obj));`
`18`	`18`	`}`
	`19`	`+forbidIfIsUntrustedRequest('configurationGenerateSiteMap');`
`19`	`20`	`$sitemap = siteMap();`
`20`	`21`
`21`	`22`	`if (empty($sitemap)) {`
Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@`
`9`	`9`	`if (!User::isAdmin()) {`
`10`	`10`	`die('{"error":"'.__("Permission denied").'"}');`
`11`	`11`	`}`
	`12`	`+forbidIfIsUntrustedRequest('pluginAddDataObject');`
`12`	`13`	`if (empty($_POST['id'])) {`
`13`	`14`	`die('{"error":"'.__("ID can't be blank").'"}');`
`14`	`15`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,6 @@`
`9`	`9`	`if (!User::isAdmin() \|\| empty($_POST['id'])) {`
`10`	`10`	`die('{"error":"'.__("Permission denied").'"}');`
`11`	`11`	`}`
	`12`	`+forbidIfIsUntrustedRequest('userDelete');`
`12`	`13`	`$item = new UserGroups($_POST['id']);`
`13`	`14`	`echo '{"status":"'.$item->delete().'"}';`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@`
`8`	`8`	`if (!Permissions::canAdminUserGroups()) {`
`9`	`9`	`die('{"error":"' . __("Permission denied") . '"}');`
`10`	`10`	`}`
	`11`	`+forbidIfIsUntrustedRequest('userGroupsAddNew');`
`11`	`12`
`12`	`13`	`require_once 'userGroups.php';`
`13`	`14`	`$obj = new UserGroups(@$_POST['id']);`