Harden admin security controls
+9
-11
@@ -1,7 +1,7 @@
<?php
require_once 'config.php';
require_once __DIR__ . '/error_config.php';
session_start();
start_secure_session();
set_json_headers();
$method = $_SERVER['REQUEST_METHOD'];
@@ -11,14 +11,11 @@ $method = $_SERVER['REQUEST_METHOD'];
// =====================================================
function normalize_images($input) {
if (isset($input['images']) && is_array($input['images'])) {
$images = array_values(array_filter(
array_map('trim', $input['images']),
fn($v) => $v !== ''
));
return $images;
return clean_public_urls($input['images']);
}
if (isset($input['image']) && trim($input['image']) !== '') {
return [trim($input['image'])];
$image = clean_public_url($input['image']);
return $image === '' ? [] : [$image];
}
return [];
}
@@ -80,6 +77,7 @@ if ($method === 'GET') {
}
require_auth();
require_csrf();
// =====================================================
// POST: 새 프로젝트 추가
@@ -113,11 +111,11 @@ if ($method === 'POST') {
'icon' => trim($input['icon'] ?? 'fa-solid fa-code'),
'images' => $images,
'image' => $images[0] ?? '',
'link' => trim($input['link'] ?? ''),
'link' => clean_public_url($input['link'] ?? ''),
'stack' => $stack,
'period_start' => trim($input['period_start'] ?? ''),
'period_end' => trim($input['period_end'] ?? ''),
'video_url' => trim($input['video_url'] ?? ''),
'video_url' => clean_public_url($input['video_url'] ?? ''),
'created_at' => date('Y-m-d')
];
@@ -150,7 +148,7 @@ if ($method === 'PUT') {
$projects[$key]['label'] = trim($input['label'] ?? $project['label']);
$projects[$key]['description'] = trim($input['description'] ?? $project['description']);
$projects[$key]['icon'] = trim($input['icon'] ?? $project['icon']);
$projects[$key]['link'] = trim($input['link'] ?? $project['link']);
$projects[$key]['link'] = clean_public_url($input['link'] ?? $project['link']);
if (isset($input['images']) || isset($input['image'])) {
$images = normalize_images($input);
@@ -169,7 +167,7 @@ if ($method === 'PUT') {
$projects[$key]['period_end'] = trim($input['period_end']);
}
if (isset($input['video_url'])) {
$projects[$key]['video_url'] = trim($input['video_url']);
$projects[$key]['video_url'] = clean_public_url($input['video_url']);
}
// 기존 demo_url 필드 제거
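Review bot: In normalize_images a rejected URL is indistinguishable from an absent one — `return $image === '' ? [] : [$image];` treats whatever clean_public_url returns for a refused value (presumably '', since that is the only case the branch handles) the same as no image, so an admin who submits a non-public URL gets a success response with the image silently dropped instead of a validation error; the `link` and `video_url` assignments in the POST hunk and both PUT hunks have the same shape. If clean_public_url's contract is to return '' on rejection, consider having it return null or throw and mapping that to a 400 at these call sites, so the caller learns the value was refused rather than discovering an empty field later. In the first PUT hunk, `clean_public_url($input['link'] ?? $project['link'])` also re-runs the stored value through the new filter when no link was supplied, so a previously saved link the filter now rejects would be blanked by an unrelated update; `isset($input['link']) ? clean_public_url($input['link']) : $project['link']` leaves the existing value untouched, matching how the `video_url` branch only sanitizes when the key is present. The POST and PUT blocks, and clean_public_url/clean_public_urls themselves, start and end outside these hunks.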