Open Real Estate 1.30.2 - Improvements for system security

The new version of Open Real Estate CMS has been released.

What's new:

Improvements for system security

1) Open the file protected/modules/apartments/controllers/backend/MainController.php. In the method actionUpdate, instead of:

HApartment::saveOther($this->_model);

insert:

if ($this->_model->validate()) {
    HApartment::saveOther($this->_model);
}

Open the file protected/modules/userads/controllers/MainController.php. In the method actionUpdate, instead of:

HApartment::saveOther($model);

insert:

if ($model->validate()) {
    HApartment::saveOther($model);
}

2) Open the file protected/helpers/HSite.php. In the method allowUploadAndResizeImage, after the line:

if ($imagePath && file_exists($imagePath)) {

insert:

    $allowedExtensions = param('allowedImgExtensions', array('jpg', 'jpeg', 'gif', 'png'));
    $allowMimeTypes = param('allowedImgMimeTypes', array('image/gif', 'image/jpeg', 'image/png'));
    $pathInfo = pathinfo($imagePath);
    if (!in_array(strtolower($pathInfo['extension']), $allowedExtensions)) {
        return $return;
    }
    $fileInfo = (function_exists('finfo_open')) ? finfo_open(FILEINFO_MIME_TYPE) : null;
    if ($fileInfo && !in_array(finfo_file($fileInfo, $imagePath), $allowMimeTypes)) {
        return $return;
    }

3) If you use Apache, place a .htaccess file with the following contents in the uploads directory:

RemoveHandler .cgi .pl .py .pyc .pyo .phtml .php .php3 .php4 .php5 .php6 .pcgi .pcgi3 .pcgi4 .pcgi5 .pchi6 .inc
RemoveType .cgi .pl .py .pyc .pyo .phtml .php .php3 .php4 .php5 .php6 .pcgi .pcgi3 .pcgi4 .pcgi5 .pchi6 .inc
Sethandler none
Sethandler default-handler

If you use nginx, add the following lines to the config file:

location ~ ^/uploads/.*\.(php|pl|py|pyc|pyo|cgi|phtml|inc|pcgi)$ {
    deny all;
}

Note: don't forget to run the command:

service nginx reload
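
The extension and MIME-type checks from step 2, as a stand-alone script (an added example, not Open Real Estate's own code): it runs both checks over constructed files to show which check stops which mismatch. The function name isAllowedImage, the sample file names and the rejection of files when fileinfo is missing are assumptions of this example.

```php
<?php
// Added example. isAllowedImage() and the sample files are hypothetical,
// not part of Open Real Estate.
function isAllowedImage(string $imagePath): array
{
    $allowedExtensions = array('jpg', 'jpeg', 'gif', 'png');
    $allowedMimeTypes = array('image/gif', 'image/jpeg', 'image/png');

    // Check 1: extension from the file name, which the uploader controls.
    $extension = strtolower((string) pathinfo($imagePath, PATHINFO_EXTENSION));
    if (!in_array($extension, $allowedExtensions, true)) {
        return array(false, "extension '$extension' not allowed");
    }
    // Check 2: MIME type sniffed from the content. Assumption: unlike the
    // snippet in step 2, this version rejects the file when fileinfo is missing.
    if (!function_exists('finfo_open')) {
        return array(false, 'fileinfo extension not available');
    }
    $mimeType = finfo_file(finfo_open(FILEINFO_MIME_TYPE), $imagePath);
    if (!in_array($mimeType, $allowedMimeTypes, true)) {
        return array(false, "content type '$mimeType' not allowed");
    }
    return array(true, "ok ($mimeType)");
}

// Constructed inputs: a PNG signature plus IHDR chunk header (enough for
// content sniffing, not a complete image) and a short PHP script.
$png = "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";
$php = "<?php echo 'hello'; ?>\n";
$samples = array(
    'photo.png'  => $png, // image name, image content
    'photo.PNG'  => $png, // extension check is case-insensitive
    'script.php' => $php, // stopped by the extension check
    'script.png' => $php, // image name, script content: stopped by the MIME check
    'image.php'  => $png, // image content, script name: stopped by the extension check
    'noext'      => $png, // no extension at all
);

$dir = sys_get_temp_dir() . '/upload-check-' . uniqid();
mkdir($dir);
foreach ($samples as $name => $bytes) {
    $path = $dir . '/' . $name;
    file_put_contents($path, $bytes);
    list($ok, $reason) = isAllowedImage($path);
    printf("%-11s %-6s %s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $reason);
    unlink($path);
}
rmdir($dir);
```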

If you find a bug, please report it.
