01-07-2015 05:23 PM
|
|
Premium Member
|
|
Item Shop Validation
Items not in shop can be hacked into the shop and bought.
This probably effects at least the entire v1.3.x line if not even earlier.
By simply right-clicking and inspecting the quantity field element on the shop page, a user can change the item name field client side and buy items that don't belong to that shop - or any shop, for that matter - so long as they know it's name. Therefore, validation is necessary to confirm that the item does belong in the shop.
In classes/class_itemshop.php, down in public function purchase(), you'll want to fix this.
After $mysidia = Registry::get("mysidia"); you'll want to wrap the rest of the contents in:
PHP Code:
if ($item->shop != $this->shopname) Throw new NoPermissionException('Did you really think this item could be bought at this shop?'); else {
And close the else right before return $status;.
|
|
Issue Details
|
Category Unknown
Status Unconfirmed
Priority 4
Affected Version Mys v1.3.4
Fixed Version Mys v1.3.5
Users able to reproduce bug
1
Users unable to reproduce bug
0
Assigned Users
(none)
Tags
(none)
|
|
04-16-2015 03:26 PM
|
|
Explorer of Imaginea
|
|
|
I did so...and got a Parse error: syntax error, unexpected T_IF, expecting T_FUNCTION in /home2/luteus/public_html/imaginea.net/caveofcrystals/classes/class_itemshop.php on line 218, which I know has something to do with the patch, because when I remove it the message goes away. Any idea why this fix is causing this error?
|
04-20-2015 04:28 AM
|
|
Premium Member
|
|
|
I'm having absolutely zero problems with this fix on a fresh install. Are you positive that you closed the else statement as instructed in the post? Just in case, this is exactly what your purchase function should look like:
PHP Code:
public function purchase(Item $item){
$mysidia = Registry::get("mysidia");
if ($item->shop != $this->shopname) Throw new NoPermissionException('Did you really think this item could be bought at this shop?');
else {
if($item->owner != $mysidia->user->username) Throw new NoPermissionException('Something is very very wrong, please contact an admin asap.');
else{
$item->quantity = $mysidia->input->post("quantity");
$cost = $item->getcost($this->salestax, $item->quantity);
$moneyleft = $mysidia->user->money - $cost;
if($moneyleft >= 0 and $item->quantity > 0){
$purchase = $item->append($item->quantity, $item->owner);
$mysidia->db->update("users", array("money" => $moneyleft), "username = '{$item->owner}'");
$status = TRUE;
}
else throw new InvalidActionException($mysidia->lang->money);
}
}
return $status;
}
PS: Yes, if you failed to close the else statement, then, yeah, you'd get exactly the error you described. I just tested it by only following the first step of my instructions but not the last part.
|
04-20-2015 09:21 AM
|
|
Explorer of Imaginea
|
|
|
Aha, it worked! I put the if/else statement in the wrong place. Thank you!
|
12-01-2020 01:23 PM
|
|
Administrator, Lead Coder
|
|
|
The issue is fixed in the next release.
|
All times are GMT -5. The time now is 07:29 AM.
Currently Active Users: 754 (0 members and 754 guests)
Threads: 4,081, Posts: 32,029, Members: 2,016
Welcome to our newest members,
jolob.