
#101 Max_nl (Sencha User, Join Date: Jun 2009)

    This backend (like probably all other Ext.Direct implementations) is vulnerable to Cross-Site Request Forgery attacks.
    If an attacker is able to trick a user who is currently logged into an Ext.JS web application into visiting the attacker's website, it allows the attacker to execute arbitrary Ext.Direct methods.

    E.g. the attacker's website could include code like this:

    HTML Code:
    <form id="attackform" method="post" action="http://your-server/your-extdirect-script.php">
    <input type="hidden" name="extTID" value="1">
    <input type="hidden" name="extType" value="rpc">
    <input type="hidden" name="extAction" value="classname">
    <input type="hidden" name="extMethod" value="somePrivilegedMethod">
    <input type="hidden" name="p1" value="someParameter">
    <input type="submit">
    </form>
    This causes somePrivilegedMethod(someParameter) to be executed.
    In a typical web application using PHP sessions, this will occur under the privileges of the authenticated user, as the browser will send the session cookie it has for your-server with the request.


    This patch attempts to prevent the problem by using the double submit cookie pattern.
    A unique cookie is set when the browser fetches the API with <script src="your-extdirect-script.php?javascript"></script>, and the backend expects the value of that cookie to be transmitted as a request variable with every request.

    PHP Code:
protected function call_action()
{
    $class = $this->action;
    // Accept only calls to classes defined at "api_classes" configuration
    if ( !in_array( $class, ExtDirect::$api_classes ) )
        throw new Exception( 'Call to undefined or not allowed class ' . $class, E_USER_ERROR );
    // Do not allow calls to magic methods; only allow calls to methods returned by "get_class_methods" function
    if ( ( substr( $this->method, 0, 2 ) == '__' ) || !in_array( $this->method, get_class_methods( $class ) ) )
        throw new Exception( 'Call to undefined or not allowed method ' . $class . '::' . $this->method, E_USER_ERROR );
    // Do not allow calls to methods that do not pass the declare_method_function (if configured)
    if ( !empty( self::$declare_method_function ) && !call_user_func( self::$declare_method_function, $class, $this->method ) )
        throw new Exception( 'Call to undefined or not allowed method ' . $class . '::' . $this->method, E_USER_ERROR );
    // Verify double submit cookie to prevent CSRF attacks
    $token = '';
    if ( isset( $_GET['extToken'] ) )
        $token = $_GET['extToken'];
    else if ( isset( $_POST['extToken'] ) )
        $token = $_POST['extToken'];
    if ( empty( $_COOKIE['extToken'] ) || $_COOKIE['extToken'] != $token )
        throw new Exception( 'Double submit cookie value incorrect', E_USER_ERROR );
    $ref_method = new ReflectionMethod( $class, $this->method );
    // ... (rest of the method as in the original file)
}

static public function get_api_javascript()
{
    $template = <<<JAVASCRIPT
if ( Ext.syncRequire )
    Ext.syncRequire( '' );
Ext.namespace( '[%namespace%]' );
[%descriptor%] = [%actions%];
Ext.Direct.addProvider( [%descriptor%] );
Ext.Ajax.extraParams = { extToken: Ext.util.Cookies.get('extToken') };
JAVASCRIPT;
    /* Set double submit cookie for CSRF protection */
    if ( empty( $_COOKIE['extToken'] ) )
    {
        if ( function_exists( 'openssl_random_pseudo_bytes' ) )
            $rand = bin2hex( openssl_random_pseudo_bytes( 16 ) );
        else
            $rand = uniqid();
        setcookie( 'extToken', $rand );
    }
    $elements = array(
        '[%actions%]'    => self::get_api_json(),
        '[%namespace%]'  => ExtDirect::$namespace,
        '[%descriptor%]' => ExtDirect::$descriptor
    );
    return strtr( $template, $elements );
}
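A hardened variant of the same double submit check, added here as an example and not part of the patch above or of the backend's own code: the function names are hypothetical, the cookie and parameter name extToken match the patch, and it assumes PHP 7.3 or later for random_bytes() and the setcookie() options array.

```php
<?php
// Added example (not from the original patch). Function names are hypothetical.

function ext_issue_token(): string
{
    // Reuse an existing cookie so that several API loads agree on one value
    if (!empty($_COOKIE['extToken']) && is_string($_COOKIE['extToken'])) {
        return $_COOKIE['extToken'];
    }
    // random_bytes() is CSPRNG-backed; uniqid() is time-based and predictable
    $token = bin2hex(random_bytes(16));
    // SameSite=Lax keeps the cookie off cross-site form POSTs. The cookie must
    // stay readable by Ext.util.Cookies.get(), so it cannot be HttpOnly.
    setcookie('extToken', $token, [
        'path'     => '/',
        'secure'   => true,
        'httponly' => false,
        'samesite' => 'Lax',
    ]);
    $_COOKIE['extToken'] = $token;
    return $token;
}

// Returns true only when the request carries a token equal to the cookie value.
function ext_verify_token(array $cookie, array $get, array $post): bool
{
    $expected  = $cookie['extToken'] ?? '';
    $submitted = $post['extToken'] ?? $get['extToken'] ?? '';
    // Reject a missing cookie, a missing token, and array-valued parameters
    // (extToken[]=x), which would otherwise raise a TypeError in hash_equals()
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }
    // Constant-time, strict string comparison instead of the loose != operator
    return hash_equals($expected, $submitted);
}

// Constructed requests: a forged cross-site form post arrives with the cookie
// but without the token; a legitimate Ext.Ajax request carries both.
$tok    = bin2hex(random_bytes(16));
$forged = ext_verify_token(['extToken' => $tok], [], ['extTID' => '1', 'extAction' => 'classname']);
$legit  = ext_verify_token(['extToken' => $tok], [], ['extTID' => '1', 'extToken' => $tok]);
var_dump($forged, $legit);
```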

#102 salarmehr (Sencha User, Join Date: Mar 2010)

    GitHub is a good home

    Dear J. Bruni,
    I would like to express my appreciation for your wonderful Ext Direct implementation.
    I suggest putting the code on GitHub, so we can contribute, report issues, add documentation and examples, and start the project.