Merge pull request EC-CUBE#6297 from dotani1111/dev/fix_plugin_installer

fix: check transaction file
dotani1111 · Oct 28, 2024 · 8d0e203 · 8d0e203
2 parents 6372cd0 + de288c4
commit 8d0e203
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/src/Eccube/Controller/InstallPluginController.php b/src/Eccube/Controller/InstallPluginController.php
@@ -146,9 +146,18 @@ public function pluginEnable(Request $request, SystemService $systemService, Plu
      *
      * @return RedirectResponse
      */
-    public function redirectAdmin()
+    public function redirectAdmin(Request $request)
     {
+        if (!$request->isXmlHttpRequest()) {
+            throw new BadRequestHttpException();
+        }
+
         $this->cacheUtil->clearCache();
+        // トランザクションチェックファイルの有効期限を確認する
+        $token = $request->headers->get('ECCUBE-CSRF-TOKEN');
+        if (!$this->isValidTransaction($token)) {
+            throw new NotFoundHttpException();
+        }
 
         // トランザクションファイルを削除する
         $projectDir = $this->getParameter('kernel.project_dir');