[geeklog-cvs] Geeklog-1.x/system lib-admin.php, 1.128, 1.129 lib-security.php, 1.64, 1.65
Michael Jervis
mjervis at qs1489.pair.com
Fri Feb 29 03:22:55 EST 2008
Update of /cvsroot/geeklog/Geeklog-1.x/system
In directory qs1489.pair.com:/tmp/cvs-serv4301/system
Modified Files:
lib-admin.php lib-security.php
Log Message:
Security change refinement + implementation for other issues.
Index: lib-security.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/system/lib-security.php,v
retrieving revision 1.64
retrieving revision 1.65
diff -C2 -d -r1.64 -r1.65
*** lib-security.php 22 Feb 2008 08:22:42 -0000 1.64
--- lib-security.php 29 Feb 2008 08:22:53 -0000 1.65
***************
*** 74,77 ****
--- 74,82 ----
define('USER_ACCOUNT_ACTIVE', 3); // active account
+ /* Constant for Security Token */
+ if (!defined('CSRF_TOKEN')) {
+ define('CSRF_TOKEN', '_glsectoken');
+ }
+
/**
* Returns the groups a user belongs to
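Review bot: The comment on the new define does not say what the constant holds: `CSRF_TOKEN` is the name of the GET/POST parameter that carries the token, not the token value, as the lookups in the lib-security.php hunk below and the URLs in lib-admin.php in this same commit show. Suggest replacing `/* Constant for Security Token */` with `/* Name of the GET/POST parameter that carries the CSRF security token (not the token value); the !defined guard lets an earlier include override the parameter name */`. Because of that guard, a file loaded before lib-security.php can define a different name and the token check and the admin URL builders will silently follow it, which is worth stating so nobody assumes `_glsectoken` is fixed.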
***************
*** 1092,1099 ****
$return = false; // Default to fail.
! if(array_key_exists('token', $_GET)) {
! $token = COM_applyFilter($_GET['token']);
! } else if(array_key_exists('token', $_POST)) {
! $token = COM_applyFilter($_POST['token']);
}
--- 1097,1104 ----
$return = false; // Default to fail.
! if(array_key_exists(CSRF_TOKEN, $_GET)) {
! $token = COM_applyFilter($_GET[CSRF_TOKEN]);
! } else if(array_key_exists(CSRF_TOKEN, $_POST)) {
! $token = COM_applyFilter($_POST[CSRF_TOKEN]);
}
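Review bot: `$token` is left unassigned when neither `$_GET` nor `$_POST` carries the `CSRF_TOKEN` key; the only initialisation visible is `$return = false;`, so if the code after the hunk compares `$token` it reads an undefined variable (a notice, and a comparison against null). Initialise it next to the default: `$token = '';`. The lookup order also means a token in the query string wins over one in the POST body, so tokens travel in URLs, Referer headers and access logs; checking `$_POST` first would reduce that exposure without affecting the links this commit updates. The enclosing function starts and ends outside the hunk.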
Index: lib-admin.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/system/lib-admin.php,v
retrieving revision 1.128
retrieving revision 1.129
diff -C2 -d -r1.128 -r1.129
*** lib-admin.php 21 Feb 2008 19:52:53 -0000 1.128
--- lib-admin.php 29 Feb 2008 08:22:53 -0000 1.129
***************
*** 639,645 ****
$retval.="<img src=\"{$_CONF['layout_url']}/images/admin/$blockcontrol_image\" width=\"45\" height=\"20\" usemap=\"#arrow{$A['bid']}\" alt=\"\"" . XHTML . ">"
."<map id=\"arrow{$A['bid']}\" name=\"arrow{$A['bid']}\">"
! ."<area coords=\"0,0,12,20\" title=\"{$LANG21[58]}\" href=\"{$_CONF['site_admin_url']}/block.php?mode=move&bid={$A['bid']}&where=up&token={$token}\" alt=\"{$LANG21[58]}\"" . XHTML . ">"
! ."<area coords=\"13,0,29,20\" title=\"$moveTitleMsg\" href=\"{$_CONF['site_admin_url']}/block.php?mode=move&bid={$A['bid']}&where=$switchside&token={$token}\" alt=\"$moveTitleMsg\"" . XHTML . ">"
! ."<area coords=\"30,0,43,20\" title=\"{$LANG21[57]}\" href=\"{$_CONF['site_admin_url']}/block.php?mode=move&bid={$A['bid']}&where=dn&token={$token}\" alt=\"{$LANG21[57]}\"" . XHTML . ">"
."</map>";
}
--- 639,645 ----
$retval.="<img src=\"{$_CONF['layout_url']}/images/admin/$blockcontrol_image\" width=\"45\" height=\"20\" usemap=\"#arrow{$A['bid']}\" alt=\"\"" . XHTML . ">"
."<map id=\"arrow{$A['bid']}\" name=\"arrow{$A['bid']}\">"
! ."<area coords=\"0,0,12,20\" title=\"{$LANG21[58]}\" href=\"{$_CONF['site_admin_url']}/block.php?mode=move&bid={$A['bid']}&where=up&".CSRF_TOKEN."={$token}\" alt=\"{$LANG21[58]}\"" . XHTML . ">"
! ."<area coords=\"13,0,29,20\" title=\"$moveTitleMsg\" href=\"{$_CONF['site_admin_url']}/block.php?mode=move&bid={$A['bid']}&where=$switchside&".CSRF_TOKEN."={$token}\" alt=\"$moveTitleMsg\"" . XHTML . ">"
! ."<area coords=\"30,0,43,20\" title=\"{$LANG21[57]}\" href=\"{$_CONF['site_admin_url']}/block.php?mode=move&bid={$A['bid']}&where=dn&".CSRF_TOKEN."={$token}\" alt=\"{$LANG21[57]}\"" . XHTML . ">"
."</map>";
}
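Review bot: The three rewritten `href` attributes join query parameters with a bare `&` and interpolate `$token` and `$A['bid']` raw; since the markup is emitted as XHTML (the `XHTML` constant is used on the same lines) the separator should be `&amp;`, and both values should pass through `urlencode()` so a non-alphanumeric token or id cannot break the URL or the attribute. Where `$token` and `$A['bid']` originate is outside the hunk, so whether they are externally influenced cannot be confirmed here; encoding them is cheap either way. The `{$_CONF['site_admin_url']}/block.php?mode=move&bid=...` prefix is repeated three times; build it once, e.g. `$moveUrl = $_CONF['site_admin_url'] . '/block.php?mode=move&amp;bid=' . urlencode($A['bid']) . '&amp;where=';` and `$tokenArg = '&amp;' . CSRF_TOKEN . '=' . urlencode($token);`, then use `href=\"{$moveUrl}up{$tokenArg}\"` (and `$switchside`, `dn`) in each area. The enclosing function starts and ends outside the hunk.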