[geeklog-cvs] Geeklog-1.x/public_html/admin story.php,1.266,1.267
Michael Jervis
mjervis at qs1489.pair.com
Thu May 1 15:43:44 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/public_html/admin
In directory qs1489.pair.com:/tmp/cvs-serv7887/public_html/admin
Modified Files:
story.php
Log Message:
Story security.
Index: story.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/story.php,v
retrieving revision 1.266
retrieving revision 1.267
diff -C2 -d -r1.266 -r1.267
*** story.php 30 Dec 2007 12:15:47 -0000 1.266
--- story.php 1 May 2008 19:43:42 -0000 1.267
***************
*** 633,636 ****
--- 633,638 ----
$story_templates->set_var('lang_cancel', $LANG_ADMIN['cancel']);
$story_templates->set_var('lang_delete', $LANG_ADMIN['delete']);
+ $story_templates->set_var('gltoken_name', CSRF_TOKEN);
+ $story_templates->set_var('gltoken', SEC_createToken());
$story_templates->parse('output','editor');
$display .= $story_templates->finish($story_templates->get_var('output'));
***************
*** 721,730 ****
COM_accessLog ("User {$_USER['username']} tried to illegally delete story submission $sid.");
echo COM_refresh ($_CONF['site_admin_url'] . '/index.php');
! } else {
DB_delete ($_TABLES['storysubmission'], 'sid', $sid,
$_CONF['site_admin_url'] . '/moderation.php');
}
! } else {
echo STORY_deleteStory ($sid);
}
} else if (($mode == $LANG_ADMIN['preview']) && !empty ($LANG_ADMIN['preview'])) {
--- 723,738 ----
COM_accessLog ("User {$_USER['username']} tried to illegally delete story submission $sid.");
echo COM_refresh ($_CONF['site_admin_url'] . '/index.php');
! } else if (SEC_checkToken()) {
DB_delete ($_TABLES['storysubmission'], 'sid', $sid,
$_CONF['site_admin_url'] . '/moderation.php');
+ } else {
+ COM_accessLog ("User {$_USER['username']} tried to illegally delete story submission $sid and failed CSRF checks.");
+ echo COM_refresh ($_CONF['site_admin_url'] . '/index.php');
}
! } else if (SEC_checkToken()) {
echo STORY_deleteStory ($sid);
+ } else {
+ COM_accessLog ("User {$_USER['username']} tried to delete story and failed CSRF checks $sid.");
+ echo COM_refresh ($_CONF['site_admin_url'] . '/index.php');
}
} else if (($mode == $LANG_ADMIN['preview']) && !empty ($LANG_ADMIN['preview'])) {
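Review bot: The access-log message in the last added `else` branch reads "tried to delete story and failed CSRF checks $sid." — the id is tacked on after the phrase, unlike the submission branch above it, which makes the two log lines hard to grep consistently; suggest `COM_accessLog ("User {$_USER['username']} tried to delete story $sid and failed CSRF checks.");`. Both new failure branches redirect with `echo COM_refresh(...)` without ending the request, which mirrors the pre-existing illegal-delete branch at the top of the hunk, so presumably nothing else runs after this chain — worth confirming, since the whole `if`/`else if` chain starts before and ends after the hunk. The third hunk handles a failed token on save differently (no log entry), so the two paths are not consistent.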
***************
*** 760,764 ****
$display .= COM_siteFooter();
echo $display;
! } else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
submitstory ();
} else { // 'cancel' or no mode at all
--- 768,772 ----
$display .= COM_siteFooter();
echo $display;
! } else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save']) && SEC_checkToken()) {
submitstory ();
} else { // 'cancel' or no mode at all
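Review bot: Appending `&& SEC_checkToken()` to the save condition means a request with a missing or expired token silently falls through to the `else { // 'cancel' or no mode at all` branch: the author's edits are discarded and, unlike the delete branches in the previous hunk, nothing is written to the access log. A failed token check on a save is the same security event as on a delete and should be logged the same way, and the comment on the cancel branch no longer describes everything that reaches it. Keep the token check inside the save branch so the failure is explicit; the chain continues outside the hunk.
```php
} else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
    if (SEC_checkToken()) {
        submitstory ();
    } else {
        COM_accessLog ("User {$_USER['username']} tried to save story and failed CSRF checks.");
        echo COM_refresh ($_CONF['site_admin_url'] . '/index.php');
    }
} else { // 'cancel' or no mode at all
```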