[geeklog-cvs] Geeklog-1.x/public_html/admin block.php,1.121,1.122

Dirk Haun dhaun at qs1489.pair.com
Sat May 17 13:02:56 EDT 2008


Update of /cvsroot/geeklog/Geeklog-1.x/public_html/admin
In directory qs1489.pair.com:/tmp/cvs-serv75227/public_html/admin

Modified Files:
	block.php 
Log Message:
More CSRF protection


Index: block.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/block.php,v
retrieving revision 1.121
retrieving revision 1.122
diff -C2 -d -r1.121 -r1.122
*** block.php	19 Apr 2008 15:14:41 -0000	1.121
--- block.php	17 May 2008 17:02:54 -0000	1.122
***************
*** 167,170 ****
--- 167,172 ----
      $block_templates->set_var('permissions_msg', $LANG_ACCESS['permmsg']);
      $block_templates->set_var('max_url_length', 255);
+     $block_templates->set_var('gltoken_name', CSRF_TOKEN);
+     $block_templates->set_var('gltoken', SEC_createToken());
      $block_templates->parse('output','editor');
      $retval .= $block_templates->finish($block_templates->get_var('output'));
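Review bot: The editor template now receives `gltoken_name` and `gltoken`, but this diff does not show the template side; the `SEC_checkToken()` check added in the delete branch can only pass if the corresponding template file actually renders the pair as a hidden field, e.g. `<input type="hidden" name="{gltoken_name}" value="{gltoken}">`. Worth confirming that template change landed alongside this commit, since a missing field would turn every delete into a logged CSRF failure. The same applies to the second hunk (new lines 357–362). The enclosing function starts and ends outside the hunk.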
***************
*** 355,358 ****
--- 357,362 ----
          $block_templates->set_var ('allow_autotags', '');
      }
+     $block_templates->set_var('gltoken_name', CSRF_TOKEN);
+     $block_templates->set_var('gltoken', SEC_createToken());
      $block_templates->set_var ('end_block',
              COM_endBlock (COM_getBlockTemplate ('_admin_block', 'footer')));
***************
*** 773,778 ****
          COM_errorLog ('Attempted to delete block, bid empty or null, value =' . $bid);
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/block.php');
!     } else {
          $display .= deleteBlock ($bid);
      }
  } else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
--- 777,785 ----
          COM_errorLog ('Attempted to delete block, bid empty or null, value =' . $bid);
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/block.php');
!     } elseif (SEC_checkToken()) {
          $display .= deleteBlock ($bid);
+     } else {
+         COM_accessLog("User {$_USER['username']} tried to illegally delete block $bid and failed CSRF checks.");
+         echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
      }
  } else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
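Review bot: The new CSRF-failure branch on the line `echo COM_refresh($_CONF['site_admin_url'] . '/index.php');` emits the redirect directly, while the sibling branch two lines above appends it to `$display`; since control falls through this chain without an `exit`, whatever is later done with `$display` presumably still runs after the echoed redirect. For consistency with the surrounding code the line should read `$display .= COM_refresh($_CONF['site_admin_url'] . '/index.php');`. The `else if` for the save mode on the last line is only context here, so whether the save path performs the matching `SEC_checkToken()` check is not visible in this hunk and should be verified. The enclosing dispatch block starts and ends outside the hunk.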



