[geeklog-cvs] Geeklog-1.x/public_html/admin block.php,1.121,1.122
Dirk Haun
dhaun at qs1489.pair.com
Sat May 17 13:02:56 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/public_html/admin
In directory qs1489.pair.com:/tmp/cvs-serv75227/public_html/admin
Modified Files:
block.php
Log Message:
More CSRF protection
Index: block.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/block.php,v
retrieving revision 1.121
retrieving revision 1.122
diff -C2 -d -r1.121 -r1.122
*** block.php 19 Apr 2008 15:14:41 -0000 1.121
--- block.php 17 May 2008 17:02:54 -0000 1.122
***************
*** 167,170 ****
--- 167,172 ----
$block_templates->set_var('permissions_msg', $LANG_ACCESS['permmsg']);
$block_templates->set_var('max_url_length', 255);
+ $block_templates->set_var('gltoken_name', CSRF_TOKEN);
+ $block_templates->set_var('gltoken', SEC_createToken());
$block_templates->parse('output','editor');
$retval .= $block_templates->finish($block_templates->get_var('output'));
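Review bot: The two added set_var() calls publish the token under `gltoken_name`/`gltoken`, but only block.php is in this commit's Modified Files, so the editor template must already contain a hidden input that emits `{gltoken_name}`/`{gltoken}`; if it does not (or that template change lands separately), every form post will fail the SEC_checkToken() branch added further down. The same applies to the identical pair of lines in the second hunk (lines 357-362 of the new file). It would be worth a one-line comment at the first pair, e.g. `// CSRF token; consumed by the hidden gltoken field in the editor template`, so the dependency between this variable and the template is visible to the next maintainer. The enclosing function continues outside the hunk.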
***************
*** 355,358 ****
--- 357,362 ----
$block_templates->set_var ('allow_autotags', '');
}
+ $block_templates->set_var('gltoken_name', CSRF_TOKEN);
+ $block_templates->set_var('gltoken', SEC_createToken());
$block_templates->set_var ('end_block',
COM_endBlock (COM_getBlockTemplate ('_admin_block', 'footer')));
***************
*** 773,778 ****
COM_errorLog ('Attempted to delete block, bid empty or null, value =' . $bid);
$display .= COM_refresh ($_CONF['site_admin_url'] . '/block.php');
! } else {
$display .= deleteBlock ($bid);
}
} else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
--- 777,785 ----
COM_errorLog ('Attempted to delete block, bid empty or null, value =' . $bid);
$display .= COM_refresh ($_CONF['site_admin_url'] . '/block.php');
! } elseif (SEC_checkToken()) {
$display .= deleteBlock ($bid);
+ } else {
+ COM_accessLog("User {$_USER['username']} tried to illegally delete block $bid and failed CSRF checks.");
+ echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
}
} else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
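Review bot: The new CSRF-failure branch does `echo COM_refresh(...)` and then falls through, while the sibling branch three lines above appends the refresh to `$display` and lets the caller emit it; with the echo, the redirect markup is written immediately and whatever `$display` holds is presumably still output afterwards, so the response is either doubled or the redirect is swallowed. Either match the surrounding style with `$display .= COM_refresh($_CONF['site_admin_url'] . '/index.php');`, or follow the echo with an explicit `exit;` if the intent is to stop processing at that point (I cannot see from the hunk how `$display` is emitted, so confirm which the file expects). The access-log message interpolates the request-supplied `$bid` verbatim; if COM_accessLog does not sanitise its input, consider casting or quoting it so a crafted value cannot inject log lines. Minor: the branch uses `elseif` while the following line on the same chain keeps `else if`. The enclosing dispatch block starts and ends outside the hunk.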