[geeklog-cvs] Geeklog-1.x/public_html/admin block.php, 1.122, 1.123 syndication.php, 1.53, 1.54 user.php, 1.203, 1.204
Dirk Haun
dhaun at qs1489.pair.com
Sun May 18 04:19:37 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/public_html/admin
In directory qs1489.pair.com:/tmp/cvs-serv8308/public_html/admin
Modified Files:
block.php syndication.php user.php
Log Message:
More CSRF protection
Index: block.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/block.php,v
retrieving revision 1.122
retrieving revision 1.123
diff -C2 -d -r1.122 -r1.123
*** block.php 17 May 2008 17:02:54 -0000 1.122
--- block.php 18 May 2008 08:19:35 -0000 1.123
***************
*** 715,721 ****
* Enable and Disable block
*/
! function changeBlockStatus ($side, $bid_arr)
{
global $_CONF, $_TABLES;
// first, disable all on the requested side
$side = COM_applyFilter($side, true);
--- 715,722 ----
* Enable and Disable block
*/
! function changeBlockStatus($side, $bid_arr)
{
global $_CONF, $_TABLES;
+
// first, disable all on the requested side
$side = COM_applyFilter($side, true);
***************
*** 769,774 ****
}
! if (isset ($_POST['blockenabler'])) {
! changeBlockStatus ($_POST['blockenabler'], $_POST['enabledblocks']);
}
--- 770,779 ----
}
! if (isset($_POST['blockenabler']) && SEC_checkToken()) {
! $enabledblocks = array();
! if (isset($_POST['enabledblocks'])) {
! $enabledblocks = $_POST['enabledblocks'];
! }
! changeBlockStatus($_POST['blockenabler'], $enabledblocks);
}
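Review bot: A request that fails SEC_checkToken() on the new `blockenabler` condition is dropped silently, whereas the delete branch in user.php in this same commit records the failure with COM_accessLog and redirects; a rejected token on a state-changing admin action deserves the same audit trail here. An `elseif (isset($_POST['blockenabler'])) { COM_accessLog("User {$_USER['username']} tried to change block status and failed CSRF checks."); }` after the block would provide it. `$_POST['enabledblocks']` is also handed to changeBlockStatus() without an `is_array()` check; that function's body is outside this hunk, so whether a scalar value is tolerated there cannot be confirmed from the diff.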
***************
*** 783,787 ****
echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
}
! } else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
$help = '';
if (isset ($_POST['help'])) {
--- 788,792 ----
echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
}
! } elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save']) && SEC_checkToken()) {
$help = '';
if (isset ($_POST['help'])) {
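Review bot: When SEC_checkToken() fails on the save branch, the `elseif` condition is simply false and control falls through to whatever branch follows, so the admin's edit is discarded with neither a log entry nor a message; the enclosing if/elseif chain starts and ends outside this hunk, so the eventual fallback branch is not visible here. Keeping the mode test and moving the token check inside the branch (`if (!SEC_checkToken()) { COM_accessLog(...); echo COM_refresh($_CONF['site_admin_url'] . '/index.php'); } else { ... }`) would match how the delete branch in user.php reports a failed check in this commit. At minimum a comment on the elseif line, `// a failed token check falls through to the default branch below`, would make the silent path deliberate.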
Index: syndication.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/syndication.php,v
retrieving revision 1.53
retrieving revision 1.54
diff -C2 -d -r1.53 -r1.54
*** syndication.php 25 Nov 2007 06:58:55 -0000 1.53
--- syndication.php 18 May 2008 08:19:35 -0000 1.54
***************
*** 3,7 ****
/* Reminder: always indent with 4 spaces (no tabs). */
// +---------------------------------------------------------------------------+
! // | Geeklog 1.4 |
// +---------------------------------------------------------------------------+
// | syndication.php |
--- 3,7 ----
/* Reminder: always indent with 4 spaces (no tabs). */
// +---------------------------------------------------------------------------+
! // | Geeklog 1.5 |
// +---------------------------------------------------------------------------+
// | syndication.php |
***************
*** 9,13 ****
// | Geeklog content syndication administration |
// +---------------------------------------------------------------------------+
! // | Copyright (C) 2003-2006 by the following authors: |
// | |
// | Authors: Dirk Haun - dirk AT haun-online DOT de |
--- 9,13 ----
// | Geeklog content syndication administration |
// +---------------------------------------------------------------------------+
! // | Copyright (C) 2003-2008 by the following authors: |
// | |
// | Authors: Dirk Haun - dirk AT haun-online DOT de |
***************
*** 33,39 ****
// $Id$
!
! require_once ('../lib-common.php');
! require_once ('auth.inc.php');
if (!SEC_hasRights ('syndication.edit')) {
--- 33,38 ----
// $Id$
! require_once '../lib-common.php';
! require_once 'auth.inc.php';
if (!SEC_hasRights ('syndication.edit')) {
***************
*** 56,62 ****
*
*/
! function changeFeedStatus ($fid_arr)
{
global $_TABLES;
// first disable all
DB_query ("UPDATE {$_TABLES['syndication']} SET is_enabled = '0'");
--- 55,62 ----
*
*/
! function changeFeedStatus($fid_arr)
{
global $_TABLES;
+
// first disable all
DB_query ("UPDATE {$_TABLES['syndication']} SET is_enabled = '0'");
***************
*** 83,88 ****
// Import the feed handling classes:
! require_once ($_CONF['path_system']
! . '/classes/syndication/parserfactory.class.php');
$factory = new FeedParserFactory ();
--- 83,88 ----
// Import the feed handling classes:
! require_once $_CONF['path_system']
! . '/classes/syndication/parserfactory.class.php';
$factory = new FeedParserFactory ();
***************
*** 129,136 ****
{
global $_CONF, $_TABLES, $LANG_ADMIN, $LANG33, $_IMAGE_TYPE;
! require_once( $_CONF['path_system'] . 'lib-admin.php' );
$retval = '';
! $header_arr = array( # dislay 'text' and use table field 'field'
array('text' => $LANG_ADMIN['edit'], 'field' => 'edit', 'sort' => false),
array('text' => $LANG_ADMIN['title'], 'field' => 'title', 'sort' => true),
--- 129,139 ----
{
global $_CONF, $_TABLES, $LANG_ADMIN, $LANG33, $_IMAGE_TYPE;
!
! require_once $_CONF['path_system'] . 'lib-admin.php';
!
$retval = '';
+ $token = SEC_createToken();
! $header_arr = array( # display 'text' and use table field 'field'
array('text' => $LANG_ADMIN['edit'], 'field' => 'edit', 'sort' => false),
array('text' => $LANG_ADMIN['title'], 'field' => 'title', 'sort' => true),
***************
*** 167,176 ****
'query_fields' => array('title', 'filename'),
'default_filter' => '');
! // this is a dummy-variable so we know the form has been used if all feeds should be disabled
! // in order to disable the last one.
$form_arr = array('bottom' => '<input type="hidden" name="feedenabler" value="true"' . XHTML . '>');
! $retval .= ADMIN_list ("syndication", "ADMIN_getListField_syndication", $header_arr, $text_arr,
! $query_arr, $defsort_arr, '', '', '', $form_arr);
return $retval;
}
--- 170,180 ----
'query_fields' => array('title', 'filename'),
'default_filter' => '');
! // this is a dummy variable so we know the form has been used if all feeds
! // should be disabled in order to disable the last one.
$form_arr = array('bottom' => '<input type="hidden" name="feedenabler" value="true"' . XHTML . '>');
! $retval .= ADMIN_list('syndication', 'ADMIN_getListField_syndication',
! $header_arr, $text_arr, $query_arr, $defsort_arr, '',
! $token, '', $form_arr);
return $retval;
}
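Review bot: `$token` is now passed to ADMIN_list() as the eighth positional argument sandwiched between empty-string placeholders, which makes the call hard to read and easy to misplace on a later edit; a comment at the call, e.g. `// $token: CSRF token for the enable/disable form; ADMIN_list() presumably embeds it as the hidden field — verify against lib-admin.php`, would document why the list needs it. The neighbouring "dummy variable" comment only explains `feedenabler`, so nothing in this function says where the token ends up. The enclosing function's header is outside this hunk.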
***************
*** 352,355 ****
--- 356,361 ----
$feed_template->set_var ('is_enabled', '');
}
+ $feed_template->set_var('gltoken_name', CSRF_TOKEN);
+ $feed_template->set_var('gltoken', SEC_createToken());
$retval .= $feed_template->finish ($feed_template->parse ('output',
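Review bot: The new `gltoken_name`/`gltoken` template variables only protect the feed editor if the editor template actually renders them as a hidden input; no template change is part of this commit (only the three admin scripts under public_html/admin are listed), so if the template was not updated in a parallel commit, every save from the editor would now fail the SEC_checkToken() gate with no visible error. Worth confirming the template commit, and a comment at these lines such as `// editor template must emit <input type="hidden" name="{gltoken_name}" value="{gltoken}">` would record the coupling. The feed editor function containing these lines starts and ends outside this hunk.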
***************
*** 530,535 ****
$display = '';
! if ($_CONF['backend'] && isset ($_POST['feedenabler'])) {
! changeFeedStatus ($_POST['enabledfeeds']);
}
$mode = '';
--- 536,545 ----
$display = '';
! if ($_CONF['backend'] && isset($_POST['feedenabler']) && SEC_checkToken()) {
! $enabledfeeds = array();
! if (isset($_POST['enabledfeeds'])) {
! $enabledfeeds = $_POST['enabledfeeds'];
! }
! changeFeedStatus($enabledfeeds);
}
$mode = '';
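Review bot: As in block.php, a `feedenabler` request with a bad token is ignored silently with no COM_accessLog entry, while the user.php delete branch in the same commit logs and redirects on the same condition; one convention for rejected admin tokens would help whoever reads the access log later. An `elseif ($_CONF['backend'] && isset($_POST['feedenabler'])) { COM_accessLog("User {$_USER['username']} tried to change feed status and failed CSRF checks."); }` would close the gap. `$enabledfeeds` is also passed to changeFeedStatus() without an `is_array()` check; the part of that function that uses the array is outside this hunk, so I cannot tell from the diff whether a scalar is handled.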
***************
*** 552,562 ****
. COM_siteFooter ();
}
! else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save']))
{
! $display .= savefeed ($_POST);
}
! else if (($mode == $LANG_ADMIN['delete']) && !empty ($LANG_ADMIN['delete']))
{
! $display .= deletefeed (COM_applyFilter($_REQUEST['fid']));
}
else
--- 562,572 ----
. COM_siteFooter ();
}
! elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save']) && SEC_checkToken())
{
! $display .= savefeed($_POST);
}
! elseif (($mode == $LANG_ADMIN['delete']) && !empty($LANG_ADMIN['delete']) && SEC_checkToken())
{
! $display .= deletefeed(COM_applyFilter($_REQUEST['fid']));
}
else
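Review bot: The delete branch still reads the id via `COM_applyFilter($_REQUEST['fid'])` without the numeric flag, while user.php's delete in this commit uses `COM_applyFilter($_POST['uid'], true)`; if `fid` is an integer key (it looks like one, but the schema is not in the diff), `COM_applyFilter($_POST['fid'], true)` would both force an integer and stop the id from arriving on the query string of an otherwise token-checked POST. A failed token check on either the save or the delete branch also falls through to the trailing `else` with no log entry, unlike the user.php delete branch. The else branch and the rest of the if/elseif chain are outside this hunk.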
Index: user.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/user.php,v
retrieving revision 1.203
retrieving revision 1.204
diff -C2 -d -r1.203 -r1.204
*** user.php 11 May 2008 22:03:25 -0000 1.203
--- user.php 18 May 2008 08:19:35 -0000 1.204
***************
*** 38,44 ****
$_USER_VERBOSE = false;
! require_once ('../lib-common.php');
! require_once ('auth.inc.php');
! require_once ($_CONF['path_system'] . 'lib-user.php');
$display = '';
--- 38,44 ----
$_USER_VERBOSE = false;
! require_once '../lib-common.php';
! require_once 'auth.inc.php';
! require_once $_CONF['path_system'] . 'lib-user.php';
$display = '';
***************
*** 348,351 ****
--- 348,353 ----
'<input type="hidden" name="groups" value="-1"' . XHTML . '>');
}
+ $user_templates->set_var('gltoken_name', CSRF_TOKEN);
+ $user_templates->set_var('gltoken', SEC_createToken());
$user_templates->parse('output', 'form');
$retval .= $user_templates->finish($user_templates->get_var('output'));
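Review bot: Setting `gltoken_name`/`gltoken` on `$user_templates` only helps if the user editor template renders them as a hidden field; no template change is in this commit (only admin scripts are listed), and if the template was not updated in a parallel commit, every save and delete submitted from the editor would now fail SEC_checkToken() silently. A comment at these lines, e.g. `// editor template must emit the CSRF hidden input: name="{gltoken_name}" value="{gltoken}"`, would record the dependency for the next person editing the template. The enclosing function starts outside this hunk.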
***************
*** 1152,1163 ****
}
} else if (($mode == $LANG_ADMIN['delete']) && !empty ($LANG_ADMIN['delete'])) { // delete
! $uid = COM_applyFilter ($_POST['uid'], true);
! if ($uid > 1) {
! $display .= deleteUser ($uid);
} else {
! COM_errorLog ('Attempted to delete user uid=' . $uid);
! $display = COM_refresh ($_CONF['site_admin_url'] . '/user.php');
}
! } else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) { // save
$delphoto = '';
if (isset ($_POST['delete_photo'])) {
--- 1154,1168 ----
}
} else if (($mode == $LANG_ADMIN['delete']) && !empty ($LANG_ADMIN['delete'])) { // delete
! $uid = COM_applyFilter($_POST['uid'], true);
! if ($uid <= 1) {
! COM_errorLog('Attempted to delete user uid=' . $uid);
! $display = COM_refresh($_CONF['site_admin_url'] . '/user.php');
! } elseif (SEC_checkToken()) {
! $display .= deleteUser($uid);
} else {
! COM_accessLog("User {$_USER['username']} tried to illegally delete user $uid and failed CSRF checks.");
! echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
}
! } elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save']) && SEC_checkToken()) { // save
$delphoto = '';
if (isset ($_POST['delete_photo'])) {
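Review bot: The save and delete branches now handle a failed SEC_checkToken() differently: delete logs it with COM_accessLog and redirects, while save only makes the `elseif` false so the request falls through to a later branch with no log entry and the admin's edits discarded; both are state-changing admin actions and deserve the same treatment. Keeping `elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save']))` and moving the token check inside the branch, mirroring the delete branch's log-and-redirect, would make them consistent; the save body continues outside this hunk. Minor: the delete branch assigns `$display = COM_refresh(...)` for a bad uid but `echo`es COM_refresh() for a bad token and then continues, so the two rejection paths emit their redirect through different channels — picking one keeps the script's output path predictable.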