[geeklog-cvs] Geeklog-1.x/public_html/admin/plugins/links category.php, 1.15, 1.16 index.php, 1.59, 1.60
Dirk Haun
dhaun at qs1489.pair.com
Sun May 18 09:55:42 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/links
In directory qs1489.pair.com:/tmp/cvs-serv20789/public_html/admin/plugins/links
Modified Files:
category.php index.php
Log Message:
More CSRF protection
Index: category.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/links/category.php,v
retrieving revision 1.15
retrieving revision 1.16
diff -C2 -d -r1.15 -r1.16
*** category.php 17 May 2008 21:02:03 -0000 1.15
--- category.php 18 May 2008 13:55:40 -0000 1.16
***************
*** 267,270 ****
--- 267,272 ----
$A['perm_group'], $A['perm_members'], $A['perm_anon']));
$T->set_var('lang_lockmsg', $LANG_ACCESS['permmsg']);
+ $T->set_var('gltoken_name', CSRF_TOKEN);
+ $T->set_var('gltoken', SEC_createToken());
$T->parse('output', 'page');
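Review bot: The two new `gltoken_name`/`gltoken` template variables only protect the form if the `page` template emits them as a hidden field (`<input type="hidden" name="{gltoken_name}" value="{gltoken}">`), and the Modified Files header lists only category.php and index.php, so the template change is presumably in another commit; worth confirming, because once the save branch requires `SEC_checkToken()` a form without that field can never save. The same applies to the `editor` template variables set in the index.php hunk ending at `$retval .= $link_templates->finish(...)`. The enclosing function starts and ends outside this hunk.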
***************
*** 464,468 ****
$display .= COM_refresh($_CONF['site_admin_url']
. '/plugins/links/category.php');
! } else {
$msg = links_delete_category($cid);
--- 466,470 ----
$display .= COM_refresh($_CONF['site_admin_url']
. '/plugins/links/category.php');
! } elseif (SEC_checkToken()) {
$msg = links_delete_category($cid);
***************
*** 471,478 ****
$display .= links_list_categories($root);
$display .= COM_siteFooter();
}
// save category
! } else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
$msg = links_save_category($_POST['cid'], $_POST['old_cid'],
$_POST['pid'], $_POST['category'],
--- 473,483 ----
$display .= links_list_categories($root);
$display .= COM_siteFooter();
+ } else {
+ COM_accessLog("User {$_USER['username']} tried to illegally delete link category $cid and failed CSRF checks.");
+ echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
}
// save category
! } elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save']) && SEC_checkToken()) {
$msg = links_save_category($_POST['cid'], $_POST['old_cid'],
$_POST['pid'], $_POST['category'],
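Review bot: The save branch on the `!` line folds `SEC_checkToken()` into the mode condition, so a save whose token fails gets no branch of its own and falls through to whatever follows the save branch outside this hunk, with no `COM_accessLog` entry, unlike the delete path, which gets the explicit `else` added above. To keep the two paths consistent, follow the save branch with `} elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save'])) {` / `COM_accessLog("User {$_USER['username']} tried to illegally save link category and failed CSRF checks.");` / `echo COM_refresh($_CONF['site_admin_url'] . '/index.php');` before the final else. The new delete `else` also writes `echo COM_refresh(...)` while the sibling branches accumulate into `$display`; `$display .= COM_refresh(...)` would match them. `$cid` presumably comes straight from the request, so if `COM_accessLog` does not strip line breaks a crafted value could split the log entry; worth checking or stripping control characters before logging. The index.php hunk ending at `if (isset($_POST['cid'])) {` has the same three points with `$lid`, and the if/elseif chain here starts and ends outside the hunk.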
Index: index.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/links/index.php,v
retrieving revision 1.59
retrieving revision 1.60
diff -C2 -d -r1.59 -r1.60
*** index.php 17 May 2008 21:02:03 -0000 1.59
--- index.php 18 May 2008 13:55:40 -0000 1.60
***************
*** 208,211 ****
--- 208,213 ----
$link_templates->set_var('permissions_editor', SEC_getPermissionsHTML($A['perm_owner'],$A['perm_group'],$A['perm_members'],$A['perm_anon']));
$link_templates->set_var('lang_lockmsg', $LANG_ACCESS['permmsg']);
+ $link_templates->set_var('gltoken_name', CSRF_TOKEN);
+ $link_templates->set_var('gltoken', SEC_createToken());
$link_templates->parse('output', 'editor');
$retval .= $link_templates->finish($link_templates->get_var('output'));
***************
*** 483,487 ****
COM_errorLog ('Attempted to delete link lid=' . $lid );
$display .= COM_refresh ($_CONF['site_admin_url'] . '/plugins/links/index.php');
! } else {
$type = '';
if (isset($_POST['type'])) {
--- 485,489 ----
COM_errorLog ('Attempted to delete link lid=' . $lid );
$display .= COM_refresh ($_CONF['site_admin_url'] . '/plugins/links/index.php');
! } elseif (SEC_checkToken()) {
$type = '';
if (isset($_POST['type'])) {
***************
*** 489,494 ****
}
$display .= deleteLink($lid, $type);
}
! } else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
$cid = '';
if (isset($_POST['cid'])) {
--- 491,499 ----
}
$display .= deleteLink($lid, $type);
+ } else {
+ COM_accessLog("User {$_USER['username']} tried to illegally delete link $lid and failed CSRF checks.");
+ echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
}
! } elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save']) && SEC_checkToken()) {
$cid = '';
if (isset($_POST['cid'])) {