[geeklog-cvs] Geeklog-1.x/public_html/admin/plugins/polls index.php, 1.54, 1.55
Dirk Haun
dhaun at qs1489.pair.com
Sun May 18 12:58:53 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/polls
In directory qs1489.pair.com:/tmp/cvs-serv27308/public_html/admin/plugins/polls
Modified Files:
index.php
Log Message:
More CSRF protection
Index: index.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/polls/index.php,v
retrieving revision 1.54
retrieving revision 1.55
diff -C2 -d -r1.54 -r1.55
*** index.php 17 May 2008 18:53:27 -0000 1.54
--- index.php 18 May 2008 16:58:51 -0000 1.55
***************
*** 288,292 ****
$retval = '';
-
// writing the menu on top
require_once( $_CONF['path_system'] . 'lib-admin.php' );
--- 288,291 ----
***************
*** 456,460 ****
$navbar->set_selected($LANG25[31] . " 1");
$poll_templates->set_var ('navbar', $navbar->generate());
!
$poll_templates->parse('output','editor');
--- 455,460 ----
$navbar->set_selected($LANG25[31] . " 1");
$poll_templates->set_var ('navbar', $navbar->generate());
! $poll_templates->set_var('gltoken_name', CSRF_TOKEN);
! $poll_templates->set_var('gltoken', SEC_createToken());
$poll_templates->parse('output','editor');
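Review bot: The two `set_var` calls only make the token available to the editor template; the commit record lists index.php as the only modified file, so unless the editor template already emits `<input type="hidden" name="{gltoken_name}" value="{gltoken}">` inside the form, every save and delete submitted from this editor will fail the new `SEC_checkToken()` checks. Please confirm the template change landed separately or is part of a companion commit. A short comment above the two lines would also help the next reader, e.g. `// CSRF token for the editor form; checked in the save/delete handlers below`. The enclosing editpoll() function starts outside this hunk.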
***************
*** 512,516 ****
$display .= editpoll ($pid);
$display .= COM_siteFooter ();
! } else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
$pid = COM_applyFilter ($_POST['pid']);
if (!empty ($pid)) {
--- 512,516 ----
$display .= editpoll ($pid);
$display .= COM_siteFooter ();
! } elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save']) && SEC_checkToken()) {
$pid = COM_applyFilter ($_POST['pid']);
if (!empty ($pid)) {
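Review bot: Folding `SEC_checkToken()` into the `elseif` condition means a save request with a missing or stale token silently falls through the remaining `elseif` chain and ends in the 'cancel' branch, with no log entry and no indication to the user, whereas the delete branch in the same commit logs the failure via `COM_accessLog`. The mode test and the token test should be separated so a failed check on save is handled explicitly and consistently with delete; the sketch below does that and appends the refresh to `$display` like the surrounding code rather than echoing it. The matching closing brace for the new `else` has to be added at the end of the save branch, which lies outside this hunk.
```php
} elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save'])) {
    if (!SEC_checkToken()) {
        COM_accessLog("User {$_USER['username']} tried to save a poll and failed CSRF checks.");
        $display .= COM_refresh($_CONF['site_admin_url'] . '/index.php');
    } else {
        $pid = COM_applyFilter ($_POST['pid']);
        // … unchanged: existing save handling …
    }
```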
***************
*** 548,552 ****
$display .= COM_siteFooter ();
}
! } else if (($mode == $LANG_ADMIN['delete']) && !empty ($LANG_ADMIN['delete'])) {
$pid = '';
if (isset ($_POST['pid'])) {
--- 548,552 ----
$display .= COM_siteFooter ();
}
! } elseif (($mode == $LANG_ADMIN['delete']) && !empty($LANG_ADMIN['delete'])) {
$pid = '';
if (isset ($_POST['pid'])) {
***************
*** 556,561 ****
COM_errorLog ('Ignored possibly manipulated request to delete a poll.');
$display .= COM_refresh ($_CONF['site_admin_url'] . '/plugins/polls/index.php');
! } else {
$display .= deletePoll ($pid);
}
} else { // 'cancel' or no mode at all
--- 556,564 ----
COM_errorLog ('Ignored possibly manipulated request to delete a poll.');
$display .= COM_refresh ($_CONF['site_admin_url'] . '/plugins/polls/index.php');
! } elseif (SEC_checkToken()) {
$display .= deletePoll ($pid);
+ } else {
+ COM_accessLog("User {$_USER['username']} tried to illegally delete poll $pid and failed CSRF checks.");
+ echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
}
} else { // 'cancel' or no mode at all
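Review bot: The new failure branch writes the redirect with `echo COM_refresh(...)`, while two lines above (and throughout this handler) output is accumulated into `$display`; if `$display` is echoed later, whatever has already been collected would be emitted after the refresh, and the page structure differs from the "possibly manipulated" branch right next to it. Use `$display .= COM_refresh($_CONF['site_admin_url'] . '/index.php');` for consistency. The log line also interpolates `$pid`; it appears to have been validated above (the "possibly manipulated" check), but please confirm the value logged is the filtered one, since `COM_accessLog` writes it verbatim.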