[geeklog-cvs] Geeklog-1.x/public_html/admin/plugins/polls index.php, 1.54, 1.55

Dirk Haun dhaun at qs1489.pair.com
Sun May 18 12:58:53 EDT 2008


Update of /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/polls
In directory qs1489.pair.com:/tmp/cvs-serv27308/public_html/admin/plugins/polls

Modified Files:
	index.php 
Log Message:
More CSRF protection


Index: index.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/polls/index.php,v
retrieving revision 1.54
retrieving revision 1.55
diff -C2 -d -r1.54 -r1.55
*** index.php	17 May 2008 18:53:27 -0000	1.54
--- index.php	18 May 2008 16:58:51 -0000	1.55
***************
*** 288,292 ****
      $retval = '';
  
- 
      // writing the menu on top
      require_once( $_CONF['path_system'] . 'lib-admin.php' );
--- 288,291 ----
***************
*** 456,460 ****
      $navbar->set_selected($LANG25[31] . " 1");
      $poll_templates->set_var ('navbar', $navbar->generate());
! 
  
      $poll_templates->parse('output','editor');
--- 455,460 ----
      $navbar->set_selected($LANG25[31] . " 1");
      $poll_templates->set_var ('navbar', $navbar->generate());
!     $poll_templates->set_var('gltoken_name', CSRF_TOKEN);
!     $poll_templates->set_var('gltoken', SEC_createToken());
  
      $poll_templates->parse('output','editor');
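Review bot: The two `set_var` calls only protect the form if the poll editor template actually renders `{gltoken_name}`/`{gltoken}` as a hidden input; this commit lists only index.php as modified, so unless the template was changed in a separate commit, every save will now fail SEC_checkToken() and be dropped. A short comment above the added lines would make the coupling visible to the next maintainer, e.g. `// CSRF token: the editor template must emit it as <input type="hidden" name="{gltoken_name}" value="{gltoken}">`. The enclosing function starts before this hunk, so I cannot see whether the token is also passed anywhere else.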
***************
*** 512,516 ****
      $display .= editpoll ($pid);
      $display .= COM_siteFooter ();
! } else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
      $pid = COM_applyFilter ($_POST['pid']);
      if (!empty ($pid)) {
--- 512,516 ----
      $display .= editpoll ($pid);
      $display .= COM_siteFooter ();
! } elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save']) && SEC_checkToken()) {
      $pid = COM_applyFilter ($_POST['pid']);
      if (!empty ($pid)) {
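Review bot: When SEC_checkToken() fails in the new save condition, the request does not match this branch and falls through to the final `else` ('cancel' or no mode at all), so a forged or expired-token save is silently discarded with no log entry — unlike the delete path in this same commit, which records the failure via COM_accessLog. A dedicated branch just before the final `else` would keep the two paths consistent, e.g. `} elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save'])) { COM_accessLog("User {$_USER['username']} tried to save a poll and failed CSRF checks."); $display .= COM_refresh($_CONF['site_admin_url'] . '/index.php'); }`, so an admin whose token expired learns why the edit was lost rather than getting a bare redirect. The body of the save branch continues past the end of this hunk.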
***************
*** 548,552 ****
          $display .= COM_siteFooter ();
      }
! } else if (($mode == $LANG_ADMIN['delete']) && !empty ($LANG_ADMIN['delete'])) {
      $pid = '';
      if (isset ($_POST['pid'])) {
--- 548,552 ----
          $display .= COM_siteFooter ();
      }
! } elseif (($mode == $LANG_ADMIN['delete']) && !empty($LANG_ADMIN['delete'])) {
      $pid = '';
      if (isset ($_POST['pid'])) {
***************
*** 556,561 ****
          COM_errorLog ('Ignored possibly manipulated request to delete a poll.');
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/plugins/polls/index.php');
!     } else {
          $display .= deletePoll ($pid);
      }
  } else { // 'cancel' or no mode at all
--- 556,564 ----
          COM_errorLog ('Ignored possibly manipulated request to delete a poll.');
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/plugins/polls/index.php');
!     } elseif (SEC_checkToken()) {
          $display .= deletePoll ($pid);
+     } else {
+         COM_accessLog("User {$_USER['username']} tried to illegally delete poll $pid and failed CSRF checks.");
+         echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
      }
  } else { // 'cancel' or no mode at all
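Review bot: The new CSRF-failure branch does `echo COM_refresh(...)` while the sibling manipulated-request branch two lines above appends the same call to `$display`; if the script later outputs `$display` (as every other branch here assumes), the refresh markup is emitted before whatever `$display` already holds and the two interleave. Use `$display .= COM_refresh($_CONF['site_admin_url'] . '/index.php');` to match the adjacent branch. The log line interpolates `$pid` (already filtered on the lines above, judging by the manipulated-request check) and `$_USER['username']`, which is presumably guaranteed by the page's admin access check — worth confirming that check runs before this point, since the failure path is exactly where a non-admin request is most likely to land.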



