[geeklog-cvs] Geeklog-1.x/public_html/admin/plugins/calendar index.php, 1.34, 1.35
Dirk Haun
dhaun at qs1489.pair.com
Thu May 22 13:01:56 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/calendar
In directory qs1489.pair.com:/tmp/cvs-serv43032/public_html/admin/plugins/calendar
Modified Files:
index.php
Log Message:
More CSRF protection; also fixed some E_ALL warnings and some cosmetic issues
Index: index.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/calendar/index.php,v
retrieving revision 1.34
retrieving revision 1.35
diff -C2 -d -r1.34 -r1.35
*** index.php 22 May 2008 13:23:59 -0000 1.34
--- index.php 22 May 2008 17:01:54 -0000 1.35
***************
*** 72,76 ****
*
*/
-
function CALENDAR_editEvent ($mode, $A, $msg = '')
{
--- 72,75 ----
***************
*** 330,333 ****
--- 329,334 ----
$event_templates->set_var('lang_permissionskey', $LANG_ACCESS['permissionskey']);
$event_templates->set_var('permissions_editor', SEC_getPermissionsHTML($A['perm_owner'],$A['perm_group'],$A['perm_members'],$A['perm_anon']));
+ $event_templates->set_var('gltoken_name', CSRF_TOKEN);
+ $event_templates->set_var('gltoken', SEC_createToken());
$event_templates->parse('output', 'editor');
$retval .= $event_templates->finish($event_templates->get_var('output'));
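Review bot: The token is only injected into the `editor` template here, yet the same commit puts `SEC_checkToken()` in front of `batchdeleteexec`, whose form is produced by `CALENDAR_listOld()` outside this hunk; unless that list template also emits `gltoken_name`/`gltoken` as a hidden field, the batch delete will now always fail the token check. Worth confirming the matching template change landed alongside this one. The template must also place the `{gltoken_name}`/`{gltoken}` field inside the same `<form>` as the save and delete buttons, since both of those paths are now guarded. The enclosing function `CALENDAR_editEvent` begins before this hunk.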
***************
*** 573,578 ****
$mode = $_REQUEST['mode'];
}
! if (isset($_POST["delbutton_x"])) {
! $mode = batchdeleteexec;
}
--- 574,579 ----
$mode = $_REQUEST['mode'];
}
! if (isset($_POST['delbutton_x'])) {
! $mode = 'batchdeleteexec';
}
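Review bot: Quoting `'batchdeleteexec'` is the right fix (the bare constant only worked because PHP falls back to the constant's name with a notice), but `$mode` is still taken from `$_REQUEST['mode']` two lines above, so a plain GET of `?mode=batchdeleteexec` selects the same branch as the image button; the new token check is then the only thing between a link and a bulk delete. Consider sourcing state-changing modes from `$_POST` only, e.g. `$mode = isset($_POST['mode']) ? $_POST['mode'] : '';`, so the GET path cannot reach them at all. The surrounding mode-resolution block starts before this hunk.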
***************
*** 580,587 ****
$eid = COM_applyFilter ($_REQUEST['eid']);
if (!isset ($eid) || empty ($eid) || ($eid == 0)) {
! COM_errorLog ('Attempted to delete event eid=\''
! . $eid . "'");
! $display .= COM_refresh ($_CONF['site_admin_url'] . '/plugins/calendar/index.php');
! } else {
$type = '';
if (isset($_POST['type'])) {
--- 581,588 ----
$eid = COM_applyFilter ($_REQUEST['eid']);
if (!isset ($eid) || empty ($eid) || ($eid == 0)) {
! COM_errorLog ('Attempted to delete event eid=\'' . $eid . "'");
! $display .= COM_refresh($_CONF['site_admin_url']
! . '/plugins/calendar/index.php');
! } elseif(SEC_checkToken()) {
$type = '';
if (isset($_POST['type'])) {
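Review bot: `$_REQUEST['eid']` is read without an `isset()` guard on the line feeding `COM_applyFilter`, so a delete request that omits `eid` raises exactly the E_ALL notice this commit sets out to remove; `$eid = isset($_REQUEST['eid']) ? COM_applyFilter($_REQUEST['eid']) : '';` closes that. The following condition can also be reduced: `isset($eid)` is always true straight after the assignment and `empty($eid)` already covers `0` and `'0'`, so `if (empty($eid)) {` is equivalent. Style-wise, `elseif(SEC_checkToken())` should be `elseif (SEC_checkToken())` to match the `elseif (` spacing used in the rest of the file. The enclosing if/elseif dispatch chain begins before this hunk.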
***************
*** 589,594 ****
}
$display .= CALENDAR_deleteEvent($eid, $type);
}
! } else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
if (!isset ($_POST['allday'])) {
$_POST['allday'] = '';
--- 590,598 ----
}
$display .= CALENDAR_deleteEvent($eid, $type);
+ } else {
+ COM_accessLog("User {$_USER['username']} tried to illegally delete event $eid and failed CSRF checks.");
+ echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
}
! } elseif (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save']) && SEC_checkToken()) {
if (!isset ($_POST['allday'])) {
$_POST['allday'] = '';
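Review bot: The save branch now requires `SEC_checkToken()` in its condition, but unlike the delete path there is no `else` for a failed check, so a forged or expired-token save silently falls through to whatever later `elseif` matches, with nothing in the access log and no redirect. A sibling branch placed right after the save branch closes (outside this hunk) would give it the same treatment as delete. Separately, the new CSRF-failure branch uses `echo COM_refresh(...)` while the neighbouring `eid` error path uses `$display .= COM_refresh(...)`; if the page still emits `$display` later, both the refresh and the rest of the page go out, so `$display .=` is the consistent choice. If this page can be reached without a login, `$_USER['username']` in the log line may also be an undefined index — confirm against the access check at the top of the file.
```php
// … unchanged: save-branch body …
} elseif ($mode == $LANG_ADMIN['save']) {
    // reached only when SEC_checkToken() failed in the branch above
    COM_accessLog("User {$_USER['username']} tried to illegally save an event and failed CSRF checks.");
    $display .= COM_refresh($_CONF['site_admin_url'] . '/index.php');
```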
***************
*** 673,677 ****
$display .= CALENDAR_listOld();
$display .= COM_siteFooter ();
! } else if ($mode == 'batchdeleteexec') {
$msg = CALENDAR_deleteOld();
$display .= COM_siteHeader ('menu', $LANG_CAL_ADMIN[11])
--- 677,681 ----
$display .= CALENDAR_listOld();
$display .= COM_siteFooter ();
! } elseif (($mode == 'batchdeleteexec') && SEC_checkToken()) {
$msg = CALENDAR_deleteOld();
$display .= COM_siteHeader ('menu', $LANG_CAL_ADMIN[11])
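Review bot: A `batchdeleteexec` request whose token fails `SEC_checkToken()` now drops out of this branch with no log entry and no feedback, landing in whichever later `elseif` or default path matches (outside this hunk); an admin who clicked the button would just see the page reload with old events still present. Adding a following `} elseif ($mode == 'batchdeleteexec') {` branch that calls `COM_accessLog(...)` and refreshes, as the delete path does, would make the rejection visible. This also depends on the old-events list form emitting the `gltoken` hidden field — verify `CALENDAR_listOld()` and its template were updated, or every batch delete will be rejected.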