[geeklog-cvs] Geeklog-1.x/public_html/admin/plugins/calendar index.php, 1.34, 1.35

Dirk Haun dhaun at qs1489.pair.com
Thu May 22 13:01:56 EDT 2008


Update of /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/calendar
In directory qs1489.pair.com:/tmp/cvs-serv43032/public_html/admin/plugins/calendar

Modified Files:
	index.php 
Log Message:
More CSRF protection; also fixed some E_ALL warnings and some cosmetic issues


Index: index.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/calendar/index.php,v
retrieving revision 1.34
retrieving revision 1.35
diff -C2 -d -r1.34 -r1.35
*** index.php	22 May 2008 13:23:59 -0000	1.34
--- index.php	22 May 2008 17:01:54 -0000	1.35
***************
*** 72,76 ****
  *
  */
- 
  function CALENDAR_editEvent ($mode, $A, $msg = '')
  {
--- 72,75 ----
***************
*** 330,333 ****
--- 329,334 ----
      $event_templates->set_var('lang_permissionskey', $LANG_ACCESS['permissionskey']);
      $event_templates->set_var('permissions_editor', SEC_getPermissionsHTML($A['perm_owner'],$A['perm_group'],$A['perm_members'],$A['perm_anon']));
+     $event_templates->set_var('gltoken_name', CSRF_TOKEN);
+     $event_templates->set_var('gltoken', SEC_createToken());
      $event_templates->parse('output', 'editor');
      $retval .= $event_templates->finish($event_templates->get_var('output'));
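Review bot: The editor template now gets `gltoken_name`/`gltoken`, but the `delbutton_x` and `batchdeleteexec` paths later in this file are also gated by `SEC_checkToken()`, and it is not visible here whether the list/old-events templates those forms submit from receive the same two variables; if they do not, those branches presumably can never pass the check. Worth confirming in the code that builds those forms. `CALENDAR_editEvent` begins and ends outside this hunk.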
***************
*** 573,578 ****
      $mode = $_REQUEST['mode'];
  }
! if (isset($_POST["delbutton_x"])) {
!     $mode = batchdeleteexec;
  }
  
--- 574,579 ----
      $mode = $_REQUEST['mode'];
  }
! if (isset($_POST['delbutton_x'])) {
!     $mode = 'batchdeleteexec';
  }
  
***************
*** 580,587 ****
      $eid = COM_applyFilter ($_REQUEST['eid']);
      if (!isset ($eid) || empty ($eid) || ($eid == 0)) {
!         COM_errorLog ('Attempted to delete event eid=\''
!                       . $eid . "'");
!         $display .= COM_refresh ($_CONF['site_admin_url'] . '/plugins/calendar/index.php');
!     } else {
          $type = '';
          if (isset($_POST['type'])) {
--- 581,588 ----
      $eid = COM_applyFilter ($_REQUEST['eid']);
      if (!isset ($eid) || empty ($eid) || ($eid == 0)) {
!         COM_errorLog ('Attempted to delete event eid=\'' . $eid . "'");
!         $display .= COM_refresh($_CONF['site_admin_url']
!                                 . '/plugins/calendar/index.php');
!     } elseif(SEC_checkToken()) {
          $type = '';
          if (isset($_POST['type'])) {
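Review bot: `} elseif(SEC_checkToken()) {` on the new side drops the space between `elseif` and the parenthesis that every other branch in this file uses (`} elseif ((`), so it should read `} elseif (SEC_checkToken()) {`. Note also that the token is only consulted after the eid sanity check, so a request with a missing or zero eid is logged and redirected without ever being tested for a valid token — harmless since nothing is deleted on that path, but the error-log entry then cannot distinguish a forged request from a malformed one. The if/elseif chain continues in the next hunk.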
***************
*** 589,594 ****
          }
          $display .= CALENDAR_deleteEvent($eid, $type);
      }
! } else if (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
      if (!isset ($_POST['allday'])) {
          $_POST['allday'] = '';
--- 590,598 ----
          }
          $display .= CALENDAR_deleteEvent($eid, $type);
+     } else {
+         COM_accessLog("User {$_USER['username']} tried to illegally delete event $eid and failed CSRF checks.");
+         echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
      }
! } elseif (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save']) && SEC_checkToken()) {
      if (!isset ($_POST['allday'])) {
          $_POST['allday'] = '';
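Review bot: Appending `&& SEC_checkToken()` to the save branch (and to the `batchdeleteexec` branch in the last hunk) turns a failed token check into a silent fall-through to whatever later `elseif`/default handles the mode, whereas the delete branch directly above gets an explicit `else` that calls `COM_accessLog` and redirects; for parity the mode test should stay on the `elseif` and the token check move into an inner `if` with an `else` that logs the same way. The new `else` also uses `echo COM_refresh(...)` while the branch above appends the same call to `$display`; unless the script exits immediately afterwards, the redirect markup is emitted ahead of, and in addition to, whatever `$display` is printed later, so `$display .= COM_refresh($_CONF['site_admin_url'] . '/index.php');` is the consistent form. The `{$_USER['username']}` interpolation assumes `$_USER` is populated, which an admin page presumably guarantees upstream but is not visible here. The save branch body runs past the end of this hunk.
```php
} elseif (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save'])) {
    if (SEC_checkToken()) {
        // … unchanged: allday handling and the rest of the save path …
    } else {
        COM_accessLog("User {$_USER['username']} tried to illegally save an event and failed CSRF checks.");
        $display .= COM_refresh($_CONF['site_admin_url'] . '/index.php');
    }
```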
***************
*** 673,677 ****
      $display .= CALENDAR_listOld();
      $display .= COM_siteFooter ();
! } else if ($mode == 'batchdeleteexec') {
      $msg = CALENDAR_deleteOld();
      $display .= COM_siteHeader ('menu', $LANG_CAL_ADMIN[11])
--- 677,681 ----
      $display .= CALENDAR_listOld();
      $display .= COM_siteFooter ();
! } elseif (($mode == 'batchdeleteexec') && SEC_checkToken()) {
      $msg = CALENDAR_deleteOld();
      $display .= COM_siteHeader ('menu', $LANG_CAL_ADMIN[11])



