[geeklog-cvs] Geeklog-1.x/system lib-comment.php,1.64,1.65
Dirk Haun
dhaun at qs1489.pair.com
Fri May 23 06:50:53 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/system
In directory qs1489.pair.com:/tmp/cvs-serv25132/system
Modified Files:
lib-comment.php
Log Message:
More CSRF protection
Index: lib-comment.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/system/lib-comment.php,v
retrieving revision 1.64
retrieving revision 1.65
diff -C2 -d -r1.64 -r1.65
*** lib-comment.php 16 Apr 2008 11:13:36 -0000 1.64
--- lib-comment.php 23 May 2008 10:50:50 -0000 1.65
***************
*** 43,47 ****
{
// only needed for the USER_getPhoto function
! require_once ($_CONF['path_system'] . 'lib-user.php');
}
--- 43,47 ----
{
// only needed for the USER_getPhoto function
! require_once $_CONF['path_system'] . 'lib-user.php';
}
***************
*** 270,273 ****
--- 270,278 ----
}
+ $token = '';
+ if ($delete_option && !$preview) {
+ $token = SEC_createToken();
+ }
+
$row = 1;
do {
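Review bot: `$token` stays `''` when `$preview` is true while `$delete_option` is still set, so the delete link built further down in the same loop (the `*** 376,380` hunk) is emitted with an empty value after `CSRF_TOKEN . '='`. If delete links are not meant to be usable from a preview, the cleaner fix is to not render the link at all in that case, e.g. `if ($delete_option && !$preview) {` around the link construction; otherwise the consumer in comment.php has to treat an empty token as a failed check rather than as "no token required", which cannot be verified from this hunk. The enclosing function and the `do` loop both continue outside the hunk.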
***************
*** 376,380 ****
if( $delete_option ) {
$dellink = $_CONF['site_url'] . '/comment.php?mode=delete&cid='
! . $A['cid'] . '&sid=' . $A['sid'] . '&type=' . $type;
$delattr = array('onclick' => "return confirm('{$MESSAGE[76]}');");
$deloption = COM_createLink( $LANG01[28], $dellink, $delattr) . ' | ';
--- 381,386 ----
if( $delete_option ) {
$dellink = $_CONF['site_url'] . '/comment.php?mode=delete&cid='
! . $A['cid'] . '&sid=' . $A['sid'] . '&type=' . $type
! . '&' . CSRF_TOKEN . '=' . $token;
$delattr = array('onclick' => "return confirm('{$MESSAGE[76]}');");
$deloption = COM_createLink( $LANG01[28], $dellink, $delattr) . ' | ';
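Review bot: The token is placed in the query string of a plain GET link that performs a state-changing delete, so it ends up in browser history, server and proxy logs, and in the Referer header of any page reached from comment.php. The report form changed in this same commit takes the safer route of passing `CSRF_TOKEN` as a hidden field of a POST form; the delete action should follow the same pattern, either by rendering a small POST form here or by having comment.php answer the GET with a confirmation form that carries the token and performs the delete on POST. The JavaScript `confirm()` on `$delattr` is a UX guard only and does not reduce this exposure. The enclosing function continues outside the hunk.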
***************
*** 769,773 ****
$comment_template->set_file('form','commentform.thtml');
}
! $comment_template->set_var( 'xhtml', XHTML );
$comment_template->set_var('site_url', $_CONF['site_url']);
$comment_template->set_var('site_admin_url', $_CONF['site_admin_url']);
--- 775,779 ----
$comment_template->set_file('form','commentform.thtml');
}
! $comment_template->set_var('xhtml', XHTML);
$comment_template->set_var('site_url', $_CONF['site_url']);
$comment_template->set_var('site_admin_url', $_CONF['site_admin_url']);
***************
*** 1108,1112 ****
$loginreq = new Template ($_CONF['path_layout'] . 'submit');
$loginreq->set_file ('loginreq', 'submitloginrequired.thtml');
! $loginreq->set_var ( 'xhtml', XHTML );
$loginreq->set_var ('login_message', $LANG_LOGIN[2]);
$loginreq->set_var ('site_url', $_CONF['site_url']);
--- 1114,1118 ----
$loginreq = new Template ($_CONF['path_layout'] . 'submit');
$loginreq->set_file ('loginreq', 'submitloginrequired.thtml');
! $loginreq->set_var ('xhtml', XHTML);
$loginreq->set_var ('login_message', $LANG_LOGIN[2]);
$loginreq->set_var ('site_url', $_CONF['site_url']);
***************
*** 1131,1148 ****
}
! $start = new Template ($_CONF['path_layout'] . 'comment');
! $start->set_file (array ('report' => 'reportcomment.thtml'));
! $start->set_var ( 'xhtml', XHTML );
! $start->set_var ('site_url', $_CONF['site_url']);
! $start->set_var ('layout_url', $_CONF['layout_url']);
! $start->set_var ('lang_report_this', $LANG03[25]);
! $start->set_var ('lang_send_report', $LANG03[10]);
! $start->set_var ('cid', $cid);
! $start->set_var ('type', $type);
$result = DB_query ("SELECT uid,sid,pid,title,comment,UNIX_TIMESTAMP(date) AS nice_date FROM {$_TABLES['comments']} WHERE cid = $cid AND type = '$type'");
$A = DB_fetchArray ($result);
! $result = DB_query ("SELECT username,fullname,photo FROM {$_TABLES['users']} WHERE uid = {$A['uid']}");
$B = DB_fetchArray ($result);
--- 1137,1156 ----
}
! $start = new Template($_CONF['path_layout'] . 'comment');
! $start->set_file(array('report' => 'reportcomment.thtml'));
! $start->set_var('xhtml', XHTML);
! $start->set_var('site_url', $_CONF['site_url']);
! $start->set_var('layout_url', $_CONF['layout_url']);
! $start->set_var('lang_report_this', $LANG03[25]);
! $start->set_var('lang_send_report', $LANG03[10]);
! $start->set_var('cid', $cid);
! $start->set_var('type', $type);
! $start->set_var('gltoken_name', CSRF_TOKEN);
! $start->set_var('gltoken', SEC_createToken());
$result = DB_query ("SELECT uid,sid,pid,title,comment,UNIX_TIMESTAMP(date) AS nice_date FROM {$_TABLES['comments']} WHERE cid = $cid AND type = '$type'");
$A = DB_fetchArray ($result);
! $result = DB_query ("SELECT username,fullname,photo,email FROM {$_TABLES['users']} WHERE uid = {$A['uid']}");
$B = DB_fetchArray ($result);
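Review bot: The result of `DB_fetchArray` on the comment query is used unchecked on the changed line `$result = DB_query ("SELECT username,fullname,photo,email ... WHERE uid = {$A['uid']}")`; if no row matches `$cid`/`$type`, `$A['uid']` is unset and the second query is issued with an empty `uid =` predicate. A guard such as `if (empty($A)) { /* show the appropriate error and return */ }` between the two fetches would avoid that. The commit also leaves the string interpolation of `$cid` and `$type` into the comment query unchanged, which is only safe if both are cast or validated earlier in the function, outside this hunk. The newly selected `email` column is copied into `$A` in the following hunk; where it is rendered is not visible here, so it is worth confirming it is not exposed to the reporting user. The enclosing function starts before this hunk and continues after it.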
***************
*** 1153,1156 ****
--- 1161,1165 ----
$A['fullname'] = $B['fullname'];
$A['photo'] = $B['photo'];
+ $A['email'] = $B['email'];
$A['indent'] = 0;
$A['pindent'] = 0;
***************
*** 1183,1187 ****
$loginreq = new Template ($_CONF['path_layout'] . 'submit');
$loginreq->set_file ('loginreq', 'submitloginrequired.thtml');
! $loginreq->set_var ( 'xhtml', XHTML );
$loginreq->set_var ('login_message', $LANG_LOGIN[2]);
$loginreq->set_var ('site_url', $_CONF['site_url']);
--- 1192,1196 ----
$loginreq = new Template ($_CONF['path_layout'] . 'submit');
$loginreq->set_file ('loginreq', 'submitloginrequired.thtml');
! $loginreq->set_var ('xhtml', XHTML);
$loginreq->set_var ('login_message', $LANG_LOGIN[2]);
$loginreq->set_var ('site_url', $_CONF['site_url']);
***************
*** 1238,1242 ****
$mailbody .= $LANG08[33] . ' <' . $_CONF['site_url']
! . '/comment.php?mode=view&cid=' . $cid . ">\n\n";
$mailbody .= "\n------------------------------\n";
--- 1247,1251 ----
$mailbody .= $LANG08[33] . ' <' . $_CONF['site_url']
! . '/comment.php?mode=view&cid=' . $cid . ">\n\n";
$mailbody .= "\n------------------------------\n";