[geeklog-cvs] Geeklog-1.x/system lib-trackback.php,1.50,1.51
Dirk Haun
dhaun at qs1489.pair.com
Fri May 23 07:23:45 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/system
In directory qs1489.pair.com:/tmp/cvs-serv29565/system
Modified Files:
lib-trackback.php
Log Message:
More CSRF protection
Index: lib-trackback.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/system/lib-trackback.php,v
retrieving revision 1.50
retrieving revision 1.51
diff -C2 -d -r1.50 -r1.51
*** lib-trackback.php 25 Nov 2007 06:55:07 -0000 1.50
--- lib-trackback.php 23 May 2008 11:23:43 -0000 1.51
***************
*** 3,7 ****
/* Reminder: always indent with 4 spaces (no tabs). */
// +---------------------------------------------------------------------------+
! // | Geeklog 1.4 |
// +---------------------------------------------------------------------------+
// | lib-trackback.php |
--- 3,7 ----
/* Reminder: always indent with 4 spaces (no tabs). */
// +---------------------------------------------------------------------------+
! // | Geeklog 1.5 |
// +---------------------------------------------------------------------------+
// | lib-trackback.php |
***************
*** 9,13 ****
// | Functions needed to handle trackback comments. |
// +---------------------------------------------------------------------------+
! // | Copyright (C) 2005-2007 by the following authors: |
// | |
// | Author: Dirk Haun - dirk AT haun-online DOT de |
--- 9,13 ----
// | Functions needed to handle trackback comments. |
// +---------------------------------------------------------------------------+
! // | Copyright (C) 2005-2008 by the following authors: |
// | |
// | Author: Dirk Haun - dirk AT haun-online DOT de |
***************
*** 32,43 ****
// $Id$
! if (strpos ($_SERVER['PHP_SELF'], 'lib-trackback.php') !== false) {
! die ('This file can not be used on its own!');
}
// result codes for TRB_saveTrackbackComment
! define ('TRB_SAVE_OK', 0);
! define ('TRB_SAVE_SPAM', -1);
! define ('TRB_SAVE_REJECT', -2);
// set to true to log rejected Trackbacks
--- 32,43 ----
// $Id$
! if (strpos($_SERVER['PHP_SELF'], 'lib-trackback.php') !== false) {
! die('This file can not be used on its own!');
}
// result codes for TRB_saveTrackbackComment
! define('TRB_SAVE_OK', 0);
! define('TRB_SAVE_SPAM', -1);
! define('TRB_SAVE_REJECT', -2);
// set to true to log rejected Trackbacks
***************
*** 346,353 ****
* @param string $cid id of this trackback comment
* @param string $ipaddress IP address the comment was sent from
* @return string HTML of the formatted trackback comment
*
*/
! function TRB_formatComment ($url, $title = '', $blog = '', $excerpt = '', $date = 0, $delete_option = false, $cid = '', $ipaddress = '')
{
global $_CONF, $LANG01, $LANG_TRB, $MESSAGE;
--- 346,354 ----
* @param string $cid id of this trackback comment
* @param string $ipaddress IP address the comment was sent from
+ * @param string $token security token
* @return string HTML of the formatted trackback comment
*
*/
! function TRB_formatComment ($url, $title = '', $blog = '', $excerpt = '', $date = 0, $delete_option = false, $cid = '', $ipaddress = '', $token = '')
{
global $_CONF, $LANG01, $LANG_TRB, $MESSAGE;
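Review bot: The new `@param string $token security token` line does not say that the parameter is only meaningful, and in practice mandatory, when `$delete_option` is true; with the default `''` the delete link is still rendered, but with an empty token, and the admin page can then be expected to reject the request. Suggest `@param string $token security token (required when $delete_option is true)` so callers that pass `$delete_option = true` know to obtain one. The body of TRB_formatComment continues past the hunk.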
***************
*** 404,410 ****
if ($delete_option) {
$deloption .= '[ ';
! $deloption .= COM_createLink(
! $LANG01[28],
! $_CONF['site_admin_url'] . '/trackback.php?mode=delete&cid=' . $cid,
array('onclick'=> "return confirm('{$MESSAGE[76]}');")
);
--- 405,411 ----
if ($delete_option) {
$deloption .= '[ ';
! $deloption .= COM_createLink($LANG01[28], $_CONF['site_admin_url']
! . '/trackback.php?mode=delete&cid=' . $cid . '&'
! . CSRF_TOKEN . '=' . $token,
array('onclick'=> "return confirm('{$MESSAGE[76]}');")
);
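Review bot: The token is concatenated into the href unencoded on the `. CSRF_TOKEN . '=' . $token,` line; nothing in the hunk shows what characters SEC_createToken() produces, so `. CSRF_TOKEN . '=' . urlencode($token),` is the safer form and costs nothing, and it keeps the link valid if the token format ever changes. A second point, pre-existing but worth a line: the delete is still triggered by a GET link, so the token now travels in the query string and will appear in browser history and possibly Referer headers, which a comment such as `// token is exposed in the query string; the admin side should treat it as single-use or short-lived` would at least record. The enclosing function starts outside the hunk.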
***************
*** 420,425 ****
}
$template->set_var ('delete_option', $deloption);
-
$template->parse ('output', 'comment');
return $template->finish ($template->get_var ('output'));
}
--- 421,426 ----
}
$template->set_var ('delete_option', $deloption);
$template->parse ('output', 'comment');
+
return $template->finish ($template->get_var ('output'));
}
***************
*** 716,719 ****
--- 717,724 ----
$delete_option = TRB_allowDelete ($sid, $type);
+ $token = '';
+ if ($delete_option && ($numrows > 0)) {
+ $token = SEC_createToken();
+ }
for ($i = 0; $i < $numrows; $i++) {
***************
*** 721,725 ****
$comment = TRB_formatComment ($A['url'], $A['title'], $A['blog'],
$A['excerpt'], $A['day'], $delete_option, $A['cid'],
! $A['ipaddress']);
$template->set_var ('formatted_comment', $comment);
$template->parse ('trackback_comments', 'comment', true);
--- 726,730 ----
$comment = TRB_formatComment ($A['url'], $A['title'], $A['blog'],
$A['excerpt'], $A['day'], $delete_option, $A['cid'],
! $A['ipaddress'], $token);
$template->set_var ('formatted_comment', $comment);
$template->parse ('trackback_comments', 'comment', true);
***************
*** 933,937 ****
} else {
$mailsubject = $_CONF['site_name'] . ' ' . $LANG_TRB['trackback'];
- $mailbody .= "\n" . $LANG_TRB['delete_trackback'] . "<" . $_CONF['site_admin_url'] . '/trackback.php?mode=delete&cid=' . $cid . ">\n";
}
--- 938,941 ----