[geeklog-cvs] Geeklog-1.x/public_html/admin/plugins/polls index.php, 1.55, 1.56
Dirk Haun
dhaun at qs1489.pair.com
Fri May 23 16:13:32 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/polls
In directory qs1489.pair.com:/tmp/cvs-serv55326/public_html/admin/plugins/polls
Modified Files:
index.php
Log Message:
Check the token inside savepoll so the user can use the back button in case of missing fields
Index: index.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/polls/index.php,v
retrieving revision 1.55
retrieving revision 1.56
diff -C2 -d -r1.55 -r1.56
*** index.php 18 May 2008 16:58:51 -0000 1.55
--- index.php 23 May 2008 20:13:30 -0000 1.56
***************
*** 65,69 ****
global $_CONF, $_TABLES, $_IMAGE_TYPE, $LANG_ADMIN, $LANG25, $LANG_ACCESS;
! require_once( $_CONF['path_system'] . 'lib-admin.php' );
$retval = '';
--- 65,69 ----
global $_CONF, $_TABLES, $_IMAGE_TYPE, $LANG_ADMIN, $LANG25, $LANG_ACCESS;
! require_once $_CONF['path_system'] . 'lib-admin.php';
$retval = '';
***************
*** 82,86 ****
// writing the actual list
! $header_arr = array( # dislay 'text' and use table field 'field'
array('text' => $LANG_ADMIN['edit'], 'field' => 'edit', 'sort' => false),
array('text' => $LANG25[9], 'field' => 'topic', 'sort' => true),
--- 82,86 ----
// writing the actual list
! $header_arr = array( # display 'text' and use table field 'field'
array('text' => $LANG_ADMIN['edit'], 'field' => 'edit', 'sort' => false),
array('text' => $LANG25[9], 'field' => 'topic', 'sort' => true),
***************
*** 120,131 ****
* Saves a poll topic and potential answers to the database
*
! * @param string $pid topic ID
! * @param int $display Flag to indicate if poll appears on homepage
! * @param string $topic The text for the topic
! * @param int $voters Number of votes
* @param int $statuscode (unused)
* @param int $commentcode Indicates if users can comment on poll
* @param array $A Array of possible answers
* @param array $V Array of vote per each answer
* @param int $owner_id ID of poll owner
* @param int $group_id ID of group poll belongs to
--- 120,134 ----
* Saves a poll topic and potential answers to the database
*
! * @param string $pid Poll topic ID
! * @param array $Q Array of poll questions
! * @param string $mainpage Checkbox: poll appears on homepage
! * @param string $topic The text for the topic
* @param int $statuscode (unused)
+ * @param string $open Checkbox: poll open for voting
+ * @param string $hideresults Checkbox: hide results until closed
* @param int $commentcode Indicates if users can comment on poll
* @param array $A Array of possible answers
* @param array $V Array of vote per each answer
+ * @param array $R Array of remark per each answer
* @param int $owner_id ID of poll owner
* @param int $group_id ID of group poll belongs to
***************
*** 137,154 ****
*
*/
! function savepoll ($pid, $Q, $mainpage, $topic, $statuscode, $open, $hideresults,
! $commentcode, $A, $V, $R, $owner_id, $group_id, $perm_owner,
! $perm_group, $perm_members, $perm_anon)
{
! global $_CONF, $_TABLES, $LANG21, $LANG25, $MESSAGE, $_POLL_VERBOSE, $_PO_CONF;
$retval = '';
// Convert array values to numeric permission values
list($perm_owner,$perm_group,$perm_members,$perm_anon) = SEC_getPermissionValues($perm_owner,$perm_group,$perm_members,$perm_anon);
! $pid = COM_sanitizeID ($pid);
! $topic = COM_stripslashes ($topic);
// check if any question was entered
! if (empty ($topic) or (sizeof ($Q) == 0) or strlen ($Q[0]) == 0 or strlen ($A[0][0]) == 0){
$retval .= COM_siteHeader ('menu', $LANG25[5]);
$retval .= COM_startBlock ($LANG21[32], '',
--- 140,162 ----
*
*/
! function savepoll($pid, $Q, $mainpage, $topic, $statuscode, $open, $hideresults,
! $commentcode, $A, $V, $R, $owner_id, $group_id, $perm_owner,
! $perm_group, $perm_members, $perm_anon)
{
! global $_CONF, $_TABLES, $_USER, $LANG21, $LANG25, $MESSAGE, $_POLL_VERBOSE,
! $_PO_CONF;
!
$retval = '';
+
// Convert array values to numeric permission values
list($perm_owner,$perm_group,$perm_members,$perm_anon) = SEC_getPermissionValues($perm_owner,$perm_group,$perm_members,$perm_anon);
! $pid = COM_sanitizeID($pid);
! $topic = COM_stripslashes($topic);
!
// check if any question was entered
! if (empty($topic) or (sizeof($Q) == 0) or (strlen($Q[0]) == 0) or
! (strlen($A[0][0]) == 0)) {
$retval .= COM_siteHeader ('menu', $LANG25[5]);
$retval .= COM_startBlock ($LANG21[32], '',
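Review bot: The missing-fields condition at the end of this hunk reads `$Q[0]` and `$A[0][0]` without checking that they exist; `sizeof($Q) == 0` short-circuits before `$Q[0]`, but nothing guards `$A[0][0]`, so a POST with no answer fields raises an undefined-index notice before the error page is built. Making the guard explicit, `(!isset($A[0][0]) or strlen($A[0][0]) == 0)`, keeps the `strlen` test, which is the right one here because `'0'` is a legitimate answer. The body of savepoll continues past the end of this hunk.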
***************
*** 159,162 ****
--- 167,177 ----
return $retval;
}
+
+ if (!SEC_checkToken()) {
+ COM_accessLog("User {$_USER['username']} tried to save poll $pid and failed CSRF checks.");
+ return COM_refresh($_CONF['site_admin_url']
+ . '/plugins/polls/index.php');
+ }
+
// start processing the poll topic
if ($_POLL_VERBOSE) {
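Review bot: The missing-fields branch that returns just above the new check (`return $retval;` at the top of this hunk) now runs for requests that have not passed SEC_checkToken(); that is the intent of the commit, so the response built there must remain side-effect free and must not echo unescaped form input, and since that block lies outside the hunk I cannot confirm either from here. A comment would stop a later maintainer from moving the check back up: `// Token is checked after field validation on purpose, so a rejected form can be corrected via the back button.` The log line also presumes `$_USER['username']` is populated; in the admin area that is presumably always true, but the message degrades to an empty name otherwise. savepoll continues beyond this hunk.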
***************
*** 512,516 ****
$display .= editpoll ($pid);
$display .= COM_siteFooter ();
! } elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save']) && SEC_checkToken()) {
$pid = COM_applyFilter ($_POST['pid']);
if (!empty ($pid)) {
--- 527,531 ----
$display .= editpoll ($pid);
$display .= COM_siteFooter ();
! } elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save'])) {
$pid = COM_applyFilter ($_POST['pid']);
if (!empty ($pid)) {
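Review bot: Removing SEC_checkToken() from this `elseif` means everything in the save branch before the savepoll() call now runs without a verified token, including `COM_applyFilter($_POST['pid'])` and whatever the `else` side of `if (!empty($pid))` does; the rest of the branch is outside the hunk, so I cannot confirm it performs no writes. If the empty-$pid path does anything beyond re-rendering the form, it needs its own check, e.g. `} elseif (!SEC_checkToken()) { /* log and refresh */ }`; otherwise a comment at this line should record where enforcement moved: `// CSRF token is verified inside savepoll(), after field validation`.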