[geeklog-cvs] Geeklog-1.x/public_html/admin/plugins/calendar index.php, 1.35, 1.36
Dirk Haun
dhaun at qs1489.pair.com
Fri May 23 16:24:59 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/calendar
In directory qs1489.pair.com:/tmp/cvs-serv55791/public_html/admin/plugins/calendar
Modified Files:
index.php
Log Message:
Check the token inside CALENDAR_saveEvent so user can use the back button in case of missing fields
Index: index.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/plugins/calendar/index.php,v
retrieving revision 1.35
retrieving revision 1.36
diff -C2 -d -r1.35 -r1.36
*** index.php 22 May 2008 17:01:54 -0000 1.35
--- index.php 23 May 2008 20:24:57 -0000 1.36
***************
*** 341,358 ****
* Saves an event to the database
*
! * @param string $eid Event ID
! * @param string $title Event Title
! * @param string $url URL for the event
! * @param string $datestart Date the event begins on
! * @param string $dateend Date the event ends on
! * @param string $location Where the event will be held at
! * @param string $description Description about the event
! * @param string $postmode Is this HTML or plain text?
! * @param string $owner_id ID of owner
! * @param string $group_id ID of group event belongs to
! * @param string $perm_owner Permissions the owner has on event
! * @param string $perm_group Permissions the groups has on the event
! * @param string $perm_members Permisssions members have on the event
! * @param string $perm_anon Permissions anonymous users have
* @return string HTML redirect or error message
*
--- 341,345 ----
* Saves an event to the database
*
! * (parameters should be obvious - old list was incomplete anyway)
* @return string HTML redirect or error message
*
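Review bot: The new docblock replaces every `@param` tag with `(parameters should be obvious - old list was incomplete anyway)`, which leaves CALENDAR_saveEvent with no parameter documentation at all; the remedy for an incomplete list is to complete it. I would keep the fourteen tags the old side had (`@param string $eid Event ID` through `@param string $perm_anon Permissions anonymous users have`) and add one line per parameter they were missing, which I cannot name here because the signature lies outside this hunk. The retained `@return string HTML redirect or error message` line is worth keeping as is, since the function now also returns a redirect on the CSRF-failure path.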
***************
*** 519,522 ****
--- 506,515 ----
if (!empty ($eid) AND !empty ($description) AND !empty ($title)) {
+ if (!SEC_checkToken()) {
+ COM_accessLog("User {$_USER['username']} tried to save event $eid and failed CSRF checks.");
+ return COM_refresh($_CONF['site_admin_url']
+ . '/plugins/calendar/index.php');
+ }
+
DB_delete ($_TABLES['eventsubmission'], 'eid', $eid);
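Review bot: The token check sits inside the `!empty ($eid) AND !empty ($description) AND !empty ($title)` branch, so a request missing any of those fields reaches the function's other path (outside this hunk) with no CSRF validation at all; that is acceptable only if that path merely re-renders the form, so it should be confirmed that it performs no write (for instance to `$_TABLES['eventsubmission']`) and does not echo submitted values unescaped. The failure path redirects silently, so the only trace of a rejected request is the `COM_accessLog` line; consider whether the redirect target should be a page that reports the rejection, as the surrounding form-error handling presumably does. That log line interpolates the submitted `$eid` verbatim, and if it has not been constrained to the expected ID characters before this point, control characters in it would land in the access log unchanged — validating or truncating it before logging would close that. CALENDAR_saveEvent begins and ends outside this hunk.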
***************
*** 584,588 ****
$display .= COM_refresh($_CONF['site_admin_url']
. '/plugins/calendar/index.php');
! } elseif(SEC_checkToken()) {
$type = '';
if (isset($_POST['type'])) {
--- 577,581 ----
$display .= COM_refresh($_CONF['site_admin_url']
. '/plugins/calendar/index.php');
! } elseif (SEC_checkToken()) {
$type = '';
if (isset($_POST['type'])) {
***************
*** 594,598 ****
echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
}
! } elseif (($mode == $LANG_ADMIN['save']) && !empty ($LANG_ADMIN['save']) && SEC_checkToken()) {
if (!isset ($_POST['allday'])) {
$_POST['allday'] = '';
--- 587,591 ----
echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
}
! } elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save'])) {
if (!isset ($_POST['allday'])) {
$_POST['allday'] = '';
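Review bot: Removing `&& SEC_checkToken()` from this branch means every statement between this line and the eventual CALENDAR_saveEvent call — starting with `$_POST['allday'] = '';` here and whatever follows beyond the hunk — now executes for a request whose token is missing or invalid; filling defaults is harmless, but any other work on `$_POST` or any output in that stretch would now happen without CSRF validation, so the rest of the branch should be read with that in mind. The dispatch also changes: a save request with a bad token no longer falls past this `elseif`, presumably to the later branches, but enters it and relies on CALENDAR_saveEvent to reject it, which is what the log message intends. That intent is invisible at this line, so I would add `// CSRF token is verified inside CALENDAR_saveEvent so a form with missing fields can be re-displayed` above the `if`. The branch continues past the end of the hunk.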