[geeklog-cvs] geeklog: Removed the CSRF token from all links to edit a comment...
Mon Sep 14 11:47:46 EDT 2009
details: http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/f2e37d3490c9
changeset: 7314:f2e37d3490c9
user: Dirk Haun <dirk at haun-online.de>
date: Mon Sep 14 16:10:32 2009 +0200
description:
Removed the CSRF token from all links to edit a comment. We only need it in the actual comment editor and it caused problems on the moderation page
diffstat:
public_html/admin/moderation.php | 3 +--
public_html/comment.php | 7 ++-----
public_html/docs/history | 2 ++
system/lib-comment.php | 3 +--
4 files changed, 6 insertions(+), 9 deletions(-)
diffs (59 lines):
diff -r 6e95d3d48652 -r f2e37d3490c9 public_html/admin/moderation.php
--- a/public_html/admin/moderation.php Mon Sep 14 14:55:14 2009 +0200
+++ b/public_html/admin/moderation.php Mon Sep 14 16:10:32 2009 +0200
@@ -316,8 +316,7 @@
. '/index.php?mode=editsubmission&id=' . $A[0];
} elseif ($type == 'comment') {
$A['edit'] = $_CONF['site_url'] . '/comment.php'
- . '?mode=editsubmission&cid=' . $A[0] .
- '&' . CSRF_TOKEN . '=' . $token;
+ . '?mode=editsubmission&cid=' . $A[0];
} else {
$A['edit'] = $_CONF['site_admin_url'] . '/' . $type
. '.php?mode=editsubmission&id=' . $A[0];
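Review bot: With the token no longer appended to the comment edit URL, `$token` is not read anywhere in this branch; if it was computed only for that link (its assignment is above the hunk, outside this view), that computation is now dead and should go with it — the same applies to `$token` in the system/lib-comment.php hunk, where the corresponding concatenation was removed. The enclosing if/elseif chain starts and ends outside the hunk. Separately, `$A[0]` is concatenated into the query string as-is; if it is the numeric comment id, casting it at the point of use, `. '?mode=editsubmission&cid=' . (int) $A[0];`, records that assumption and keeps the link well-formed.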
diff -r 6e95d3d48652 -r f2e37d3490c9 public_html/comment.php
--- a/public_html/comment.php Mon Sep 14 14:55:14 2009 +0200
+++ b/public_html/comment.php Mon Sep 14 16:10:32 2009 +0200
@@ -404,15 +404,12 @@
case 'editsubmission':
if (!SEC_hasRights('comment.moderate')) {
+ $display .= COM_refresh($_CONF['site_url'] . '/index.php');
break;
}
// deliberate fall-through
case 'edit':
- if (SEC_checkToken()) {
- $display .= handleEdit($mode);
- } else {
- $display .= COM_refresh($_CONF['site_url'] . '/index.php');
- }
+ $display .= handleEdit($mode);
break;
case 'unsubscribe':
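Review bot: After this change the `edit` case reaches `handleEdit($mode)` with no authorization check visible in the hunk for the comment named by `cid`; the `editsubmission` path keeps its `SEC_hasRights('comment.moderate')` guard, but for `edit` the decision of whether the requester may open this comment's editor now rests entirely on `handleEdit`, which is outside this view. Dropping the token is fine if `handleEdit` only renders the editor after verifying the caller owns (or may moderate) the comment, and the save action still goes through `SEC_checkToken()`; a one-line comment at the call, `// no token needed here: handleEdit only renders the form and checks ownership; the save path is token-checked`, would record that assumption for the next reader — confirm it holds before merging. The `switch` starts and ends outside the hunk.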
diff -r 6e95d3d48652 -r f2e37d3490c9 public_html/docs/history
--- a/public_html/docs/history Mon Sep 14 14:55:14 2009 +0200
+++ b/public_html/docs/history Mon Sep 14 16:10:32 2009 +0200
@@ -3,6 +3,8 @@
Oct ??, 2009 (1.6.1)
------------
+- Removed the CSRF token from all links to edit a comment. We only need it in
+ the actual comment editor and it caused problems on the moderation page [Dirk]
- For anonymous comments, use the anonymous user's name from the database, not
from the language file (cf. bug #0000960) [Dirk]
- The session and password cookies are now created with the HttpOnly flag set
diff -r 6e95d3d48652 -r f2e37d3490c9 system/lib-comment.php
--- a/system/lib-comment.php Mon Sep 14 14:55:14 2009 +0200
+++ b/system/lib-comment.php Mon Sep 14 16:10:32 2009 +0200
@@ -433,8 +433,7 @@
$edit = '';
if ($edit_option) {
$editlink = $_CONF['site_url'] . '/comment.php?mode=edit&cid='
- . $A['cid'] . '&sid=' . $A['sid'] . '&type=' . $type
- . '&' . CSRF_TOKEN . '=' . $token;
+ . $A['cid'] . '&sid=' . $A['sid'] . '&type=' . $type;
$edit = COM_createLink($LANG01[4], $editlink) . ' | ';
}
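Review bot: The edit URL on the new side still splices `$A['sid']` and `$type` into the query string raw; if either value can contain characters outside the URL-safe set, the link breaks or the parameters are mis-parsed, so `. $A['cid'] . '&sid=' . urlencode($A['sid']) . '&type=' . urlencode($type);` is the safe form regardless of where those values originate. Whether `COM_createLink` HTML-escapes the href cannot be seen here; if it does not, the `&` separators should be emitted as `&amp;` for valid markup. The enclosing function starts and ends outside the hunk.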