[geeklog-cvs] geeklog: Removed the CSRF token from all links to edit a comment...

geeklog-cvs at lists.geeklog.net geeklog-cvs at lists.geeklog.net
Mon Sep 14 11:47:46 EDT 2009


details:   http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/f2e37d3490c9
changeset: 7314:f2e37d3490c9
user:      Dirk Haun <dirk at haun-online.de>
date:      Mon Sep 14 16:10:32 2009 +0200
description:
Removed the CSRF token from all links to edit a comment. We only need it in the actual comment editor and it caused problems on the moderation page

diffstat:

 public_html/admin/moderation.php |  3 +--
 public_html/comment.php          |  7 ++-----
 public_html/docs/history         |  2 ++
 system/lib-comment.php           |  3 +--
 4 files changed, 6 insertions(+), 9 deletions(-)

diffs (59 lines):

diff -r 6e95d3d48652 -r f2e37d3490c9 public_html/admin/moderation.php
--- a/public_html/admin/moderation.php	Mon Sep 14 14:55:14 2009 +0200
+++ b/public_html/admin/moderation.php	Mon Sep 14 16:10:32 2009 +0200
@@ -316,8 +316,7 @@
                      . '/index.php?mode=editsubmission&id=' . $A[0];
         } elseif ($type == 'comment') {
             $A['edit'] = $_CONF['site_url'] . '/comment.php'
-                    . '?mode=editsubmission&cid=' . $A[0] .
-                    '&' . CSRF_TOKEN . '=' . $token;
+                    . '?mode=editsubmission&cid=' . $A[0];
         } else {
             $A['edit'] = $_CONF['site_admin_url'] . '/' .  $type
                      . '.php?mode=editsubmission&id=' . $A[0];
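Review bot: With the token gone from the `comment` edit link on the new line, `$token` appears to have no remaining reader in this branch; if nothing else in the enclosing function (which starts and ends outside the hunk) uses it, the call that produces it should be dropped too, so a token is not minted for every moderation-page render without ever being emitted. The same leftover check applies to the system/lib-comment.php hunk, where `$token` is removed from `$editlink`. Separately, `$A[0]` is still concatenated raw into the query string; if it is an integer id from the database this is harmless, but `(int) $A[0]` or `urlencode($A[0])` would make that assumption explicit in the URL-building code.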
diff -r 6e95d3d48652 -r f2e37d3490c9 public_html/comment.php
--- a/public_html/comment.php	Mon Sep 14 14:55:14 2009 +0200
+++ b/public_html/comment.php	Mon Sep 14 16:10:32 2009 +0200
@@ -404,15 +404,12 @@
 
 case 'editsubmission':
     if (!SEC_hasRights('comment.moderate')) { 
+        $display .= COM_refresh($_CONF['site_url'] . '/index.php');
         break; 
     }
     // deliberate fall-through
 case 'edit':
-    if (SEC_checkToken()) {
-        $display .= handleEdit($mode);
-    } else {
-        $display .= COM_refresh($_CONF['site_url'] . '/index.php');
-    }
+    $display .= handleEdit($mode);
     break;
 
 case 'unsubscribe':
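Review bot: `handleEdit($mode)` is now reached on a plain GET with no `SEC_checkToken()` call, so the only CSRF protection left for comment editing is whatever the editor form and its save path do, which is outside this diff and should be confirmed before merging (the form must embed a fresh token and the POST handler must verify it, otherwise the removal here widens exposure rather than just moving the check). The new `COM_refresh` line in `editsubmission` changes a silent `break` into a redirect for users lacking `comment.moderate`, which is good, but the reason for the redirect-then-break pairing is not obvious next to the `// deliberate fall-through` comment; a line such as `// no moderation rights: bounce to the front page instead of falling into 'edit'` above it would help. The enclosing `switch` begins and ends outside the hunk.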
diff -r 6e95d3d48652 -r f2e37d3490c9 public_html/docs/history
--- a/public_html/docs/history	Mon Sep 14 14:55:14 2009 +0200
+++ b/public_html/docs/history	Mon Sep 14 16:10:32 2009 +0200
@@ -3,6 +3,8 @@
 Oct ??, 2009 (1.6.1)
 ------------
 
+- Removed the CSRF token from all links to edit a comment. We only need it in
+  the actual comment editor and it caused problems on the moderation page [Dirk]
 - For anonymous comments, use the anonymous user's name from the database, not
   from the language file (cf. bug #0000960) [Dirk]
 - The session and password cookies are now created with the HttpOnly flag set
diff -r 6e95d3d48652 -r f2e37d3490c9 system/lib-comment.php
--- a/system/lib-comment.php	Mon Sep 14 14:55:14 2009 +0200
+++ b/system/lib-comment.php	Mon Sep 14 16:10:32 2009 +0200
@@ -433,8 +433,7 @@
         $edit = '';
         if ($edit_option) {
             $editlink = $_CONF['site_url'] . '/comment.php?mode=edit&cid='
-                . $A['cid'] . '&sid=' . $A['sid'] . '&type=' . $type
-                . '&' . CSRF_TOKEN . '=' . $token;
+                . $A['cid'] . '&sid=' . $A['sid'] . '&type=' . $type;
             $edit = COM_createLink($LANG01[4], $editlink) . ' | ';
         }
 


