merge r20713 from branch 2.4 to trunk
bug 2844: improve security on LocalFiles Editor, add pwg_token to avoid CSRF



git-svn-id: http://piwigo.org/svn/trunk@20715 68402e56-0260-453c-a942-63ccdbb3a9ee
plegall committed Feb 12, 2013
1 parent 8a7952a commit 758f29e
Showing 2 changed files with 4 additions and 0 deletions.
3 changes: 3 additions & 0 deletions plugins/LocalFilesEditor/admin.php
@@ -66,6 +66,8 @@
// +-----------------------------------------------------------------------+
if (isset($_POST['submit']))
{
check_pwg_token();

if (!is_webmaster())
{
array_push($page['errors'], l10n('locfiledit_webmaster_only'));
@@ -140,6 +142,7 @@
$template->assign(array(
'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=plugin-LocalFilesEditor-'.$page['tab'],
'LOCALEDIT_PATH' => LOCALEDIT_PATH,
'PWG_TOKEN' => get_pwg_token(),
'CODEMIRROR_MODE' => @$codemirror_mode
)
);
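Review bot: `check_pwg_token();` is added only at the top of the `if (isset($_POST['submit']))` branch in the first hunk, so the CSRF protection covers that branch alone; because this plugin edits local files, any other branch in admin.php that changes state from request data should be confirmed to call it as well (the rest of the file, including the remainder of this `if` block, is outside the visible hunks, so this is a check to make rather than a confirmed gap). The call is also undocumented: a one-line comment such as `// CSRF guard: validate pwg_token before the permission check and before any file is written` would record why it must stay first in the block. The second hunk's `'PWG_TOKEN' => get_pwg_token(),` and the hidden `pwg_token` field in admin.tpl have to stay in step with it, since a tab that renders the form without that assignment would submit an empty token.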
1 change: 1 addition & 0 deletions plugins/LocalFilesEditor/template/admin.tpl
@@ -27,6 +27,7 @@ if (document.getElementById("text") != null)
</div>

<form method="post" class="properties" action="{$F_ACTION}" ENCTYPE="multipart/form-data" name="form">
<input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">

<div id="LocalFilesEditor">

