Changeset 20713


Timestamp: Feb 12, 2013, 11:11:30 AM (11 years ago)
Author: plg
Message: bug 2844: improve security on LocalFiles Editor, add pwg_token to avoid CSRF
Location: branches/2.4/plugins/LocalFilesEditor
Files: 2 edited

  • branches/2.4/plugins/LocalFilesEditor/admin.php

    r20712 r20713  
    6767if (isset($_POST['submit']))
    6868{
     69  check_pwg_token();
     70
    6971  if (!is_webmaster())
    7072  {
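
Review bot: check_pwg_token() at new line 69 is only reached when $_POST['submit'] is set, so it protects this one handler and nothing else in admin.php. The hunk does not show the rest of the file; if any other request parameter triggers a write or a restore outside this block, that path still accepts forged requests, so please confirm there is none or move the call to the point where state-changing input is first read. Calling it ahead of is_webmaster() is fine, since a forged request is rejected before any permission logic runs, but a short comment saying the order is intentional would help.
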
     
    141143  'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=plugin-LocalFilesEditor-'.$page['tab'],
    142144  'LOCALEDIT_PATH' => LOCALEDIT_PATH,
     145  'PWG_TOKEN' => get_pwg_token(),
    143146  'CODEMIRROR_MODE' => @$codemirror_mode
    144147  )
  • branches/2.4/plugins/LocalFilesEditor/template/admin.tpl

    r20712 r20713  
    2828
    2929<form method="post" class="properties" action="{$F_ACTION}" ENCTYPE="multipart/form-data" name="form">
     30<input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
    3031
    3132<div id="LocalFilesEditor">
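
Review bot: the hidden field at new line 30 writes {$PWG_TOKEN} into a quoted attribute with no escape modifier. That is safe only while get_pwg_token() returns characters that cannot close the attribute, which this diff does not show; either state that assumption in a template comment or apply the engine's escaping (for example {$PWG_TOKEN|escape}, assuming this template is rendered by Smarty) so the field stays safe if the token format changes. The field name pwg_token also has to match what check_pwg_token() reads on the server side, so it is worth mentioning that coupling next to the input.
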