Changeset 5195 for trunk/admin


Timestamp:
Mar 19, 2010, 11:25:39 PM (15 years ago)
Author:
plg
Message:

bug 1328: backport the pwg_token on trunk

bug 1329: backport the check_input_parameter on trunk

feature 1026: add pwg_token feature for edit/delete comment. Heavy refactoring
on this feature to make the code simpler and easier to maintain (I hope).

Location:
trunk/admin
Files:
17 edited

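--- a/trunk/admin/cat_list.php
+++ b/trunk/admin/cat_list.php
@@ -34,4 +34,9 @@
 check_status(ACCESS_ADMINISTRATOR);
 
+if (!empty($_POST) or isset($_GET['delete']))
+{
+  check_pwg_token();
+}
+
 // +-----------------------------------------------------------------------+
 // |                               functions                               |
@@ -65,4 +70,6 @@
 // +-----------------------------------------------------------------------+
 
+check_input_parameter('parent_id', $_GET, false, PATTERN_ID);
+
 $categories = array();
 
@@ -186,4 +193,5 @@
   'CATEGORIES_NAV'=>$navigation,
   'F_ACTION'=>$form_action,
+  'PWG_TOKEN' => get_pwg_token(),
 ));
 
@@ -261,4 +269,5 @@
   {
     $tpl_cat['U_DELETE'] = $self_url.'&delete='.$category['id'];
+    $tpl_cat['U_DELETE'].= '&pwg_token='.get_pwg_token();
   }
 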
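Review bot: The delete link built on new line 271 carries the CSRF token in a GET URL (`$tpl_cat['U_DELETE'].= '&pwg_token='.get_pwg_token();`), so the token lands in server logs, browser history and the Referer header sent to any external resource the resulting page links to. The check itself is adequate for CSRF, but the exposure is avoidable: issue the delete as a small POST form with a hidden `pwg_token` field, as `cat_list.tpl` in this commit already does for its two forms, and make sure `$form_action` (assigned outside the hunk) strips a stale `pwg_token` the way `site_manager.php` does with `get_query_string_diff(array('action','site','pwg_token'))`. The same GET-token pattern appears in `group_list.php`, `site_manager.php`, `plugins_list.php`, `plugins_new.php` and `plugins_update.php`.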
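--- a/trunk/admin/element_set.php
+++ b/trunk/admin/element_set.php
@@ -40,4 +40,6 @@
 check_status(ACCESS_ADMINISTRATOR);
 
+check_input_parameter('selection', $_POST, true, PATTERN_ID);
+
 // +-----------------------------------------------------------------------+
 // |                          caddie management                            |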
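--- a/trunk/admin/element_set_global.php
+++ b/trunk/admin/element_set_global.php
@@ -43,4 +43,9 @@
 // |                         deletion form submission                      |
 // +-----------------------------------------------------------------------+
+
+// the $_POST['selection'] was already checked in element_set.php
+check_input_parameter('del_tags', $_POST, true, PATTERN_ID);
+check_input_parameter('associate', $_POST, false, PATTERN_ID);
+check_input_parameter('dissociate', $_POST, false, PATTERN_ID);
 
 if (isset($_POST['delete']))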
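Review bot: The deletion branch at `if (isset($_POST['delete']))` (new line 51; its body continues outside the hunk) is reached with no `check_pwg_token()` call in this commit, while every other admin page touched here gains one before its form handling; unless a token check already sits earlier in `element_set.php`, the batch-delete form stays CSRF-reachable now that the rest are protected. The pattern from `tags.php` fits: `if (!empty($_POST)) { check_pwg_token(); }` near the top of `element_set.php`, so it also covers this file, plus a hidden `pwg_token` input in the matching template. The comment on new line 46 encodes a cross-file contract; a reciprocal note beside `check_input_parameter('selection', ...)` in `element_set.php`, e.g. `// element_set_global.php relies on this check`, would keep the two from drifting. `picture_modify.php` likewise gains parameter validation but no token check in this changeset.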
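--- a/trunk/admin/group_list.php
+++ b/trunk/admin/group_list.php
@@ -33,4 +33,9 @@
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
+
+if (!empty($_POST) or isset($_GET['delete']) or isset($_GET['toggle_is_default']))
+{
+  check_pwg_token();
+}
 
 // +-----------------------------------------------------------------------+
@@ -156,4 +161,5 @@
     'F_ADD_ACTION' => get_root_url().'admin.php?page=group_list',
     'U_HELP' => get_root_url().'popuphelp.php?page=group_list',
+    'PWG_TOKEN' => get_pwg_token(),
     )
   );
@@ -192,7 +198,7 @@
       'MEMBERS' => l10n_dec('%d member', '%d members', $counter),
       'U_MEMBERS' => $members_url.$row['id'],
-      'U_DELETE' => $del_url.$row['id'],
+      'U_DELETE' => $del_url.$row['id'].'&pwg_token='.get_pwg_token(),
       'U_PERM' => $perm_url.$row['id'],
-      'U_ISDEFAULT' => $toggle_is_default_url.$row['id']
+      'U_ISDEFAULT' => $toggle_is_default_url.$row['id'].'&pwg_token='.get_pwg_token(),
       )
     );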
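--- a/trunk/admin/include/functions.php
+++ b/trunk/admin/include/functions.php
@@ -23,32 +23,4 @@
 
 include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
-
-/**
- * check token comming from form posted or get params to prevent csrf attacks
- * if pwg_token is empty action doesn't require token
- * else pwg_token is compare to server token
- *
- * @return void access denied if token given is not equal to server token
- */
-function check_token()
-{
-  global $conf;
-
-  $valid_token = hash_hmac('md5', session_id(), $conf['secret_key']);
-  $given_token = null;
-
-  if (!empty($_POST['pwg_token']))
-  {
-    $given_token = $_POST['pwg_token'];
-  }
-  elseif (!empty($_GET['pwg_token']))
-  {
-    $given_token = $_GET['pwg_token'];
-  }
-  if ($given_token != $valid_token)
-  {
-    access_denied();   
-  }
-}
 
 // The function delete_site deletes a site and call the function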
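--- a/trunk/admin/include/uploadify/uploadify.php
+++ b/trunk/admin/include/uploadify/uploadify.php
@@ -9,5 +9,5 @@
 include_once(PHPWG_ROOT_PATH.'admin/include/functions_upload.inc.php');
 
-// check_pwg_token();
+check_pwg_token();
 
 ob_start();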
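Review bot: `check_pwg_token()` on new line 11 is the only guard visible in the hunk; a CSRF token shows that the request came from a page that rendered it, not that the caller is an administrator, so unless `check_status(ACCESS_ADMINISTRATOR)` already runs above line 9 the two should be paired, `check_status(ACCESS_ADMINISTRATOR);` directly before the token check. `photos_add_direct.php` posts both `session_id()` and the token to this endpoint, which suggests the session is re-established from a client-supplied id before the token is verified; a comment here stating which session the token is compared against would make that dependency explicit for the next reader.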
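--- a/trunk/admin/photos_add_direct.php
+++ b/trunk/admin/photos_add_direct.php
@@ -31,5 +31,5 @@
 if (isset($_GET['batch']))
 {
-  check_input_parameter('batch', $_GET['batch'], false, '/^\d+(,\d+)*$/');
+  check_input_parameter('batch', $_GET, false, '/^\d+(,\d+)*$/');
 
   $query = '
@@ -348,5 +348,5 @@
       'upload_id' => md5(rand()),
       'session_id' => session_id(),
-      'pwg_token' => '1234abcd5678efgh',// get_pwg_token(),
+      'pwg_token' => get_pwg_token(),
     )
   );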
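Review bot: The pattern `'/^\d+(,\d+)*$/'` on new line 33 ends in `$`, which in PCRE also matches just before a trailing newline, so a `batch` value of `1,2` followed by a newline passes validation before it feeds the `$query` started on line 35; anchor it with `'/^\d+(,\d+)*\z/'` (or add the `D` modifier) so the match runs to the true end of the string. Passing `$_GET` instead of `$_GET['batch']` is the right fix — every other `check_input_parameter` call in this changeset takes the array and the key. In the second hunk, `'upload_id' => md5(rand())` (unchanged context) is predictable; if that id is ever used to authorise access to the upload, it should come from a cryptographic random source rather than `rand()`.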
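--- a/trunk/admin/picture_modify.php
+++ b/trunk/admin/picture_modify.php
@@ -34,4 +34,7 @@
 check_status(ACCESS_ADMINISTRATOR);
 
+check_input_parameter('image_id', $_GET, false, PATTERN_ID);
+check_input_parameter('cat_id', $_GET, false, PATTERN_ID);
+
 // +-----------------------------------------------------------------------+
 // |                          synchronize metadata                         |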
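--- a/trunk/admin/plugins_list.php
+++ b/trunk/admin/plugins_list.php
@@ -33,4 +33,5 @@
 $order = isset($_GET['order']) ? $_GET['order'] : 'name';
 $base_url = get_root_url().'admin.php?page='.$page['page'].'&order='.$order;
+$action_url = $base_url.'&plugin='.'%s'.'&pwg_token='.get_pwg_token();
 
 $plugins = new plugins();
@@ -39,4 +40,6 @@
 if (isset($_GET['action']) and isset($_GET['plugin']) and !is_adviser())
 {
+  check_pwg_token();
+ 
   $page['errors'] = $plugins->perform_action($_GET['action'], $_GET['plugin']);
 
@@ -97,5 +100,5 @@
           'VERSION' => $fs_plugin['version'],
           'DESCRIPTION' => $desc,
-          'U_ACTION' => $base_url.'&plugin='.$plugin_id);
+          'U_ACTION' => sprintf($action_url, $plugin_id));
 
   if (isset($plugins->db_plugins_by_id[$plugin_id]))
@@ -116,6 +119,4 @@
 foreach($missing_plugin_ids as $plugin_id)
 {
-  $action_url = $base_url.'&plugin='.$plugin_id;
-
   $template->append( 'plugins',
       array(
@@ -123,5 +124,5 @@
         'VERSION' => $plugins->db_plugins_by_id[$plugin_id]['version'],
         'DESCRIPTION' => "ERROR: THIS PLUGIN IS MISSING BUT IT IS INSTALLED! UNINSTALL IT NOW !",
-        'U_ACTION' => $base_url.'&plugin='.$plugin_id,
+        'U_ACTION' => sprintf($action_url, $plugin_id),
         'STATE' => 'missing'
       )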
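Review bot: `$action_url` on new line 35 is later used as a `sprintf` format string (new lines 102 and 126), but it is built from `$base_url`, which embeds the unvalidated `$_GET['order']` from line 33; any `%` in that parameter is read as a conversion specifier and yields a mangled URL or, on PHP 8, an `ArgumentCountError`/`ValueError`. Either escape the user-controlled part first, `$action_url = str_replace('%', '%%', $base_url).'&plugin=%s&pwg_token='.get_pwg_token();`, or drop `sprintf` and concatenate `$plugin_id` at both call sites as the old code did. Separately, `$_GET['plugin']` reaches `perform_action()` on line 44 without a `check_input_parameter` call; if the action resolves the plugin directory from that id, validate it against a name pattern first (a constructed example: `'/^[a-zA-Z0-9_-]+$/'`), and the same applies to `$_GET['revision']`/`$_GET['extension']` in `plugins_new.php` and `$_GET['plugin']`/`$_GET['revision']` in `plugins_update.php`, which gain a token check but no parameter validation in this changeset.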
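--- a/trunk/admin/plugins_new.php
+++ b/trunk/admin/plugins_new.php
@@ -39,4 +39,6 @@
 if (isset($_GET['revision']) and isset($_GET['extension']) and !is_adviser())
 {
+  check_pwg_token();
+ 
   $install_status = $plugins->extract_plugin_files('install', $_GET['revision'], $_GET['extension']);
 
@@ -111,5 +113,7 @@
     $url_auto_install = htmlentities($base_url)
       . '&revision=' . $plugin['revision_id']
-      . '&extension=' . $plugin['extension_id'];
+      . '&extension=' . $plugin['extension_id']
+      . '&pwg_token='.get_pwg_token()
+    ;
 
     $template->append('plugins', array(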
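--- a/trunk/admin/plugins_update.php
+++ b/trunk/admin/plugins_update.php
@@ -38,4 +38,6 @@
 if (isset($_GET['plugin']) and isset($_GET['revision']) and !is_adviser())
 {
+  check_pwg_token();
+ 
   $plugin_id = $_GET['plugin'];
   $revision = $_GET['revision'];
@@ -49,4 +51,5 @@
       . '&revision=' . $revision
       . '&plugin=' . $plugin_id
+      . '&pwg_token='.get_pwg_token()
       . '&reactivate=true');
   }
@@ -134,5 +137,7 @@
         $url_auto_update = $base_url
           . '&revision=' . $plugin_info['revision_id']
-          . '&plugin=' . $plugin_id;
+          . '&plugin=' . $plugin_id
+          . '&pwg_token='.get_pwg_token()
+          ;
 
         $template->append('plugins_not_uptodate', array(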
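--- a/trunk/admin/site_manager.php
+++ b/trunk/admin/site_manager.php
@@ -33,4 +33,9 @@
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
+
+if (!empty($_POST) or isset($_GET['action']))
+{
+  check_pwg_token();
+}
 
 /**
@@ -199,9 +204,11 @@
 }
 
-$template->assign( array(
-  'U_HELP'    => get_root_url().'popuphelp.php?page=site_manager',
-  'F_ACTION'  => get_root_url().'admin.php'
-                .get_query_string_diff( array('action','site') )
-  ) );
+$template->assign(
+  array(
+    'U_HELP'    => get_root_url().'popuphelp.php?page=site_manager',
+    'F_ACTION'  => get_root_url().'admin.php'.get_query_string_diff(array('action','site','pwg_token')),
+    'PWG_TOKEN' => get_pwg_token(),
+    )
+  );
 
 // +-----------------------------------------------------------------------+
@@ -243,4 +250,5 @@
   $base_url.= '?page=site_manager';
   $base_url.= '&site='.$row['id'];
+  $base_url.= '&pwg_token='.get_pwg_token();
   $base_url.= '&action=';
 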
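--- a/trunk/admin/tags.php
+++ b/trunk/admin/tags.php
@@ -29,4 +29,9 @@
 include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 check_status(ACCESS_ADMINISTRATOR);
+
+if (!empty($_POST))
+{
+  check_pwg_token();
+}
 
 // +-----------------------------------------------------------------------+
@@ -190,5 +195,6 @@
 $template->assign(
   array(
-    'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags'
+    'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags',
+    'PWG_TOKEN' => get_pwg_token(),
     )
   );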
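--- a/trunk/admin/themes/default/template/cat_list.tpl
+++ b/trunk/admin/themes/default/template/cat_list.tpl
@@ -27,4 +27,5 @@
 
 <form id="addVirtual" action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <p>
     {'Add a virtual category'|@translate} : <input type="text" name="virtual_name">
@@ -39,4 +40,5 @@
 {if count($categories) }
 <form id="categoryOrdering" action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <p>
     <input class="submit" name="submitOrder" type="submit" value="{'Save order'|@translate}" {$TAG_INPUT_ENABLED}>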
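Review bot: `{$PWG_TOKEN}` goes into the `value` attribute unescaped on new lines 29 and 42, and likewise in `group_list.tpl`, `site_manager.tpl` and `tags.tpl`. That is only safe while `get_pwg_token()` returns a plain hex digest — its implementation is not part of this changeset, and the removed `check_token()` in `functions.php` used `hash_hmac('md5', ...)` — so the template should not depend on it: `value="{$PWG_TOKEN|@escape:'html'}"` keeps the attribute well-formed whatever the token format becomes.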
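--- a/trunk/admin/themes/default/template/group_list.tpl
+++ b/trunk/admin/themes/default/template/group_list.tpl
@@ -4,4 +4,5 @@
 
 <form method="post" name="add_user" action="{$F_ADD_ACTION}" class="properties">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <fieldset>
     <legend>{'Add group'|@translate}</legend>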
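--- a/trunk/admin/themes/default/template/site_manager.tpl
+++ b/trunk/admin/themes/default/template/site_manager.tpl
@@ -17,4 +17,5 @@
 {if isset($local_listing.CREATE)}
 <form action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <p>
     {'Create this site'|@translate}:
@@ -64,4 +65,5 @@
 
 <form action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <p>
     <label for="galleries_url" >{'Create a new site : (give its URL to create_listing_file.php)'|@translate}</label>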
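--- a/trunk/admin/themes/default/template/tags.tpl
+++ b/trunk/admin/themes/default/template/tags.tpl
@@ -4,4 +4,5 @@
 
 <form action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
 
   {if isset($EDIT_TAGS_LIST)}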