Index: /trunk/admin/cat_list.php
===================================================================
--- /trunk/admin/cat_list.php (revision 5194)
+++ /trunk/admin/cat_list.php (revision 5195)
@@ -34,4 +34,9 @@
 check_status(ACCESS_ADMINISTRATOR);
+if (!empty($_POST) or isset($_GET['delete']))
+{
+ check_pwg_token();
+}
+
 // +-----------------------------------------------------------------------+
 // | functions |
@@ -65,4 +70,6 @@
 // +-----------------------------------------------------------------------+
+check_input_parameter('parent_id', $_GET, false, PATTERN_ID);
+
 $categories = array();
@@ -186,4 +193,5 @@
 'CATEGORIES_NAV'=>$navigation,
 'F_ACTION'=>$form_action,
+ 'PWG_TOKEN' => get_pwg_token(),
 ));
@@ -261,4 +269,5 @@
 {
 $tpl_cat['U_DELETE'] = $self_url.'&delete='.$category['id'];
+ $tpl_cat['U_DELETE'].= '&pwg_token='.get_pwg_token();
 }
Index: /trunk/admin/element_set.php
===================================================================
--- /trunk/admin/element_set.php (revision 5194)
+++ /trunk/admin/element_set.php (revision 5195)
@@ -40,4 +40,6 @@
 check_status(ACCESS_ADMINISTRATOR);
+check_input_parameter('selection', $_POST, true, PATTERN_ID);
+
 // +-----------------------------------------------------------------------+
 // | caddie management |
Index: /trunk/admin/element_set_global.php
===================================================================
--- /trunk/admin/element_set_global.php (revision 5194)
+++ /trunk/admin/element_set_global.php (revision 5195)
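Review bot: The delete link in the last cat_list.php hunk, `$tpl_cat['U_DELETE'].= '&pwg_token='.get_pwg_token();`, carries the anti-CSRF token in a GET query string, which exposes it through Referer headers, browser history and access logs; the same pattern appears in the U_DELETE/U_ISDEFAULT entries of group_list.php, U_ACTION in plugins_list.php, the auto-install/update URLs in plugins_new.php and plugins_update.php, and $base_url in site_manager.php. How long a leaked token stays usable depends on get_pwg_token()/check_pwg_token(), which are not in this diff; if the token is bound to the session the way the removed check_token() was, a leaked value is good for the rest of that session. Mitigations that keep this commit's structure are to submit destructive actions from a small POST form instead of a link, or at least to have the handler redirect to a token-free URL after acting (as site_manager.php's F_ACTION strips `pwg_token`) and to send a restrictive Referrer-Policy on admin pages. The loop enclosing the U_DELETE line starts outside the hunk.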
@@ -43,4 +43,9 @@
 // | deletion form submission |
 // +-----------------------------------------------------------------------+
+
+// the $_POST['selection'] was already checked in element_set.php
+check_input_parameter('del_tags', $_POST, true, PATTERN_ID);
+check_input_parameter('associate', $_POST, false, PATTERN_ID);
+check_input_parameter('dissociate', $_POST, false, PATTERN_ID);
 if (isset($_POST['delete']))
Index: /trunk/admin/group_list.php
===================================================================
--- /trunk/admin/group_list.php (revision 5194)
+++ /trunk/admin/group_list.php (revision 5195)
@@ -33,4 +33,9 @@
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
+
+if (!empty($_POST) or isset($_GET['delete']) or isset($_GET['toggle_is_default']))
+{
+ check_pwg_token();
+}
 // +-----------------------------------------------------------------------+
@@ -156,4 +161,5 @@
 'F_ADD_ACTION' => get_root_url().'admin.php?page=group_list',
 'U_HELP' => get_root_url().'popuphelp.php?page=group_list',
+ 'PWG_TOKEN' => get_pwg_token(),
 )
 );
@@ -192,7 +198,7 @@
 'MEMBERS' => l10n_dec('%d member', '%d members', $counter),
 'U_MEMBERS' => $members_url.$row['id'],
- 'U_DELETE' => $del_url.$row['id'],
+ 'U_DELETE' => $del_url.$row['id'].'&pwg_token='.get_pwg_token(),
 'U_PERM' => $perm_url.$row['id'],
- 'U_ISDEFAULT' => $toggle_is_default_url.$row['id']
+ 'U_ISDEFAULT' => $toggle_is_default_url.$row['id'].'&pwg_token='.get_pwg_token(),
 )
 );
Index: /trunk/admin/include/functions.php
===================================================================
--- /trunk/admin/include/functions.php (revision 5194)
+++ /trunk/admin/include/functions.php (revision 5195)
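Review bot: Style: in the last group_list.php hunk the U_DELETE and U_ISDEFAULT entries each call get_pwg_token() inside what looks like a per-row loop (the loop header is outside the hunk), so the token is recomputed twice for every group, whereas plugins_list.php in this same commit hoists it into $action_url once. Compute it before the loop, `$pwg_token = get_pwg_token();`, and concatenate `$pwg_token` in both entries; the U_DELETE line in cat_list.php has the same shape. Whether get_pwg_token() is cheap enough for this not to matter is not visible here, but the hoisted form also makes it obvious that every link on the page shares one token.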
@@ -23,32 +23,4 @@
 include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
-
-/**
- * check token comming from form posted or get params to prevent csrf attacks
- * if pwg_token is empty action doesn't require token
- * else pwg_token is compare to server token
- *
- * @return void access denied if token given is not equal to server token
- */
-function check_token()
-{
- global $conf;
-
- $valid_token = hash_hmac('md5', session_id(), $conf['secret_key']);
- $given_token = null;
-
- if (!empty($_POST['pwg_token']))
- {
- $given_token = $_POST['pwg_token'];
- }
- elseif (!empty($_GET['pwg_token']))
- {
- $given_token = $_GET['pwg_token'];
- }
- if ($given_token != $valid_token)
- {
- access_denied();
- }
-}
 // The function delete_site deletes a site and call the function
Index: /trunk/admin/include/uploadify/uploadify.php
===================================================================
--- /trunk/admin/include/uploadify/uploadify.php (revision 5194)
+++ /trunk/admin/include/uploadify/uploadify.php (revision 5195)
@@ -9,5 +9,5 @@
 include_once(PHPWG_ROOT_PATH.'admin/include/functions_upload.inc.php');
-// check_pwg_token();
+check_pwg_token();
 ob_start();
Index: /trunk/admin/photos_add_direct.php
===================================================================
--- /trunk/admin/photos_add_direct.php (revision 5194)
+++ /trunk/admin/photos_add_direct.php (revision 5195)
@@ -31,5 +31,5 @@
 if (isset($_GET['batch']))
 {
- check_input_parameter('batch', $_GET['batch'], false, '/^\d+(,\d+)*$/');
+ check_input_parameter('batch', $_GET, false, '/^\d+(,\d+)*$/');
 $query = '
@@ -348,5 +348,5 @@
 'upload_id' => md5(rand()),
 'session_id' => session_id(),
- 'pwg_token' => '1234abcd5678efgh',// get_pwg_token(),
+ 'pwg_token' => get_pwg_token(),
 )
 );
Index: /trunk/admin/picture_modify.php
===================================================================
--- /trunk/admin/picture_modify.php (revision 5194)
+++ /trunk/admin/picture_modify.php (revision 5195)
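Review bot: The `check_pwg_token();` now enabled in uploadify.php depends on the uploader's session being active at that point, and nothing in the hunk shows it being established. photos_add_direct.php hands the uploader `'session_id' => session_id()` next to the token, which suggests the upload request does not carry the browser's session cookie; if the session is not restored from the posted session_id before this line, the check would run against an empty or fresh session and reject every upload, so confirm the ordering in this file. A comment above the call, `// token is bound to the uploader's session; the session must be active here`, would make that dependency explicit for the next reader.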
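Review bot: In the second photos_add_direct.php hunk the neighbouring context line `'upload_id' => md5(rand())` still derives the upload identifier from rand(), which is not a cryptographic generator, even though the placeholder token on the next lines was just replaced by a real one. If upload_id is used server-side to name or look up temporary upload data (not visible here), a predictable identifier lets one upload session collide with or reference another; generating it from a CSPRNG source (`openssl_random_pseudo_bytes()`, or `random_bytes()` where PHP 7+ is available) removes that guesswork. The change is one line and does not affect the token fix.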
@@ -34,4 +34,7 @@
 check_status(ACCESS_ADMINISTRATOR);
+check_input_parameter('image_id', $_GET, false, PATTERN_ID);
+check_input_parameter('cat_id', $_GET, false, PATTERN_ID);
+
 // +-----------------------------------------------------------------------+
 // | synchronize metadata |
Index: /trunk/admin/plugins_list.php
===================================================================
--- /trunk/admin/plugins_list.php (revision 5194)
+++ /trunk/admin/plugins_list.php (revision 5195)
@@ -33,4 +33,5 @@
 $order = isset($_GET['order']) ? $_GET['order'] : 'name';
 $base_url = get_root_url().'admin.php?page='.$page['page'].'&order='.$order;
+$action_url = $base_url.'&plugin='.'%s'.'&pwg_token='.get_pwg_token();
 $plugins = new plugins();
@@ -39,4 +40,6 @@
 if (isset($_GET['action']) and isset($_GET['plugin']) and !is_adviser())
 {
+ check_pwg_token();
+
 $page['errors'] = $plugins->perform_action($_GET['action'], $_GET['plugin']);
@@ -97,5 +100,5 @@
 'VERSION' => $fs_plugin['version'],
 'DESCRIPTION' => $desc,
- 'U_ACTION' => $base_url.'&plugin='.$plugin_id);
+ 'U_ACTION' => sprintf($action_url, $plugin_id));
 if (isset($plugins->db_plugins_by_id[$plugin_id]))
@@ -116,6 +119,4 @@
 foreach($missing_plugin_ids as $plugin_id)
 {
- $action_url = $base_url.'&plugin='.$plugin_id;
-
 $template->append( 'plugins', array(
@@ -123,5 +124,5 @@
 'VERSION' => $plugins->db_plugins_by_id[$plugin_id]['version'],
 'DESCRIPTION' => "ERROR: THIS PLUGIN IS MISSING BUT IT IS INSTALLED! UNINSTALL IT NOW !",
- 'U_ACTION' => $base_url.'&plugin='.$plugin_id,
+ 'U_ACTION' => sprintf($action_url, $plugin_id),
 'STATE' => 'missing'
 )
Index: /trunk/admin/plugins_new.php
===================================================================
--- /trunk/admin/plugins_new.php (revision 5194)
+++ /trunk/admin/plugins_new.php (revision 5195)
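Review bot: `$action_url = $base_url.'&plugin='.'%s'.'&pwg_token='.get_pwg_token();` in the first plugins_list.php hunk turns a string that embeds the unvalidated `$order` from $_GET (two lines above) into a sprintf format, and the `sprintf($action_url, $plugin_id)` calls in the third and fifth hunks of this file will then treat any `%` in the order parameter as a conversion specifier — a stray `%s` consumes $plugin_id and shifts the link, and a malformed specifier produces a warning or, on newer PHP, a ValueError. Either escape the prefix, `$action_url = str_replace('%', '%%', $base_url).'&plugin=%s&pwg_token='.get_pwg_token();`, or validate `order` against the accepted sort keys with check_input_parameter() as this commit does for the other $_GET values. Separately, $order also flows into the rendered U_ACTION URL unescaped; whether the template layer escapes it is not visible here.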
@@ -39,4 +39,6 @@
 if (isset($_GET['revision']) and isset($_GET['extension']) and !is_adviser())
 {
+ check_pwg_token();
+
 $install_status = $plugins->extract_plugin_files('install', $_GET['revision'], $_GET['extension']);
@@ -111,5 +113,7 @@
 $url_auto_install = htmlentities($base_url)
 . '&revision=' . $plugin['revision_id']
- . '&extension=' . $plugin['extension_id'];
+ . '&extension=' . $plugin['extension_id']
+ . '&pwg_token='.get_pwg_token()
+ ;
 $template->append('plugins', array(
Index: /trunk/admin/plugins_update.php
===================================================================
--- /trunk/admin/plugins_update.php (revision 5194)
+++ /trunk/admin/plugins_update.php (revision 5195)
@@ -38,4 +38,6 @@
 if (isset($_GET['plugin']) and isset($_GET['revision']) and !is_adviser())
 {
+ check_pwg_token();
+
 $plugin_id = $_GET['plugin'];
 $revision = $_GET['revision'];
@@ -49,4 +51,5 @@
 . '&revision=' . $revision
 . '&plugin=' . $plugin_id
+ . '&pwg_token='.get_pwg_token()
 . '&reactivate=true');
 }
@@ -134,5 +137,7 @@
 $url_auto_update = $base_url
 . '&revision=' . $plugin_info['revision_id']
- . '&plugin=' . $plugin_id;
+ . '&plugin=' . $plugin_id
+ . '&pwg_token='.get_pwg_token()
+ ;
 $template->append('plugins_not_uptodate', array(
Index: /trunk/admin/site_manager.php
===================================================================
--- /trunk/admin/site_manager.php (revision 5194)
+++ /trunk/admin/site_manager.php (revision 5195)
@@ -33,4 +33,9 @@
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
+
+if (!empty($_POST) or isset($_GET['action']))
+{
+ check_pwg_token();
+}
 /**
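Review bot: `$_GET['revision']` and `$_GET['extension']` in the first plugins_new.php hunk still reach extract_plugin_files() without any shape check, while the other request ids touched by this commit (cat_list.php, picture_modify.php, element_set*.php) get a check_input_parameter() guard; `$_GET['plugin']` and `$_GET['revision']` in the first plugins_update.php hunk are in the same position. The values are built from `revision_id`/`extension_id` in the second hunk, which look numeric, so `check_input_parameter('revision', $_GET, false, PATTERN_ID);` and `check_input_parameter('extension', $_GET, false, PATTERN_ID);` placed before the `if` would match the rest of the commit; the plugin identifier in plugins_update.php is a directory name and needs its own pattern, whose valid form is not visible here. The CSRF check inside the `if` is fine as is, but validation should precede the first use of the values, and the `if` body continues past the hunk.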
@@ -199,9 +204,11 @@
 }
-$template->assign( array(
- 'U_HELP' => get_root_url().'popuphelp.php?page=site_manager',
- 'F_ACTION' => get_root_url().'admin.php'
- .get_query_string_diff( array('action','site') )
- ) );
+$template->assign(
+ array(
+ 'U_HELP' => get_root_url().'popuphelp.php?page=site_manager',
+ 'F_ACTION' => get_root_url().'admin.php'.get_query_string_diff(array('action','site','pwg_token')),
+ 'PWG_TOKEN' => get_pwg_token(),
+ )
+ );
 // +-----------------------------------------------------------------------+
@@ -243,4 +250,5 @@
 $base_url.= '?page=site_manager';
 $base_url.= '&site='.$row['id'];
+ $base_url.= '&pwg_token='.get_pwg_token();
 $base_url.= '&action=';
Index: /trunk/admin/tags.php
===================================================================
--- /trunk/admin/tags.php (revision 5194)
+++ /trunk/admin/tags.php (revision 5195)
@@ -29,4 +29,9 @@
 include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 check_status(ACCESS_ADMINISTRATOR);
+
+if (!empty($_POST))
+{
+ check_pwg_token();
+}
 // +-----------------------------------------------------------------------+
@@ -190,5 +195,6 @@
 $template->assign(
 array(
- 'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags'
+ 'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags',
+ 'PWG_TOKEN' => get_pwg_token(),
 )
 );
Index: /trunk/admin/themes/default/template/cat_list.tpl
===================================================================
--- /trunk/admin/themes/default/template/cat_list.tpl (revision 5194)
+++ /trunk/admin/themes/default/template/cat_list.tpl (revision 5195)
@@ -27,4 +27,5 @@