bug 1328: backport the pwg_token on trunk

bug 1329: backport the check_input_parameter on trunk

feature 1026: add pwg_token feature for edit/delete comment. Heavy refactoring
on this feature to make the code simpler and easier to maintain (I hope).

git-svn-id: http://piwigo.org/svn/trunk@5195 68402e56-0260-453c-a942-63ccdbb3a9ee

admin/cat_list.php

@@ -33,6 +33,11 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
 
+if (!empty($_POST) or isset($_GET['delete']))
+{
+  check_pwg_token();
+}
+
 // +-----------------------------------------------------------------------+
 // |                               functions                               |
 // +-----------------------------------------------------------------------+
@@ -64,6 +69,8 @@ function save_categories_order($categories)
 // |                            initialization                             |
 // +-----------------------------------------------------------------------+
 
+check_input_parameter('parent_id', $_GET, false, PATTERN_ID);
+
 $categories = array();
 
 $base_url = get_root_url().'admin.php?page=cat_list';
@@ -185,6 +192,7 @@ if (isset($_GET['parent_id']))
 $template->assign(array(
   'CATEGORIES_NAV'=>$navigation,
   'F_ACTION'=>$form_action,
+  'PWG_TOKEN' => get_pwg_token(),
  ));
 
 // +-----------------------------------------------------------------------+
@@ -260,6 +268,7 @@ foreach ($categories as $category)
   if (empty($category['dir']))
   {
     $tpl_cat['U_DELETE'] = $self_url.'&delete='.$category['id'];
+    $tpl_cat['U_DELETE'].= '&pwg_token='.get_pwg_token();
   }
 
   if ( array_key_exists($category['id'], $categories_with_images) )

admin/element_set.php

@@ -39,6 +39,8 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
 
+check_input_parameter('selection', $_POST, true, PATTERN_ID);
+
 // +-----------------------------------------------------------------------+
 // |                          caddie management                            |
 // +-----------------------------------------------------------------------+

admin/element_set_global.php

@@ -43,6 +43,11 @@ check_status(ACCESS_ADMINISTRATOR);
 // |                         deletion form submission                      |
 // +-----------------------------------------------------------------------+
 
+// the $_POST['selection'] was already checked in element_set.php
+check_input_parameter('del_tags', $_POST, true, PATTERN_ID);
+check_input_parameter('associate', $_POST, false, PATTERN_ID);
+check_input_parameter('dissociate', $_POST, false, PATTERN_ID);
+
 if (isset($_POST['delete']))
 {
   if (isset($_POST['confirm_deletion']) and 1 == $_POST['confirm_deletion'])

admin/group_list.php

@@ -33,6 +33,11 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
 
+if (!empty($_POST) or isset($_GET['delete']) or isset($_GET['toggle_is_default']))
+{
+  check_pwg_token();
+}
+
 // +-----------------------------------------------------------------------+
 // |                             delete a group                            |
 // +-----------------------------------------------------------------------+
@@ -155,6 +160,7 @@ $template->assign(
   array(
     'F_ADD_ACTION' => get_root_url().'admin.php?page=group_list',
     'U_HELP' => get_root_url().'popuphelp.php?page=group_list',
+    'PWG_TOKEN' => get_pwg_token(),
     )
   );
 
@@ -191,9 +197,9 @@ SELECT COUNT(*)
       'IS_DEFAULT' => (get_boolean($row['is_default']) ? ' ['.l10n('default').']' : ''),
       'MEMBERS' => l10n_dec('%d member', '%d members', $counter),
       'U_MEMBERS' => $members_url.$row['id'],
-      'U_DELETE' => $del_url.$row['id'],
+      'U_DELETE' => $del_url.$row['id'].'&pwg_token='.get_pwg_token(),
       'U_PERM' => $perm_url.$row['id'],
-      'U_ISDEFAULT' => $toggle_is_default_url.$row['id']
+      'U_ISDEFAULT' => $toggle_is_default_url.$row['id'].'&pwg_token='.get_pwg_token(),
       )
     );
 }

admin/include/functions.php

@@ -23,34 +23,6 @@
 
 include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
 
-/**
- * check token comming from form posted or get params to prevent csrf attacks
- * if pwg_token is empty action doesn't require token
- * else pwg_token is compare to server token
- *
- * @return void access denied if token given is not equal to server token 
- */
-function check_token()
-{
-  global $conf;
-
-  $valid_token = hash_hmac('md5', session_id(), $conf['secret_key']);
-  $given_token = null;
-
-  if (!empty($_POST['pwg_token']))
-  {
-    $given_token = $_POST['pwg_token'];
-  }
-  elseif (!empty($_GET['pwg_token']))
-  {
-    $given_token = $_GET['pwg_token'];
-  }
-  if ($given_token != $valid_token)
-  {
-    access_denied();    
-  }
-}
-
 // The function delete_site deletes a site and call the function
 // delete_categories for each primary category of the site
 function delete_site( $id )

admin/include/uploadify/uploadify.php

@@ -8,7 +8,7 @@ include_once(PHPWG_ROOT_PATH.'include/common.inc.php');
 include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 include_once(PHPWG_ROOT_PATH.'admin/include/functions_upload.inc.php');
 
-// check_pwg_token();
+check_pwg_token();
 
 ob_start();
 print_r($_FILES);

admin/photos_add_direct.php

@@ -30,7 +30,7 @@ if (!defined('PHOTOS_ADD_BASE_URL'))
 
 if (isset($_GET['batch']))
 {
-  check_input_parameter('batch', $_GET['batch'], false, '/^\d+(,\d+)*$/');
+  check_input_parameter('batch', $_GET, false, '/^\d+(,\d+)*$/');
 
   $query = '
 DELETE FROM '.CADDIE_TABLE.'
@@ -347,7 +347,7 @@ $template->assign(
       'switch_url' => PHOTOS_ADD_BASE_URL.'&upload_mode='.$upload_switch,
       'upload_id' => md5(rand()),
       'session_id' => session_id(),
-      'pwg_token' => '1234abcd5678efgh',// get_pwg_token(),
+      'pwg_token' => get_pwg_token(),
     )
   );
 

admin/picture_modify.php

@@ -33,6 +33,9 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
 
+check_input_parameter('image_id', $_GET, false, PATTERN_ID);
+check_input_parameter('cat_id', $_GET, false, PATTERN_ID);
+
 // +-----------------------------------------------------------------------+
 // |                          synchronize metadata                         |
 // +-----------------------------------------------------------------------+

admin/plugins_list.php

@@ -32,12 +32,15 @@ $template->set_filenames(array('plugins' => 'plugins_list.tpl'));
 
 $order = isset($_GET['order']) ? $_GET['order'] : 'name';
 $base_url = get_root_url().'admin.php?page='.$page['page'].'&order='.$order;
+$action_url = $base_url.'&plugin='.'%s'.'&pwg_token='.get_pwg_token();
 
 $plugins = new plugins();
 
 //--------------------------------------------------perform requested actions
 if (isset($_GET['action']) and isset($_GET['plugin']) and !is_adviser())
 {
+  check_pwg_token();
+  
   $page['errors'] = $plugins->perform_action($_GET['action'], $_GET['plugin']);
 
   if (empty($page['errors']))
@@ -96,7 +99,7 @@ foreach($plugins->fs_plugins as $plugin_id => $fs_plugin)
     array('NAME' => $display_name,
           'VERSION' => $fs_plugin['version'],
           'DESCRIPTION' => $desc,
-          'U_ACTION' => $base_url.'&plugin='.$plugin_id);
+          'U_ACTION' => sprintf($action_url, $plugin_id));
 
   if (isset($plugins->db_plugins_by_id[$plugin_id]))
   {
@@ -115,14 +118,12 @@ $missing_plugin_ids = array_diff(
 
 foreach($missing_plugin_ids as $plugin_id)
 {
-  $action_url = $base_url.'&plugin='.$plugin_id;
-
   $template->append( 'plugins',
       array(
         'NAME' => $plugin_id,
         'VERSION' => $plugins->db_plugins_by_id[$plugin_id]['version'],
         'DESCRIPTION' => "ERROR: THIS PLUGIN IS MISSING BUT IT IS INSTALLED! UNINSTALL IT NOW !",
-        'U_ACTION' => $base_url.'&plugin='.$plugin_id,
+        'U_ACTION' => sprintf($action_url, $plugin_id),
         'STATE' => 'missing'
       )
     );

admin/plugins_new.php

@@ -38,6 +38,8 @@ $plugins = new plugins();
 //------------------------------------------------------automatic installation
 if (isset($_GET['revision']) and isset($_GET['extension']) and !is_adviser())
 {
+  check_pwg_token();
+  
   $install_status = $plugins->extract_plugin_files('install', $_GET['revision'], $_GET['extension']);
 
   redirect($base_url.'&installstatus='.$install_status);
@@ -110,7 +112,9 @@ if ($plugins->get_server_plugins(true))
 
     $url_auto_install = htmlentities($base_url)
       . '&revision=' . $plugin['revision_id']
-      . '&extension=' . $plugin['extension_id'];
+      . '&extension=' . $plugin['extension_id']
+      . '&pwg_token='.get_pwg_token()
+    ;
 
     $template->append('plugins', array(
       'EXT_NAME' => $plugin['extension_name'],

admin/plugins_update.php

@@ -37,6 +37,8 @@ $plugins = new plugins();
 //-----------------------------------------------------------automatic upgrade
 if (isset($_GET['plugin']) and isset($_GET['revision']) and !is_adviser())
 {
+  check_pwg_token();
+  
   $plugin_id = $_GET['plugin'];
   $revision = $_GET['revision'];
 
@@ -48,6 +50,7 @@ if (isset($_GET['plugin']) and isset($_GET['revision']) and !is_adviser())
     redirect($base_url
       . '&revision=' . $revision
       . '&plugin=' . $plugin_id
+      . '&pwg_token='.get_pwg_token()
       . '&reactivate=true');
   }
 
@@ -133,7 +136,9 @@ if ($plugins->get_server_plugins())
         // Plugin need upgrade
         $url_auto_update = $base_url
           . '&revision=' . $plugin_info['revision_id']
-          . '&plugin=' . $plugin_id;
+          . '&plugin=' . $plugin_id
+          . '&pwg_token='.get_pwg_token()
+          ;
 
         $template->append('plugins_not_uptodate', array(
           'EXT_NAME' => $fs_plugin['name'],

admin/site_manager.php

@@ -33,6 +33,11 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
 
+if (!empty($_POST) or isset($_GET['action']))
+{
+  check_pwg_token();
+}
+
 /**
  * requests the given $url (a remote create_listing_file.php) and fills a
  * list of lines corresponding to request output
@@ -198,11 +203,13 @@ SELECT galleries_url
   }
 }
 
-$template->assign( array(
-  'U_HELP'    => get_root_url().'popuphelp.php?page=site_manager',
-  'F_ACTION'  => get_root_url().'admin.php'
-                .get_query_string_diff( array('action','site') )
-  ) );
+$template->assign(
+  array(
+    'U_HELP'    => get_root_url().'popuphelp.php?page=site_manager',
+    'F_ACTION'  => get_root_url().'admin.php'.get_query_string_diff(array('action','site','pwg_token')),
+    'PWG_TOKEN' => get_pwg_token(),
+    )
+  );
 
 // +-----------------------------------------------------------------------+
 // |                           remote sites list                           |
@@ -242,6 +249,7 @@ while ($row = pwg_db_fetch_assoc($result))
   $base_url = PHPWG_ROOT_PATH.'admin.php';
   $base_url.= '?page=site_manager';
   $base_url.= '&site='.$row['id'];
+  $base_url.= '&pwg_token='.get_pwg_token();
   $base_url.= '&action=';
 
   $update_url = PHPWG_ROOT_PATH.'admin.php';

admin/tags.php

@@ -29,6 +29,11 @@ if( !defined("PHPWG_ROOT_PATH") )
 include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 check_status(ACCESS_ADMINISTRATOR);
 
+if (!empty($_POST))
+{
+  check_pwg_token();
+}
+
 // +-----------------------------------------------------------------------+
 // |                                edit tags                              |
 // +-----------------------------------------------------------------------+
@@ -189,7 +194,8 @@ $template->set_filenames(array('tags' => 'tags.tpl'));
 
 $template->assign(
   array(
-    'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags'
+    'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags',
+    'PWG_TOKEN' => get_pwg_token(),
     )
   );
 

admin/themes/default/template/cat_list.tpl

@@ -26,6 +26,7 @@
 <h3>{$CATEGORIES_NAV}</h3>
 
 <form id="addVirtual" action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <p>
     {'Add a virtual category'|@translate} : <input type="text" name="virtual_name">
     <input class="submit" type="submit" value="{'Submit'|@translate}" name="submitAdd" {$TAG_INPUT_ENABLED}>
@@ -38,6 +39,7 @@
 
 {if count($categories) }
 <form id="categoryOrdering" action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <p>
     <input class="submit" name="submitOrder" type="submit" value="{'Save order'|@translate}" {$TAG_INPUT_ENABLED}>
     <input class="submit" name="submitOrderAlphaNum" type="submit" value="{'Order alphanumerically'|@translate}" {$TAG_INPUT_ENABLED}>

admin/themes/default/template/group_list.tpl

@@ -3,6 +3,7 @@
 </div>
 
 <form method="post" name="add_user" action="{$F_ADD_ACTION}" class="properties">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <fieldset>
     <legend>{'Add group'|@translate}</legend>
 

admin/themes/default/template/site_manager.tpl

@@ -16,6 +16,7 @@
 {'A local listing.xml file has been found for '|@translate} {$local_listing.URL}
 {if isset($local_listing.CREATE)}
 <form action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <p>
     {'Create this site'|@translate}:
     <input type="hidden" name="no_check" value="1">
@@ -63,6 +64,7 @@
 {/if}
 
 <form action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <p>
     <label for="galleries_url" >{'Create a new site : (give its URL to create_listing_file.php)'|@translate}</label>
     <input type="text" name="galleries_url" id="galleries_url">

admin/themes/default/template/tags.tpl

@@ -3,6 +3,7 @@
 </div>
 
 <form action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
 
   {if isset($EDIT_TAGS_LIST)}
   <fieldset>