diff options
author | plegall <plg@piwigo.org> | 2010-03-19 22:25:39 +0000 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2010-03-19 22:25:39 +0000 |
commit | c695136e4d75695178a9fc848a7cf6bfa2b9346c (patch) | |
tree | efba21de4995d7bd6b2f792e6d118a8e6e6bd405 /admin | |
parent | ff7e537e2b4bceaef241096a377d12af4b917c43 (diff) |
bug 1328: backport the pwg_token on trunk
bug 1329: backport the check_input_parameter on trunk
feature 1026: add pwg_token feature for edit/delete comment. Heavy refactoring
on this feature to make the code simpler and easier to maintain (I hope).
git-svn-id: http://piwigo.org/svn/trunk@5195 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'admin')
-rw-r--r-- | admin/cat_list.php | 9 | ||||
-rw-r--r-- | admin/element_set.php | 2 | ||||
-rw-r--r-- | admin/element_set_global.php | 5 | ||||
-rw-r--r-- | admin/group_list.php | 10 | ||||
-rw-r--r-- | admin/include/functions.php | 28 | ||||
-rw-r--r-- | admin/include/uploadify/uploadify.php | 2 | ||||
-rw-r--r-- | admin/photos_add_direct.php | 4 | ||||
-rw-r--r-- | admin/picture_modify.php | 3 | ||||
-rw-r--r-- | admin/plugins_list.php | 9 | ||||
-rw-r--r-- | admin/plugins_new.php | 6 | ||||
-rw-r--r-- | admin/plugins_update.php | 7 | ||||
-rw-r--r-- | admin/site_manager.php | 18 | ||||
-rw-r--r-- | admin/tags.php | 8 | ||||
-rw-r--r-- | admin/themes/default/template/cat_list.tpl | 2 | ||||
-rw-r--r-- | admin/themes/default/template/group_list.tpl | 1 | ||||
-rw-r--r-- | admin/themes/default/template/site_manager.tpl | 2 | ||||
-rw-r--r-- | admin/themes/default/template/tags.tpl | 1 |
17 files changed, 72 insertions, 45 deletions
diff --git a/admin/cat_list.php b/admin/cat_list.php index 7168b3fd0..5aadeb3c2 100644 --- a/admin/cat_list.php +++ b/admin/cat_list.php @@ -33,6 +33,11 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); // +-----------------------------------------------------------------------+ check_status(ACCESS_ADMINISTRATOR); +if (!empty($_POST) or isset($_GET['delete'])) +{ + check_pwg_token(); +} + // +-----------------------------------------------------------------------+ // | functions | // +-----------------------------------------------------------------------+ @@ -64,6 +69,8 @@ function save_categories_order($categories) // | initialization | // +-----------------------------------------------------------------------+ +check_input_parameter('parent_id', $_GET, false, PATTERN_ID); + $categories = array(); $base_url = get_root_url().'admin.php?page=cat_list'; @@ -185,6 +192,7 @@ if (isset($_GET['parent_id'])) $template->assign(array( 'CATEGORIES_NAV'=>$navigation, 'F_ACTION'=>$form_action, + 'PWG_TOKEN' => get_pwg_token(), )); // +-----------------------------------------------------------------------+ @@ -260,6 +268,7 @@ foreach ($categories as $category) if (empty($category['dir'])) { $tpl_cat['U_DELETE'] = $self_url.'&delete='.$category['id']; + $tpl_cat['U_DELETE'].= '&pwg_token='.get_pwg_token(); } if ( array_key_exists($category['id'], $categories_with_images) ) diff --git a/admin/element_set.php b/admin/element_set.php index 49b1b2377..1b5e88719 100644 --- a/admin/element_set.php +++ b/admin/element_set.php @@ -39,6 +39,8 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); // +-----------------------------------------------------------------------+ check_status(ACCESS_ADMINISTRATOR); +check_input_parameter('selection', $_POST, true, PATTERN_ID); + // +-----------------------------------------------------------------------+ // | caddie management | // +-----------------------------------------------------------------------+ diff --git a/admin/element_set_global.php b/admin/element_set_global.php index 113b5b1f8..73cc720b0 100644 --- a/admin/element_set_global.php +++ b/admin/element_set_global.php @@ -43,6 +43,11 @@ check_status(ACCESS_ADMINISTRATOR); // | deletion form submission | // +-----------------------------------------------------------------------+ +// the $_POST['selection'] was already checked in element_set.php +check_input_parameter('del_tags', $_POST, true, PATTERN_ID); +check_input_parameter('associate', $_POST, false, PATTERN_ID); +check_input_parameter('dissociate', $_POST, false, PATTERN_ID); + if (isset($_POST['delete'])) { if (isset($_POST['confirm_deletion']) and 1 == $_POST['confirm_deletion']) diff --git a/admin/group_list.php b/admin/group_list.php index 416d78bb9..7c42d9613 100644 --- a/admin/group_list.php +++ b/admin/group_list.php @@ -33,6 +33,11 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); // +-----------------------------------------------------------------------+ check_status(ACCESS_ADMINISTRATOR); +if (!empty($_POST) or isset($_GET['delete']) or isset($_GET['toggle_is_default'])) +{ + check_pwg_token(); +} + // +-----------------------------------------------------------------------+ // | delete a group | // +-----------------------------------------------------------------------+ @@ -155,6 +160,7 @@ $template->assign( array( 'F_ADD_ACTION' => get_root_url().'admin.php?page=group_list', 'U_HELP' => get_root_url().'popuphelp.php?page=group_list', + 'PWG_TOKEN' => get_pwg_token(), ) ); @@ -191,9 +197,9 @@ SELECT COUNT(*) 'IS_DEFAULT' => (get_boolean($row['is_default']) ? ' ['.l10n('default').']' : ''), 'MEMBERS' => l10n_dec('%d member', '%d members', $counter), 'U_MEMBERS' => $members_url.$row['id'], - 'U_DELETE' => $del_url.$row['id'], + 'U_DELETE' => $del_url.$row['id'].'&pwg_token='.get_pwg_token(), 'U_PERM' => $perm_url.$row['id'], - 'U_ISDEFAULT' => $toggle_is_default_url.$row['id'] + 'U_ISDEFAULT' => $toggle_is_default_url.$row['id'].'&pwg_token='.get_pwg_token(), ) ); } diff --git a/admin/include/functions.php b/admin/include/functions.php index c7b8bf5f1..e3522702f 100644 --- a/admin/include/functions.php +++ b/admin/include/functions.php @@ -23,34 +23,6 @@ include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php'); -/** - * check token comming from form posted or get params to prevent csrf attacks - * if pwg_token is empty action doesn't require token - * else pwg_token is compare to server token - * - * @return void access denied if token given is not equal to server token - */ -function check_token() -{ - global $conf; - - $valid_token = hash_hmac('md5', session_id(), $conf['secret_key']); - $given_token = null; - - if (!empty($_POST['pwg_token'])) - { - $given_token = $_POST['pwg_token']; - } - elseif (!empty($_GET['pwg_token'])) - { - $given_token = $_GET['pwg_token']; - } - if ($given_token != $valid_token) - { - access_denied(); - } -} - // The function delete_site deletes a site and call the function // delete_categories for each primary category of the site function delete_site( $id ) diff --git a/admin/include/uploadify/uploadify.php b/admin/include/uploadify/uploadify.php index eddcc12b0..306b492da 100644 --- a/admin/include/uploadify/uploadify.php +++ b/admin/include/uploadify/uploadify.php @@ -8,7 +8,7 @@ include_once(PHPWG_ROOT_PATH.'include/common.inc.php'); include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); include_once(PHPWG_ROOT_PATH.'admin/include/functions_upload.inc.php'); -// check_pwg_token(); +check_pwg_token(); ob_start(); print_r($_FILES); diff --git a/admin/photos_add_direct.php b/admin/photos_add_direct.php index 4fceb6b12..0c24fc6ef 100644 --- a/admin/photos_add_direct.php +++ b/admin/photos_add_direct.php @@ -30,7 +30,7 @@ if (!defined('PHOTOS_ADD_BASE_URL')) if (isset($_GET['batch'])) { - check_input_parameter('batch', $_GET['batch'], false, '/^\d+(,\d+)*$/'); + check_input_parameter('batch', $_GET, false, '/^\d+(,\d+)*$/'); $query = ' DELETE FROM '.CADDIE_TABLE.' @@ -347,7 +347,7 @@ $template->assign( 'switch_url' => PHOTOS_ADD_BASE_URL.'&upload_mode='.$upload_switch, 'upload_id' => md5(rand()), 'session_id' => session_id(), - 'pwg_token' => '1234abcd5678efgh',// get_pwg_token(), + 'pwg_token' => get_pwg_token(), ) ); diff --git a/admin/picture_modify.php b/admin/picture_modify.php index e33447f70..e61a324e7 100644 --- a/admin/picture_modify.php +++ b/admin/picture_modify.php @@ -33,6 +33,9 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); // +-----------------------------------------------------------------------+ check_status(ACCESS_ADMINISTRATOR); +check_input_parameter('image_id', $_GET, false, PATTERN_ID); +check_input_parameter('cat_id', $_GET, false, PATTERN_ID); + // +-----------------------------------------------------------------------+ // | synchronize metadata | // +-----------------------------------------------------------------------+ diff --git a/admin/plugins_list.php b/admin/plugins_list.php index 2b12f171c..2f0eab1b2 100644 --- a/admin/plugins_list.php +++ b/admin/plugins_list.php @@ -32,12 +32,15 @@ $template->set_filenames(array('plugins' => 'plugins_list.tpl')); $order = isset($_GET['order']) ? $_GET['order'] : 'name'; $base_url = get_root_url().'admin.php?page='.$page['page'].'&order='.$order; +$action_url = $base_url.'&plugin='.'%s'.'&pwg_token='.get_pwg_token(); $plugins = new plugins(); //--------------------------------------------------perform requested actions if (isset($_GET['action']) and isset($_GET['plugin']) and !is_adviser()) { + check_pwg_token(); + $page['errors'] = $plugins->perform_action($_GET['action'], $_GET['plugin']); if (empty($page['errors'])) @@ -96,7 +99,7 @@ foreach($plugins->fs_plugins as $plugin_id => $fs_plugin) array('NAME' => $display_name, 'VERSION' => $fs_plugin['version'], 'DESCRIPTION' => $desc, - 'U_ACTION' => $base_url.'&plugin='.$plugin_id); + 'U_ACTION' => sprintf($action_url, $plugin_id)); if (isset($plugins->db_plugins_by_id[$plugin_id])) { @@ -115,14 +118,12 @@ $missing_plugin_ids = array_diff( foreach($missing_plugin_ids as $plugin_id) { - $action_url = $base_url.'&plugin='.$plugin_id; - $template->append( 'plugins', array( 'NAME' => $plugin_id, 'VERSION' => $plugins->db_plugins_by_id[$plugin_id]['version'], 'DESCRIPTION' => "ERROR: THIS PLUGIN IS MISSING BUT IT IS INSTALLED! UNINSTALL IT NOW !", - 'U_ACTION' => $base_url.'&plugin='.$plugin_id, + 'U_ACTION' => sprintf($action_url, $plugin_id), 'STATE' => 'missing' ) ); diff --git a/admin/plugins_new.php b/admin/plugins_new.php index 8ee9d26ed..a9b15c06b 100644 --- a/admin/plugins_new.php +++ b/admin/plugins_new.php @@ -38,6 +38,8 @@ $plugins = new plugins(); //------------------------------------------------------automatic installation if (isset($_GET['revision']) and isset($_GET['extension']) and !is_adviser()) { + check_pwg_token(); + $install_status = $plugins->extract_plugin_files('install', $_GET['revision'], $_GET['extension']); redirect($base_url.'&installstatus='.$install_status); @@ -110,7 +112,9 @@ if ($plugins->get_server_plugins(true)) $url_auto_install = htmlentities($base_url) . '&revision=' . $plugin['revision_id'] - . '&extension=' . $plugin['extension_id']; + . '&extension=' . $plugin['extension_id'] + . '&pwg_token='.get_pwg_token() + ; $template->append('plugins', array( 'EXT_NAME' => $plugin['extension_name'], diff --git a/admin/plugins_update.php b/admin/plugins_update.php index 4566d8fd9..af8e527cb 100644 --- a/admin/plugins_update.php +++ b/admin/plugins_update.php @@ -37,6 +37,8 @@ $plugins = new plugins(); //-----------------------------------------------------------automatic upgrade if (isset($_GET['plugin']) and isset($_GET['revision']) and !is_adviser()) { + check_pwg_token(); + $plugin_id = $_GET['plugin']; $revision = $_GET['revision']; @@ -48,6 +50,7 @@ if (isset($_GET['plugin']) and isset($_GET['revision']) and !is_adviser()) redirect($base_url . '&revision=' . $revision . '&plugin=' . $plugin_id + . '&pwg_token='.get_pwg_token() . '&reactivate=true'); } @@ -133,7 +136,9 @@ if ($plugins->get_server_plugins()) // Plugin need upgrade $url_auto_update = $base_url . '&revision=' . $plugin_info['revision_id'] - . '&plugin=' . $plugin_id; + . '&plugin=' . $plugin_id + . '&pwg_token='.get_pwg_token() + ; $template->append('plugins_not_uptodate', array( 'EXT_NAME' => $fs_plugin['name'], diff --git a/admin/site_manager.php b/admin/site_manager.php index ee25bd826..595605f59 100644 --- a/admin/site_manager.php +++ b/admin/site_manager.php @@ -33,6 +33,11 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); // +-----------------------------------------------------------------------+ check_status(ACCESS_ADMINISTRATOR); +if (!empty($_POST) or isset($_GET['action'])) +{ + check_pwg_token(); +} + /** * requests the given $url (a remote create_listing_file.php) and fills a * list of lines corresponding to request output @@ -198,11 +203,13 @@ SELECT galleries_url } } -$template->assign( array( - 'U_HELP' => get_root_url().'popuphelp.php?page=site_manager', - 'F_ACTION' => get_root_url().'admin.php' - .get_query_string_diff( array('action','site') ) - ) ); +$template->assign( + array( + 'U_HELP' => get_root_url().'popuphelp.php?page=site_manager', + 'F_ACTION' => get_root_url().'admin.php'.get_query_string_diff(array('action','site','pwg_token')), + 'PWG_TOKEN' => get_pwg_token(), + ) + ); // +-----------------------------------------------------------------------+ // | remote sites list | @@ -242,6 +249,7 @@ while ($row = pwg_db_fetch_assoc($result)) $base_url = PHPWG_ROOT_PATH.'admin.php'; $base_url.= '?page=site_manager'; $base_url.= '&site='.$row['id']; + $base_url.= '&pwg_token='.get_pwg_token(); $base_url.= '&action='; $update_url = PHPWG_ROOT_PATH.'admin.php'; diff --git a/admin/tags.php b/admin/tags.php index 24368bcfb..caade0058 100644 --- a/admin/tags.php +++ b/admin/tags.php @@ -29,6 +29,11 @@ if( !defined("PHPWG_ROOT_PATH") ) include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); check_status(ACCESS_ADMINISTRATOR); +if (!empty($_POST)) +{ + check_pwg_token(); +} + // +-----------------------------------------------------------------------+ // | edit tags | // +-----------------------------------------------------------------------+ @@ -189,7 +194,8 @@ $template->set_filenames(array('tags' => 'tags.tpl')); $template->assign( array( - 'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags' + 'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags', + 'PWG_TOKEN' => get_pwg_token(), ) ); diff --git a/admin/themes/default/template/cat_list.tpl b/admin/themes/default/template/cat_list.tpl index 431845d2a..e80558c9e 100644 --- a/admin/themes/default/template/cat_list.tpl +++ b/admin/themes/default/template/cat_list.tpl @@ -26,6 +26,7 @@ <h3>{$CATEGORIES_NAV}</h3> <form id="addVirtual" action="{$F_ACTION}" method="post"> + <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" /> <p> {'Add a virtual category'|@translate} : <input type="text" name="virtual_name"> <input class="submit" type="submit" value="{'Submit'|@translate}" name="submitAdd" {$TAG_INPUT_ENABLED}> @@ -38,6 +39,7 @@ {if count($categories) } <form id="categoryOrdering" action="{$F_ACTION}" method="post"> + <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" /> <p> <input class="submit" name="submitOrder" type="submit" value="{'Save order'|@translate}" {$TAG_INPUT_ENABLED}> <input class="submit" name="submitOrderAlphaNum" type="submit" value="{'Order alphanumerically'|@translate}" {$TAG_INPUT_ENABLED}> diff --git a/admin/themes/default/template/group_list.tpl b/admin/themes/default/template/group_list.tpl index 6b32da66b..ab74985a4 100644 --- a/admin/themes/default/template/group_list.tpl +++ b/admin/themes/default/template/group_list.tpl @@ -3,6 +3,7 @@ </div> <form method="post" name="add_user" action="{$F_ADD_ACTION}" class="properties"> + <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" /> <fieldset> <legend>{'Add group'|@translate}</legend> diff --git a/admin/themes/default/template/site_manager.tpl b/admin/themes/default/template/site_manager.tpl index 91d888ac0..6dce1fec0 100644 --- a/admin/themes/default/template/site_manager.tpl +++ b/admin/themes/default/template/site_manager.tpl @@ -16,6 +16,7 @@ {'A local listing.xml file has been found for '|@translate} {$local_listing.URL} {if isset($local_listing.CREATE)} <form action="{$F_ACTION}" method="post"> + <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" /> <p> {'Create this site'|@translate}: <input type="hidden" name="no_check" value="1"> @@ -63,6 +64,7 @@ {/if} <form action="{$F_ACTION}" method="post"> + <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" /> <p> <label for="galleries_url" >{'Create a new site : (give its URL to create_listing_file.php)'|@translate}</label> <input type="text" name="galleries_url" id="galleries_url"> diff --git a/admin/themes/default/template/tags.tpl b/admin/themes/default/template/tags.tpl index 3db8417a6..4d7031897 100644 --- a/admin/themes/default/template/tags.tpl +++ b/admin/themes/default/template/tags.tpl @@ -3,6 +3,7 @@ </div> <form action="{$F_ACTION}" method="post"> + <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" /> {if isset($EDIT_TAGS_LIST)} <fieldset> |