From 5b07a9bfd268c6516a24b8d657c80b77a9f5526a Mon Sep 17 00:00:00 2001 From: plegall Date: Tue, 12 Feb 2013 10:11:30 +0000 Subject: bug 2844: improve security on LocalFiles Editor, add pwg_token to avoid CSRF git-svn-id: http://piwigo.org/svn/branches/2.4@20713 68402e56-0260-453c-a942-63ccdbb3a9ee --- plugins/LocalFilesEditor/admin.php | 3 +++ plugins/LocalFilesEditor/template/admin.tpl | 1 + 2 files changed, 4 insertions(+) diff --git a/plugins/LocalFilesEditor/admin.php b/plugins/LocalFilesEditor/admin.php index 136e601e7..302bd1223 100644 --- a/plugins/LocalFilesEditor/admin.php +++ b/plugins/LocalFilesEditor/admin.php @@ -66,6 +66,8 @@ if (isset($_POST['restore'])) // +-----------------------------------------------------------------------+ if (isset($_POST['submit'])) { + check_pwg_token(); + if (!is_webmaster()) { array_push($page['errors'], l10n('locfiledit_webmaster_only')); @@ -140,6 +142,7 @@ if (!empty($edited_file)) $template->assign(array( 'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=plugin-LocalFilesEditor-'.$page['tab'], 'LOCALEDIT_PATH' => LOCALEDIT_PATH, + 'PWG_TOKEN' => get_pwg_token(), 'CODEMIRROR_MODE' => @$codemirror_mode ) ); diff --git a/plugins/LocalFilesEditor/template/admin.tpl b/plugins/LocalFilesEditor/template/admin.tpl index 23a5d1975..d79d00028 100644 --- a/plugins/LocalFilesEditor/template/admin.tpl +++ b/plugins/LocalFilesEditor/template/admin.tpl @@ -27,6 +27,7 @@ if (document.getElementById("text") != null)
+
-- cgit v1.2.3