makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-28 06:08:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge remote-tracking branch 'remotes/nickv/ticket/11310' into develop

Browse source 
# By Joas Schilling
# Via Joas Schilling
* remotes/nickv/ticket/11310:
  [ticket/11310] Add hashes to action links to prevent CSRF attacks
This commit is contained in:
Nathan Guse 2013-03-12 11:41:21 -05:00
commit 04aceaecb6
1 changed files with 15 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
phpBB/includes/acp/acp_styles.php
View file

@ -68,13 +68,20 @@ class acp_styles
$action = $this->request->variable('action', '');
$post_actions = array('install', 'activate', 'deactivate', 'uninstall');
if ($action && in_array($action, $post_actions) && !check_link_hash($request->variable('hash', ''), $action))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
foreach ($post_actions as $key)
{
if (isset($_POST[$key]))
if ($this->request->is_set_post($key))
{
$action = $key;
}
}
if ($action != '')
{
$this->s_hidden_fields['action'] = $action;
@ -921,21 +928,23 @@ class acp_styles
'L_ACTION' => $this->user->lang['DETAILS']
);
// Activate
// Activate/Deactive
$action_name = ($style['style_active'] ? 'de' : '') . 'activate';
$actions[] = array(
'U_ACTION' => $this->u_action . '&action=' . ($style['style_active'] ? 'de' : '') . 'activate&id=' . $style['style_id'],
'U_ACTION' => $this->u_action . '&action=' . $action_name . '&hash=' . generate_link_hash($action_name) . '&id=' . $style['style_id'],
'L_ACTION' => $this->user->lang['STYLE_' . ($style['style_active'] ? 'DE' : '') . 'ACTIVATE']
);
/* // Export
$actions[] = array(
'U_ACTION' => $this->u_action . '&action=export&id=' . $style['style_id'],
'U_ACTION' => $this->u_action . '&action=export&hash=' . generate_link_hash('export') . '&id=' . $style['style_id'],
'L_ACTION' => $this->user->lang['EXPORT']
); */
// Uninstall
$actions[] = array(
'U_ACTION' => $this->u_action . '&action=uninstall&id=' . $style['style_id'],
'U_ACTION' => $this->u_action . '&action=uninstall&hash=' . generate_link_hash('uninstall') . '&id=' . $style['style_id'],
'L_ACTION' => $this->user->lang['STYLE_UNINSTALL']
);
@ -957,7 +966,7 @@ class acp_styles
else
{
$actions[] = array(
'U_ACTION' => $this->u_action . '&action=install&dir=' . urlencode($style['style_path']),
'U_ACTION' => $this->u_action . '&action=install&hash=' . generate_link_hash('install') . '&dir=' . urlencode($style['style_path']),
'L_ACTION' => $this->user->lang['INSTALL_STYLE']
);
}