diff --git a/phpBB/adm/style/acp_ext_delete_data.html b/phpBB/adm/style/acp_ext_delete_data.html index bbac22055f..5b38d9b8d0 100644 --- a/phpBB/adm/style/acp_ext_delete_data.html +++ b/phpBB/adm/style/acp_ext_delete_data.html @@ -21,7 +21,7 @@
{L_EXTENSION_DELETE_DATA} - +
diff --git a/phpBB/includes/acp/acp_extensions.php b/phpBB/includes/acp/acp_extensions.php index c5c17cb559..c21c9f4e9d 100644 --- a/phpBB/includes/acp/acp_extensions.php +++ b/phpBB/includes/acp/acp_extensions.php @@ -55,6 +55,11 @@ class acp_extensions $ext_name = ''; } + if (in_array($action, array('enable', 'disable', 'delete_data')) && !check_link_hash($request->variable('hash', ''), $action . '.' . $ext_name)) + { + trigger_error('FORM_INVALID', E_USER_WARNING); + } + // If they've specified an extension, let's load the metadata manager and validate it. if ($ext_name) { @@ -98,7 +103,7 @@ class acp_extensions $template->assign_vars(array( 'PRE' => true, 'L_CONFIRM_MESSAGE' => $this->user->lang('EXTENSION_ENABLE_CONFIRM', $md_manager->get_metadata('display-name')), - 'U_ENABLE' => $this->u_action . '&action=enable&ext_name=' . urlencode($ext_name), + 'U_ENABLE' => $this->u_action . '&action=enable&ext_name=' . urlencode($ext_name) . '&hash=' . generate_link_hash('enable.' . $ext_name), )); break; @@ -117,7 +122,7 @@ class acp_extensions { $template->assign_var('S_NEXT_STEP', true); - meta_refresh(0, $this->u_action . '&action=enable&ext_name=' . urlencode($ext_name)); + meta_refresh(0, $this->u_action . '&action=enable&ext_name=' . urlencode($ext_name) . '&hash=' . generate_link_hash('enable.' . $ext_name)); } } } @@ -144,7 +149,7 @@ class acp_extensions $template->assign_vars(array( 'PRE' => true, 'L_CONFIRM_MESSAGE' => $this->user->lang('EXTENSION_DISABLE_CONFIRM', $md_manager->get_metadata('display-name')), - 'U_DISABLE' => $this->u_action . '&action=disable&ext_name=' . urlencode($ext_name), + 'U_DISABLE' => $this->u_action . '&action=disable&ext_name=' . urlencode($ext_name) . '&hash=' . generate_link_hash('disable.' . $ext_name), )); break; @@ -156,7 +161,7 @@ class acp_extensions { $template->assign_var('S_NEXT_STEP', true); - meta_refresh(0, $this->u_action . '&action=disable&ext_name=' . urlencode($ext_name)); + meta_refresh(0, $this->u_action . '&action=disable&ext_name=' . urlencode($ext_name) . '&hash=' . generate_link_hash('disable.' . $ext_name)); } } @@ -177,7 +182,7 @@ class acp_extensions $template->assign_vars(array( 'PRE' => true, 'L_CONFIRM_MESSAGE' => $this->user->lang('EXTENSION_DELETE_DATA_CONFIRM', $md_manager->get_metadata('display-name')), - 'U_PURGE' => $this->u_action . '&action=delete_data&ext_name=' . urlencode($ext_name), + 'U_PURGE' => $this->u_action . '&action=delete_data&ext_name=' . urlencode($ext_name) . '&hash=' . generate_link_hash('delete_data.' . $ext_name), )); break; @@ -191,7 +196,7 @@ class acp_extensions { $template->assign_var('S_NEXT_STEP', true); - meta_refresh(0, $this->u_action . '&action=delete_data&ext_name=' . urlencode($ext_name)); + meta_refresh(0, $this->u_action . '&action=delete_data&ext_name=' . urlencode($ext_name) . '&hash=' . generate_link_hash('delete_data.' . $ext_name)); } } } diff --git a/tests/functional/extension_acp_test.php b/tests/functional/extension_acp_test.php index 44bb895f67..5d391e42f7 100644 --- a/tests/functional/extension_acp_test.php +++ b/tests/functional/extension_acp_test.php @@ -182,13 +182,34 @@ class phpbb_functional_extension_acp_test extends phpbb_functional_test_case public function test_actions() { + // Access enable page without hash $crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=enable&ext_name=vendor%2Fmoo&sid=' . $this->sid); + $this->assertContainsLang('FORM_INVALID', $crawler->filter('.errorbox')->text()); + + // Correctly submit the enable form + $crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=enable_pre&ext_name=vendor%2Fmoo&sid=' . $this->sid); + $form = $crawler->selectButton('enable')->form(); + $crawler = self::submit($form); $this->assertContainsLang('EXTENSION_ENABLE_SUCCESS', $crawler->filter('.successbox')->text()); + // Access disable page without hash $crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=disable&ext_name=vendor%2Fmoo&sid=' . $this->sid); + $this->assertContainsLang('FORM_INVALID', $crawler->filter('.errorbox')->text()); + + // Correctly submit the disable form + $crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=disable_pre&ext_name=vendor%2Fmoo&sid=' . $this->sid); + $form = $crawler->selectButton('disable')->form(); + $crawler = self::submit($form); $this->assertContainsLang('EXTENSION_DISABLE_SUCCESS', $crawler->filter('.successbox')->text()); + // Access delete_data page without hash $crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=delete_data&ext_name=vendor%2Fmoo&sid=' . $this->sid); + $this->assertContainsLang('FORM_INVALID', $crawler->filter('.errorbox')->text()); + + // Correctly submit the delete data form + $crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=delete_data_pre&ext_name=vendor%2Fmoo&sid=' . $this->sid); + $form = $crawler->selectButton('delete_data')->form(); + $crawler = self::submit($form); $this->assertContainsLang('EXTENSION_DELETE_DATA_SUCCESS', $crawler->filter('.successbox')->text()); } }