gnh1201/seeddms-code
1
0
Fork 0
mirror of https://git.code.sf.net/p/seeddms/code synced 2025-05-20 16:41:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

add csrf protection

Browse Source
This commit is contained in:
Uwe Steinmann 2021-01-25 09:08:12 +01:00
parent 0638dab4f8
commit ef20172f57
2 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
op/op.Settings.php
View File

@ -44,6 +44,11 @@ if (!$user->isAdmin()) {
UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
} }
/* Check if the form data comes from a trusted request */
if(!checkFormKey('savesettings')) {
UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
}
if (isset($_POST["action"])) $action=$_POST["action"]; if (isset($_POST["action"])) $action=$_POST["action"];
else if (isset($_GET["action"])) $action=$_GET["action"]; else if (isset($_GET["action"])) $action=$_GET["action"];
else $action=NULL; else $action=NULL;

1
views/bootstrap/class.Settings.php
View File

@ -254,6 +254,7 @@ class SeedDMS_View_Settings extends SeedDMS_Bootstrap_Style {
?> ?>
<form action="../op/op.Settings.php" method="post" enctype="multipart/form-data" name="form0" > <form action="../op/op.Settings.php" method="post" enctype="multipart/form-data" name="form0" >
<?php echo createHiddenFieldWithKey('savesettings'); ?>
<input type="hidden" name="action" value="saveSettings" /> <input type="hidden" name="action" value="saveSettings" />
<input type="hidden" id="currenttab" name="currenttab" value="<?php echo $currenttab ? $currenttab : 'site'; ?>" /> <input type="hidden" id="currenttab" name="currenttab" value="<?php echo $currenttab ? $currenttab : 'site'; ?>" />
<?php <?php