adam/Piwigo
1
0
Fork 0
mirror of https://github.com/Piwigo/Piwigo.git synced 2026-06-02 04:15:05 +02:00
Code Issues Packages Projects Releases Wiki Activity

bug 2844: improve security on LocalFiles Editor, add pwg_token to avoid CSRF

Browse Source 
git-svn-id: http://piwigo.org/svn/branches/2.4@20713 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
plegall
2013-02-12 10:11:30 +00:00
parent ff5b60a215
commit 5b07a9bfd2
2 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
plugins/LocalFilesEditor/admin.php
+3
View File
@@ -66,6 +66,8 @@ if (isset($_POST['restore']))
// +-----------------------------------------------------------------------+
if (isset($_POST['submit']))
{
check_pwg_token();
if (!is_webmaster())
{
array_push($page['errors'], l10n('locfiledit_webmaster_only'));
@@ -140,6 +142,7 @@ if (!empty($edited_file))
$template->assign(array(
'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=plugin-LocalFilesEditor-'.$page['tab'],
'LOCALEDIT_PATH' => LOCALEDIT_PATH,
'PWG_TOKEN' => get_pwg_token(),
'CODEMIRROR_MODE' => @$codemirror_mode
)
);
plugins/LocalFilesEditor/template/admin.tpl
+1
View File
@@ -27,6 +27,7 @@ if (document.getElementById("text") != null)
</div>
<form method="post" class="properties" action="{$F_ACTION}" ENCTYPE="multipart/form-data" name="form">
<input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
<div id="LocalFilesEditor">