fixes #1058 prevent CSRF on notification by mail, with a pwg_token

also added some checks to NBM parameters to avoid XSS (minor issue)
plegall
2019-08-12 12:31:24 +02:00
parent fdcb6f50f6
commit 776f8fa186
2 changed files with 17 additions and 14 deletions
+15 -14
@@ -496,12 +496,24 @@ if (!isset($_POST) or (count($_POST) ==0))
// +-----------------------------------------------------------------------+
// | Treatment of tab post |
// +-----------------------------------------------------------------------+
if (!empty($_POST))
{
check_pwg_token();
}
switch ($page['mode'])
{
case 'param' :
{
if (isset($_POST['param_submit']))
{
$_POST['nbm_send_mail_as'] = strip_tags($_POST['nbm_send_mail_as']);
check_input_parameter('nbm_send_html_mail', $_POST, false, '/^(true|false)$/');
check_input_parameter('nbm_send_detailed_content', $_POST, false, '/^(true|false)$/');
check_input_parameter('nbm_send_recent_post_dates', $_POST, false, '/^(true|false)$/');
$updated_param_count = 0;
// Update param
$result = pwg_query('select param, value from '.CONFIG_TABLE.' where param like \'nbm\\_%\'');
@@ -509,17 +521,8 @@ switch ($page['mode'])
{
if (isset($_POST[$nbm_user['param']]))
{
$value = $_POST[$nbm_user['param']];
$query = '
update
'.CONFIG_TABLE.'
set
value = \''. str_replace("\'", "''", $value).'\'
where
param = \''.$nbm_user['param'].'\';';
pwg_query($query);
$updated_param_count += 1;
conf_update_param($nbm_user['param'], $_POST[$nbm_user['param']], true);
$updated_param_count++;
}
}
@@ -527,9 +530,6 @@ where
'%d parameter was updated.', '%d parameters were updated.',
$updated_param_count
);
// Reload conf with new values
load_conf_from_db('param like \'nbm\\_%\'');
}
}
case 'subscribe' :
@@ -574,6 +574,7 @@ $template->assign
(
array
(
'PWG_TOKEN' => get_pwg_token(),
'U_HELP' => get_root_url().'admin/popuphelp.php?page=notification_by_mail',
'F_ACTION'=> $base_url.get_query_string_diff(array())
)
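Review bot: The `strip_tags()` call on `$_POST['nbm_send_mail_as']` at the top of the first hunk reads the key without an `isset()` guard, so a `param_submit` that omits the field raises an undefined-index notice, and it is not a validation step: it only removes tag-shaped text, so quotes and CR/LF survive, which matters if the value is later used as a mail header value or echoed into HTML (its consumer is outside this hunk). Treat it like the three boolean parameters checked just below it and reject control characters up front, e.g. `check_input_parameter('nbm_send_mail_as', $_POST, false, '/^[^\r\n]*$/');` inside an `if (isset($_POST['nbm_send_mail_as']))` block, keeping `strip_tags()` afterwards and relying on output escaping in the template for display. Note also that the update loop in the second hunk stores every `nbm\_%` row that has a matching `$_POST` key via `conf_update_param()`, so any nbm parameter other than the four checked here is still saved unvalidated. The `case 'param'` body and the enclosing `switch` continue outside these hunks.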
@@ -21,6 +21,8 @@ jQuery(document).ready(function(){
</div>
<form method="post" name="notification_by_mail" id="notification_by_mail" action="{$F_ACTION}">
<input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
{if isset($REPOST_SUBMIT_NAME)}
<fieldset>
<div class="infos">