author | Tristan Darricau <github@nicofuma.fr> | 2016-09-18 21:14:47 +0200 |
committer | Tristan Darricau <github@nicofuma.fr> | 2016-09-18 21:14:47 +0200 |
commit | 19bbbfe0f3e9898f2ee8d8d392ecf2584dafce86 (patch) | |
tree | c6ee9901bdf6f8bd405d3bcd563a9cab8d8a7392 | |
parent | 47d2f34a1b9008332bcd27d5e855f1fc05ff1ab2 (diff) | |
parent | bc08813866a4496b88777a5d152f601ac521fef1 (diff) | |
Merge branch '3.1.x' into 3.2.x
* 3.1.x:
[ticket/14789] Add form tokens to tests and uncomment add_form_key
[ticket/14789] Add link hashes and form tokens to all acp links/buttons
-rw-r--r-- | phpBB/includes/acp/acp_database.php | 8 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_icons.php | 18 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_language.php | 7 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_modules.php | 30 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_permission_roles.php | 9 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_profile.php | 29 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_reasons.php | 9 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_search.php | 16 | ||||
-rw-r--r-- | tests/functional/search/base.php | 8 |
9 files changed, 118 insertions, 16 deletions
diff --git a/phpBB/includes/acp/acp_database.php b/phpBB/includes/acp/acp_database.php index c9d24f9254..982310fb05 100644 --- a/phpBB/includes/acp/acp_database.php +++ b/phpBB/includes/acp/acp_database.php @@ -38,6 +38,14 @@ class acp_database $action = $request->variable('action', ''); + $form_key = 'acp_database'; + add_form_key($form_key); + + if ($submit && !check_form_key($form_key)) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $template->assign_vars(array( 'MODE' => $mode )); diff --git a/phpBB/includes/acp/acp_icons.php b/phpBB/includes/acp/acp_icons.php index 0293dca9d3..bea8da221c 100644 --- a/phpBB/includes/acp/acp_icons.php +++ b/phpBB/includes/acp/acp_icons.php @@ -40,6 +40,15 @@ class acp_icons $action = (isset($_POST['edit'])) ? 'edit' : $action; $action = (isset($_POST['import'])) ? 'import' : $action; $icon_id = $request->variable('id', 0); + $submit = $request->is_set_post('submit', false); + + $form_key = 'acp_icons'; + add_form_key($form_key); + + if ($submit && !check_form_key($form_key)) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } $mode = ($mode == 'smilies') ? 'smilies' : 'icons'; @@ -822,6 +831,11 @@ class acp_icons case 'move_up': case 'move_down': + if (!check_link_hash($request->variable('hash', ''), 'acp_icons')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + // Get current order id... $sql = "SELECT {$fields}_order as current_order FROM $table 
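Review bot: The new form-key check in acp_database runs only when `$submit` is set, so any `action` value that a handler acts on without the submit button would still run unverified; `$submit` is assigned above the hunk, so I cannot confirm from here that every mutating branch requires it. The same `$submit &&` gate is used in the first acp_icons hunk and in the first acp_search hunk. If such a branch exists, gate on the action rather than the button, as the second acp_search hunk already does, e.g. `if (in_array($action, array('download', 'submit'), true) && !check_form_key($form_key))` with the real action names substituted. The enclosing `main()` starts and ends outside the hunk.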
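Review bot: `$request->is_set_post('submit', false)` passes a second argument that, as far as I recall, `is_set_post()` does not declare (it takes only the variable name), so the `false` is silently ignored and reads as if it were a default value. `$submit = $request->is_set_post('submit');` is the intended call; the same form appears in the second acp_search hunk. Worth confirming against the request class signature before merging.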
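Review bot: The `check_link_hash(...)` / `trigger_error($user->lang['FORM_INVALID'] . adm_back_link(...), E_USER_WARNING)` block introduced in the acp_icons `move_up`/`move_down` case is repeated verbatim in acp_language, acp_modules (twice), acp_permission_roles, acp_profile (three times) and acp_reasons, differing only in the hash key and the back link. A small shared helper next to `adm_back_link()`, taking the key and the back-link URL, would keep the check in one place and make it harder to omit on the next action that gains a link hash. The `switch` on `$action` that this case belongs to starts outside the hunk.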
@@ -941,8 +955,8 @@ class acp_icons 'EMOTION' => (isset($row['emotion'])) ? $row['emotion'] : '', 'U_EDIT' => $this->u_action . '&action=edit&id=' . $row[$fields . '_id'], 'U_DELETE' => $this->u_action . '&action=delete&id=' . $row[$fields . '_id'], - 'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row[$fields . '_id'] . '&start=' . $pagination_start, - 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row[$fields . '_id'] . '&start=' . $pagination_start, + 'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row[$fields . '_id'] . '&start=' . $pagination_start . '&hash=' . generate_link_hash('acp_icons'), + 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row[$fields . '_id'] . '&start=' . $pagination_start . '&hash=' . generate_link_hash('acp_icons'), )); if (!$spacer && !$row['display_on_posting']) diff --git a/phpBB/includes/acp/acp_language.php b/phpBB/includes/acp/acp_language.php index 03172e475a..4baff921b6 100644 --- a/phpBB/includes/acp/acp_language.php +++ b/phpBB/includes/acp/acp_language.php @@ -244,6 +244,11 @@ class acp_language break; case 'install': + if (!check_link_hash($request->variable('hash', ''), 'acp_language')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $lang_iso = $request->variable('iso', ''); $lang_iso = basename($lang_iso); @@ -405,7 +410,7 @@ class acp_language 'ISO' => htmlspecialchars($lang_ary['iso']), 'LOCAL_NAME' => htmlspecialchars($lang_ary['local_name'], ENT_COMPAT, 'UTF-8'), 'NAME' => htmlspecialchars($lang_ary['name'], ENT_COMPAT, 'UTF-8'), - 'U_INSTALL' => $this->u_action . '&action=install&iso=' . urlencode($lang_ary['iso'])) + 'U_INSTALL' => $this->u_action . '&action=install&iso=' . urlencode($lang_ary['iso']) . '&hash=' . generate_link_hash('acp_language')) ); } } diff --git a/phpBB/includes/acp/acp_modules.php b/phpBB/includes/acp/acp_modules.php index d3ecffe81e..4d90b2da8b 100644 
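Review bot: `generate_link_hash('acp_icons')` is evaluated twice per row in the listing loop (once for `U_MOVE_UP`, once for `U_MOVE_DOWN`) although its value is constant for the request; compute it once before the loop, `$link_hash = generate_link_hash('acp_icons');`, and concatenate `'&hash=' . $link_hash` in the row. The same per-row recomputation appears in the acp_modules, acp_permission_roles, acp_profile and acp_reasons listing hunks, with four calls per row in acp_modules. The loop these assignments sit in starts outside the hunk.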
--- a/phpBB/includes/acp/acp_modules.php +++ b/phpBB/includes/acp/acp_modules.php @@ -50,6 +50,9 @@ class acp_modules $user->add_lang('acp/modules'); $this->tpl_name = 'acp_modules'; + $form_key = 'acp_modules'; + add_form_key($form_key); + // module class $this->module_class = $mode; @@ -130,6 +133,11 @@ class acp_modules trigger_error($user->lang['NO_MODULE_ID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING); } + if (!check_link_hash($request->variable('hash', ''), 'acp_modules')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING); + } + $sql = 'SELECT * FROM ' . MODULES_TABLE . " WHERE module_class = '" . $db->sql_escape($this->module_class) . "' @@ -161,6 +169,11 @@ class acp_modules trigger_error($user->lang['NO_MODULE_ID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING); } + if (!check_link_hash($request->variable('hash', ''), 'acp_modules')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING); + } + $sql = 'SELECT * FROM ' . MODULES_TABLE . " WHERE module_class = '" . $db->sql_escape($this->module_class) . "' @@ -305,6 +318,11 @@ class acp_modules if ($submit) { + if (!check_form_key($form_key)) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING); + } + if (!$module_data['module_langname']) { trigger_error($user->lang['NO_MODULE_LANGNAME'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING); 
@@ -506,12 +524,12 @@ class acp_modules 'S_ACP_MODULE_MANAGEMENT' => ($this->module_class == 'acp' && ($row['module_basename'] == 'modules' || $row['module_langname'] == 'ACP_MODULE_MANAGEMENT')) ? true : false, 'U_MODULE' => $this->u_action . '&parent_id=' . $row['module_id'], - 'U_MOVE_UP' => $url . '&action=move_up', - 'U_MOVE_DOWN' => $url . '&action=move_down', + 'U_MOVE_UP' => $url . '&action=move_up&hash=' . generate_link_hash('acp_modules'), + 'U_MOVE_DOWN' => $url . '&action=move_down&hash=' . generate_link_hash('acp_modules'), 'U_EDIT' => $url . '&action=edit', 'U_DELETE' => $url . '&action=delete', - 'U_ENABLE' => $url . '&action=enable', - 'U_DISABLE' => $url . '&action=disable') + 'U_ENABLE' => $url . '&action=enable&hash=' . generate_link_hash('acp_modules'), + 'U_DISABLE' => $url . '&action=disable&hash=' . generate_link_hash('acp_modules')) ); } while ($row = $db->sql_fetchrow($result)); @@ -538,8 +556,8 @@ class acp_modules 'U_EDIT' => $url . '&action=edit', 'U_DELETE' => $url . '&action=delete', - 'U_ENABLE' => $url . '&action=enable', - 'U_DISABLE' => $url . '&action=disable') + 'U_ENABLE' => $url . '&action=enable&hash=' . generate_link_hash('acp_modules'), + 'U_DISABLE' => $url . '&action=disable&hash=' . generate_link_hash('acp_modules')) ); } $db->sql_freeresult($result); diff --git a/phpBB/includes/acp/acp_permission_roles.php b/phpBB/includes/acp/acp_permission_roles.php index 93aca295d7..0bfe67830f 100644 --- a/phpBB/includes/acp/acp_permission_roles.php +++ b/phpBB/includes/acp/acp_permission_roles.php @@ -367,6 +367,11 @@ class acp_permission_roles case 'move_up': case 'move_down': + if (!check_link_hash($request->variable('hash', ''), 'acp_permission_roles')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $sql = 'SELECT role_order FROM ' . ACL_ROLES_TABLE . " WHERE role_id = $role_id"; 
@@ -441,8 +446,8 @@ class acp_permission_roles 'U_EDIT' => $this->u_action . '&action=edit&role_id=' . $row['role_id'], 'U_REMOVE' => $this->u_action . '&action=remove&role_id=' . $row['role_id'], - 'U_MOVE_UP' => $this->u_action . '&action=move_up&role_id=' . $row['role_id'], - 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&role_id=' . $row['role_id'], + 'U_MOVE_UP' => $this->u_action . '&action=move_up&role_id=' . $row['role_id'] . '&hash=' . generate_link_hash('acp_permission_roles'), + 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&role_id=' . $row['role_id'] . '&hash=' . generate_link_hash('acp_permission_roles'), 'U_DISPLAY_ITEMS' => ($row['role_id'] == $display_item) ? '' : $this->u_action . '&display_item=' . $row['role_id'] . '#assigned_to') ); diff --git a/phpBB/includes/acp/acp_profile.php b/phpBB/includes/acp/acp_profile.php index 69672ebec0..c4888cfc7c 100644 --- a/phpBB/includes/acp/acp_profile.php +++ b/phpBB/includes/acp/acp_profile.php @@ -56,6 +56,9 @@ class acp_profile $error = array(); + $form_key = 'acp_profile'; + add_form_key($form_key); + if (!$field_id && in_array($action, array('delete','activate', 'deactivate', 'move_up', 'move_down', 'edit'))) { trigger_error($user->lang['NO_FIELD_ID'] . adm_back_link($this->u_action), E_USER_WARNING); @@ -166,6 +169,11 @@ class acp_profile case 'activate': + if (!check_link_hash($request->variable('hash', ''), 'acp_profile')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $sql = 'SELECT lang_id FROM ' . LANG_TABLE . " WHERE lang_iso = '" . $db->sql_escape($config['default_lang']) . "'"; @@ -206,6 +214,11 @@ class acp_profile case 'deactivate': + if (!check_link_hash($request->variable('hash', ''), 'acp_profile')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $sql = 'UPDATE ' . PROFILE_FIELDS_TABLE . " SET field_active = 0 WHERE field_id = $field_id"; 
@@ -235,6 +248,11 @@ class acp_profile case 'move_up': case 'move_down': + if (!check_link_hash($request->variable('hash', ''), 'acp_profile')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $sql = 'SELECT field_order FROM ' . PROFILE_FIELDS_TABLE . " WHERE field_id = $field_id"; @@ -584,6 +602,11 @@ class acp_profile if (!sizeof($error)) { + if (!check_form_key($form_key)) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + if (($step == 3 && (sizeof($this->lang_defs['iso']) == 1 || $save)) || ($action == 'edit' && $save)) { $this->save_profile_field($cp, $field_type, $action); @@ -740,12 +763,12 @@ class acp_profile 'FIELD_TYPE' => $profile_field->get_name(), 'L_ACTIVATE_DEACTIVATE' => $user->lang[$active_lang], - 'U_ACTIVATE_DEACTIVATE' => $this->u_action . "&action=$active_value&field_id=$id", + 'U_ACTIVATE_DEACTIVATE' => $this->u_action . "&action=$active_value&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'), 'U_EDIT' => $this->u_action . "&action=edit&field_id=$id", 'U_TRANSLATE' => $this->u_action . "&action=edit&field_id=$id&step=3", 'U_DELETE' => $this->u_action . "&action=delete&field_id=$id", - 'U_MOVE_UP' => $this->u_action . "&action=move_up&field_id=$id", - 'U_MOVE_DOWN' => $this->u_action . "&action=move_down&field_id=$id", + 'U_MOVE_UP' => $this->u_action . "&action=move_up&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'), + 'U_MOVE_DOWN' => $this->u_action . "&action=move_down&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'), 'S_NEED_EDIT' => $s_need_edit) ); diff --git a/phpBB/includes/acp/acp_reasons.php b/phpBB/includes/acp/acp_reasons.php index 0d221bba3c..b9b313c9db 100644 --- a/phpBB/includes/acp/acp_reasons.php +++ b/phpBB/includes/acp/acp_reasons.php 
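Review bot: In acp_profile the `check_form_key($form_key)` call sits inside `if (!sizeof($error))`, so the token is verified only after the submitted field data has been read and validated above the hunk, and not at all when validation failed. The token check is cheap and should be the first thing the submit handling does, so that nothing before it — including the earlier steps of the `$step`-driven edit flow — runs on an unverified request; from this hunk alone I cannot tell whether earlier code persists anything. Moving the block to the top of the submit branch, ahead of the validation, would also match where the acp_modules hunk places its check. The enclosing `if` and the surrounding method start outside the hunk.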
@@ -281,6 +281,11 @@ class acp_reasons case 'move_up': case 'move_down': + if (!check_link_hash($request->variable('hash', ''), 'acp_reasons')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $sql = 'SELECT reason_order FROM ' . REPORTS_REASONS_TABLE . " WHERE reason_id = $reason_id"; @@ -382,8 +387,8 @@ class acp_reasons 'U_EDIT' => $this->u_action . '&action=edit&id=' . $row['reason_id'], 'U_DELETE' => (!$other_reason) ? $this->u_action . '&action=delete&id=' . $row['reason_id'] : '', - 'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row['reason_id'], - 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row['reason_id']) + 'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row['reason_id'] . '&hash=' . generate_link_hash('acp_reasons'), + 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row['reason_id'] . '&hash=' . generate_link_hash('acp_reasons')) ); } $db->sql_freeresult($result); diff --git a/phpBB/includes/acp/acp_search.php b/phpBB/includes/acp/acp_search.php index 1f0e8ef539..9a72162c29 100644 --- a/phpBB/includes/acp/acp_search.php +++ b/phpBB/includes/acp/acp_search.php @@ -54,6 +54,13 @@ class acp_search global $config, $phpbb_admin_path, $phpEx; $submit = (isset($_POST['submit'])) ? true : false; + $form_key = 'acp_search'; + add_form_key($form_key); + + if ($submit && !check_form_key($form_key)) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } $search_types = $this->get_search_types(); @@ -244,6 +251,15 @@ class acp_search $this->state = array(); $this->save_state(); } + $submit = $request->is_set_post('submit', false); + + $form_key = 'acp_search'; + add_form_key($form_key); + + if (!check_form_key($form_key) && in_array($action, array('delete', 'create'))) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } if ($action) { 
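Review bot: The acp_search index guard `if (!check_form_key($form_key) && in_array($action, array('delete', 'create')))` accepts only a form token, but if I remember the rest of this method correctly a long create/delete run is continued by a `meta_refresh` back to `$this->u_action . '&action=create&skip_rows=...'` (outside the hunk), a GET that carries no form token and would now be rejected mid-run. If that is the case the continuation URL needs `'&hash=' . generate_link_hash('acp_search')` and the guard should accept either credential: `if (in_array($action, array('delete', 'create'), true) && !check_form_key($form_key) && !check_link_hash($request->variable('hash', ''), 'acp_search'))`. Testing the action first also keeps the token check off the other actions, and `strict: true` avoids loose comparison on the action string. The `$submit` assigned at the top of this hunk is not used within it; if it is not used further down, drop it.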
diff --git a/tests/functional/search/base.php b/tests/functional/search/base.php index a3cac381d2..f77ef70ecc 100644 --- a/tests/functional/search/base.php +++ b/tests/functional/search/base.php @@ -78,6 +78,8 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case protected function create_search_index($backend = null) { $this->add_lang('acp/search'); + $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid); + $form_values = $crawler->selectButton('Delete index')->form()->getValues(); $crawler = self::request( 'POST', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid, @@ -85,6 +87,8 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case 'search_type' => ( ($backend === null) ? $this->search_backend : $backend ), 'action' => 'create', 'submit' => true, + 'form_token' => $form_values['form_token'], + 'creation_time' => $form_values['creation_time'], ) ); $this->assertContainsLang('SEARCH_INDEX_CREATED', $crawler->text()); @@ -93,6 +97,8 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case protected function delete_search_index() { $this->add_lang('acp/search'); + $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid); + $form_values = $crawler->selectButton('Delete index')->form()->getValues(); $crawler = self::request( 'POST', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid, @@ -100,6 +106,8 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case 'search_type' => $this->search_backend, 'action' => 'delete', 'submit' => true, + 'form_token' => $form_values['form_token'], + 'creation_time' => $form_values['creation_time'], ) ); $this->assertContainsLang('SEARCH_INDEX_REMOVED', $crawler->text()); |
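Review bot: The two-line fetch of the form token is duplicated between `create_search_index()` and `delete_search_index()`, and both rely on a 'Delete index' button being present on the page even when the goal is to create an index, which only holds because some backend is already indexed at that point. Extracting the fetch into one helper keeps that label dependency in a single documented place and lets both methods read `$form_values = $this->get_search_index_form_values();`. Both methods continue past the hunk.
```php
/**
 * Fetch the hidden form fields (form_token, creation_time) of the ACP search index page.
 *
 * Uses the 'Delete index' button to locate a form; any form on the page carries the
 * same token, but this label is only present while at least one backend is indexed.
 */
protected function get_search_index_form_values()
{
    $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid);

    return $crawler->selectButton('Delete index')->form()->getValues();
}

// … unchanged: create_search_index() / delete_search_index() bodies, each now calling
// $form_values = $this->get_search_index_form_values(); before the POST …
```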