diff options
| author | Marc Alexander <admin@m-a-styles.de> | 2019-06-30 22:40:34 +0200 |
|---|---|---|
| committer | Marc Alexander <admin@m-a-styles.de> | 2019-08-24 22:23:38 +0200 |
| commit | 56477a8f7c1421ecc01f15258f0739ce8438db32 (patch) | |
| tree | 2361500844ecae27a61ce2b9e481fd79c6c059db /phpBB | |
| parent | 525c940385ef8efb57fb812a8317833d7790e30a (diff) | |
| download | forums-56477a8f7c1421ecc01f15258f0739ce8438db32.tar forums-56477a8f7c1421ecc01f15258f0739ce8438db32.tar.gz forums-56477a8f7c1421ecc01f15258f0739ce8438db32.tar.bz2 forums-56477a8f7c1421ecc01f15258f0739ce8438db32.tar.xz forums-56477a8f7c1421ecc01f15258f0739ce8438db32.zip | |
[ticket/security/244] Add form token check to plupload
SECURTIY-244
Diffstat (limited to 'phpBB')
| -rw-r--r-- | phpBB/assets/javascript/plupload.js | 17 | ||||
| -rw-r--r-- | phpBB/includes/message_parser.php | 29 | ||||
| -rw-r--r-- | phpBB/includes/ucp/ucp_pm_compose.php | 7 | ||||
| -rw-r--r-- | phpBB/styles/prosilver/template/plupload.html | 1 |
4 files changed, 52 insertions, 2 deletions
diff --git a/phpBB/assets/javascript/plupload.js b/phpBB/assets/javascript/plupload.js index fab1ca6d7c..5e8db8b035 100644 --- a/phpBB/assets/javascript/plupload.js +++ b/phpBB/assets/javascript/plupload.js @@ -90,6 +90,12 @@ phpbb.plupload.getSerializedData = function() { obj['attachment_data[' + i + '][' + key + ']'] = datum[key]; } } + + // Insert form data + var $pluploadForm = $(phpbb.plupload.config.form_hook).first(); + obj.creation_time = $pluploadForm.find('input[type=hidden][name="creation_time"]').val(); + obj.form_token = $pluploadForm.find('input[type=hidden][name="form_token"]').val(); + return obj; }; @@ -264,6 +270,17 @@ phpbb.plupload.deleteFile = function(row, attachId) { return; } + + // Handle errors while deleting file + if (typeof response.error !== 'undefined') { + phpbb.alert(phpbb.plupload.lang.ERROR, response.error.message); + + // We will have to assume that the deletion failed. So leave the file status as uploaded. + row.find('.file-status').toggleClass('file-uploaded'); + + return; + } + phpbb.plupload.update(response, 'removal', index); // Check if the user can upload files now if he had reached the max files limit. phpbb.plupload.handleMaxFilesReached(); diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php index 0b79cca864..e1c28223dc 100644 --- a/phpBB/includes/message_parser.php +++ b/phpBB/includes/message_parser.php @@ -1525,6 +1525,35 @@ class parse_message extends bbcode_firstpass } /** + * Check attachment form token depending on submit type + * + * @param \phpbb\language\language $language Language + * @param \phpbb\request\request_interface $request Request + * @param string $form_name Form name for checking form key + * + * @return bool True if form token is not needed or valid, false if needed and invalid + */ + function check_attachment_form_token(\phpbb\language\language $language, \phpbb\request\request_interface $request, $form_name) + { + $add_file = $request->is_set_post('add_file'); + $delete_file = $request->is_set_post('delete_file'); + + if (($add_file || $delete_file) && !check_form_key($form_name)) + { + $this->warn_msg[] = $language->lang('FORM_INVALID'); + + if ($request->is_ajax() && $this->plupload) + { + $this->plupload->emit_error(-400, 'FORM_INVALID'); + } + + return false; + } + + return true; + } + + /** * Parse Attachments */ function parse_attachments($form_name, $mode, $forum_id, $submit, $preview, $refresh, $is_message = false) diff --git a/phpBB/includes/ucp/ucp_pm_compose.php b/phpBB/includes/ucp/ucp_pm_compose.php index cb45112b01..06baa279a5 100644 --- a/phpBB/includes/ucp/ucp_pm_compose.php +++ b/phpBB/includes/ucp/ucp_pm_compose.php @@ -26,7 +26,7 @@ if (!defined('IN_PHPBB')) function compose_pm($id, $mode, $action, $user_folders = array()) { global $template, $db, $auth, $user, $cache; - global $phpbb_root_path, $phpEx, $config; + global $phpbb_root_path, $phpEx, $config, $language; global $request, $phpbb_dispatcher, $phpbb_container; // Damn php and globals - i know, this is horrible @@ -799,7 +799,10 @@ function compose_pm($id, $mode, $action, $user_folders = array()) extract($phpbb_dispatcher->trigger_event('core.ucp_pm_compose_modify_parse_before', compact($vars))); // Parse Attachments - before checksum is calculated - $message_parser->parse_attachments('fileupload', $action, 0, $submit, $preview, $refresh, true); + if ($message_parser->check_attachment_form_token($language, $request, 'ucp_pm_compose')) + { + $message_parser->parse_attachments('fileupload', $action, 0, $submit, $preview, $refresh, true); + } if (count($message_parser->warn_msg) && !($remove_u || $remove_g || $add_to || $add_bcc)) { diff --git a/phpBB/styles/prosilver/template/plupload.html b/phpBB/styles/prosilver/template/plupload.html index 1eb84372e8..593070321d 100644 --- a/phpBB/styles/prosilver/template/plupload.html +++ b/phpBB/styles/prosilver/template/plupload.html @@ -57,6 +57,7 @@ phpbb.plupload = { lang: { ERROR: '{LA_ERROR}', TOO_MANY_ATTACHMENTS: '{LA_TOO_MANY_ATTACHMENTS}', + FORM_INVALID: '{LA_FORM_INVALID}', }, order: '{ATTACH_ORDER}', maxFiles: {MAX_ATTACHMENTS}, |