Diffstat (limited to 'phpBB/includes/acp')
-rw-r--r-- | phpBB/includes/acp/acp_attachments.php | 8 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_ban.php | 9 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_bbcodes.php | 3 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_board.php | 9 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_bots.php | 7 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_captcha.php | 11 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_disallow.php | 8 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_email.php | 8 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_forums.php | 9 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_groups.php | 11 | ||||
-rwxr-xr-x | phpBB/includes/acp/acp_inactive.php | 11 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_jabber.php | 8 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_language.php | 32 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_permission_roles.php | 8 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_permissions.php | 17 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_ranks.php | 14 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_reasons.php | 7 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_users.php | 83 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_words.php | 8 |
19 files changed, 254 insertions, 17 deletions
diff --git a/phpBB/includes/acp/acp_attachments.php b/phpBB/includes/acp/acp_attachments.php
index ae4eb9bc1a..7f85542264 100644
--- a/phpBB/includes/acp/acp_attachments.php
+++ b/phpBB/includes/acp/acp_attachments.php
@@ -27,6 +27,14 @@ class acp_attachments
 $submit = (isset($_POST['submit'])) ? true : false;
 $action = request_var('action', '');
+ $form_key = 'acp_attach';
+ add_form_key($form_key);
+
+ if ($submit && !check_form_key($form_key))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+ }
+
 switch ($mode)
 {
 case 'attach':
diff --git a/phpBB/includes/acp/acp_ban.php b/phpBB/includes/acp/acp_ban.php
index f5669b2c04..5871710702 100644
--- a/phpBB/includes/acp/acp_ban.php
+++ b/phpBB/includes/acp/acp_ban.php
@@ -23,11 +23,18 @@ class acp_ban
 include($phpbb_root_path . 'includes/functions_user.' . $phpEx);
 $bansubmit = (isset($_POST['bansubmit'])) ? true : false;
- $unbansubmit= (isset($_POST['unbansubmit'])) ? true : false;
+ $unbansubmit = (isset($_POST['unbansubmit'])) ? true : false;
 $current_time = time();
 $user->add_lang(array('acp/ban', 'acp/users'));
 $this->tpl_name = 'acp_ban';
+ $form_key = 'acp_ban';
+ add_form_key($form_key);
+
+ if(($bansubmit || $unbansubmit) && !check_form_key($form_key))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+ }
 // Ban submitted?
 if ($bansubmit)
diff --git a/phpBB/includes/acp/acp_bbcodes.php b/phpBB/includes/acp/acp_bbcodes.php
index 235028fc3c..1eaec67e89 100644
--- a/phpBB/includes/acp/acp_bbcodes.php
+++ b/phpBB/includes/acp/acp_bbcodes.php
@@ -28,6 +28,9 @@ class acp_bbcodes
 $this->tpl_name = 'acp_bbcodes';
 $this->page_title = 'ACP_BBCODES';
+ $form_key = 'acp_bbcodes';
+
+ add_form_key($form_key);
 // Set up mode-specific vars
 switch ($action)
diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php
index 7cee81ffe2..a2d91e9196 100644
--- a/phpBB/includes/acp/acp_board.php
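Review bot: The new guard in acp_ban is written `if((` with no space after the keyword, while the surrounding file uses `if (`; the same spacing, and `'FORM_INVALID']. adm_back_link` with the space after the dot instead of before it, recur in the acp_jabber, acp_language, acp_permission_roles, acp_permissions, acp_ranks, acp_reasons and acp_words hunks. Suggest `if (($bansubmit || $unbansubmit) && !check_form_key($form_key))` here and `$user->lang['FORM_INVALID'] . adm_back_link($this->u_action)` in the others so the added lines read like the code around them.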
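Review bot: acp_bbcodes only issues the token: `add_form_key($form_key)` is added, but no `check_form_key($form_key)` accompanies it, and the diffstat lists just 3 changed lines for this file, all visible in this hunk, so nothing verifies the token anywhere in acp_bbcodes.php after this commit. Without the check the bbcode create/modify/delete actions remain unprotected against cross-site request forgery, which is what this change sets out to fix. The mutating branches are outside the hunk (it stops at `switch ($action)`); each one that writes to the database should open with `if (!check_form_key($form_key)) { trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); }`, as acp_words does for its 'save' action.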
+++ b/phpBB/includes/acp/acp_board.php
@@ -27,6 +27,9 @@ class acp_board
 $action = request_var('action', '');
 $submit = (isset($_POST['submit'])) ? true : false;
+ $form_key = 'acp_board';
+ add_form_key($form_key);
+
 /**
 * Validation types are:
 * string, int, bool,
@@ -314,6 +317,8 @@ class acp_board
 'chg_passforce' => array('lang' => 'FORCE_PASS_CHANGE', 'validate' => 'int', 'type' => 'text:3:3', 'explain' => true, 'append' => ' ' . $user->lang['DAYS']),
 'max_login_attempts' => array('lang' => 'MAX_LOGIN_ATTEMPTS', 'validate' => 'int', 'type' => 'text:3:3', 'explain' => true),
 'tpl_allow_php' => array('lang' => 'TPL_ALLOW_PHP', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true),
+ 'form_token_lifetime' => array('lang' => 'FORM_TIME_MAX', 'validate' => 'int', 'type' => 'text:5:5', 'explain' => true, 'append' => ' ' . $user->lang['SECONDS']),
+ 'form_token_mintime' => array('lang' => 'FORM_TIME_MIN', 'validate' => 'int', 'type' => 'text:5:5', 'explain' => true, 'append' => ' ' . $user->lang['SECONDS']),
 )
 );
 break;
@@ -360,6 +365,10 @@ class acp_board
 // We validate the complete config if whished
 validate_config_vars($display_vars['vars'], $cfg_array, $error);
+ if ($submit && !check_form_key($form_key))
+ {
+ $error[] = $user->lang['FORM_INVALID'];
+ }
 // Do not write values if there is an error
 if (sizeof($error))
 {
diff --git a/phpBB/includes/acp/acp_bots.php b/phpBB/includes/acp/acp_bots.php
index 93108c7fec..50458718ba 100644
--- a/phpBB/includes/acp/acp_bots.php
+++ b/phpBB/includes/acp/acp_bots.php
@@ -35,6 +35,13 @@ class acp_bots
 $user->add_lang('acp/bots');
 $this->tpl_name = 'acp_bots';
 $this->page_title = 'ACP_BOTS';
+ $form_key = 'acp_bots';
+ add_form_key($form_key);
+
+ if ($submit && !check_form_key($form_key))
+ {
+ $error[] = $user->lang['FORM_INVALID'];
+ }
 // User wants to do something, how inconsiderate of them!
 switch ($action)
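Review bot: The two new config entries `form_token_lifetime` and `form_token_mintime` in acp_board's second hunk (`@@ -314,6 +317,8 @@`) are validated only as `'validate' => 'int'`, so a negative value, a zero lifetime, or a minimum time larger than the lifetime is accepted and written to config. How `check_form_key` interprets such values is not visible in this diff, so the safe bounds should be confirmed against that function; at minimum the block after `validate_config_vars(...)` in the third hunk should add to `$error` when either value is below 0 or when `form_token_mintime` exceeds `form_token_lifetime`, since the validator as called here does not. If `validate_config_vars` offers a bounded integer validation form, using it on these two entries would be the smaller change.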
diff --git a/phpBB/includes/acp/acp_captcha.php b/phpBB/includes/acp/acp_captcha.php
index 496f66e4f9..80b6b625e3 100644
--- a/phpBB/includes/acp/acp_captcha.php
+++ b/phpBB/includes/acp/acp_captcha.php
@@ -57,9 +57,12 @@ class acp_captcha
 $this->tpl_name = 'acp_captcha';
 $this->page_title = 'ACP_VC_SETTINGS';
+ $form_key = 'acp_captcha';
+ add_form_key($form_key);
+
 $submit = request_var('submit', '');
-
- if ($submit)
+
+ if ($submit && check_form_key($form_key))
 {
 $config_vars = array_keys($config_vars);
 foreach ($config_vars as $config_var)
@@ -73,6 +76,10 @@ class acp_captcha
 }
 trigger_error($user->lang['CONFIG_UPDATED'] . adm_back_link($this->u_action));
 }
+ else if ($submit)
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action));
+ }
 else
 {
diff --git a/phpBB/includes/acp/acp_disallow.php b/phpBB/includes/acp/acp_disallow.php
index 4be61ad778..0423c4cc38 100644
--- a/phpBB/includes/acp/acp_disallow.php
+++ b/phpBB/includes/acp/acp_disallow.php
@@ -28,9 +28,17 @@ class acp_disallow
 $this->tpl_name = 'acp_disallow';
 $this->page_title = 'ACP_DISALLOW_USERNAMES';
+ $form_key = 'acp_disallow';
+ add_form_key($form_key);
+
 $disallow = (isset($_POST['disallow'])) ? true : false;
 $allow = (isset($_POST['allow'])) ? true : false;
+ if (($allow || $disallow) && !check_form_key($form_key))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+ }
+
 if ($disallow)
 {
 $disallowed_user = str_replace('*', '%', utf8_normalize_nfc(request_var('disallowed_user', '', true)));
diff --git a/phpBB/includes/acp/acp_email.php b/phpBB/includes/acp/acp_email.php
index cc7c99c90b..7598b729c4 100644
--- a/phpBB/includes/acp/acp_email.php
+++ b/phpBB/includes/acp/acp_email.php
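Review bot: The new `else if ($submit)` branch in acp_captcha's second hunk calls `trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action))` with no error level, whereas every other FORM_INVALID rejection in this commit passes `E_USER_WARNING`; as written it uses the same call form as the `CONFIG_UPDATED` success message two lines above, so a rejected submission is reported at the same severity as a successful one. Suggest `trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);`. The if/else chain this branch belongs to continues past the end of the hunk.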
@@ -24,6 +24,9 @@ class acp_email
 $this->tpl_name = 'acp_email';
 $this->page_title = 'ACP_MASS_EMAIL';
+ $form_key = 'acp_email';
+ add_form_key($form_key);
+
 // Set some vars
 $submit = (isset($_POST['submit'])) ? true : false;
 $error = array();
@@ -41,6 +44,11 @@ class acp_email
 $use_queue = (isset($_POST['send_immediately'])) ? false : true;
 $priority = request_var('mail_priority_flag', MAIL_NORMAL_PRIORITY);
+ if (!check_form_key($form_key))
+ {
+ $error[] = $user->lang['FORM_INVALID'];
+ }
+
 if (!$subject)
 {
 $error[] = $user->lang['NO_EMAIL_SUBJECT'];
diff --git a/phpBB/includes/acp/acp_forums.php b/phpBB/includes/acp/acp_forums.php
index 446c67011d..521eafe437 100644
--- a/phpBB/includes/acp/acp_forums.php
+++ b/phpBB/includes/acp/acp_forums.php
@@ -25,6 +25,9 @@ class acp_forums
 $this->tpl_name = 'acp_forums';
 $this->page_title = 'ACP_MANAGE_FORUMS';
+ $form_key = 'acp_forums';
+ add_form_key($form_key);
+
 $action = request_var('action', '');
 $update = (isset($_POST['update'])) ? true : false;
 $forum_id = request_var('f', 0);
@@ -33,6 +36,12 @@ class acp_forums
 $forum_data = $errors = array();
+ if ($update && !check_form_key($form_key))
+ {
+ $update = false;
+ $error[] = $user->lang['FORM_INVALID'];
+ }
+
 // Check additional permissions
 switch ($action)
 {
diff --git a/phpBB/includes/acp/acp_groups.php b/phpBB/includes/acp/acp_groups.php
index 6c8591818c..a024a55a81 100644
--- a/phpBB/includes/acp/acp_groups.php
+++ b/phpBB/includes/acp/acp_groups.php
@@ -24,6 +24,9 @@ class acp_groups
 $this->tpl_name = 'acp_groups';
 $this->page_title = 'ACP_GROUPS_MANAGE';
+ $form_key = 'acp_groups';
+ add_form_key($form_key);
+
 include($phpbb_root_path . 'includes/functions_user.' . $phpEx);
 // Check and set some common vars
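Review bot: In acp_email's second hunk `check_form_key($form_key)` is called unconditionally, unlike the other modules in this commit, which guard the check with their submit flag. If the block this sits in (it begins outside the hunk, and `$submit` is only defined in the first hunk) is not already inside `if ($submit)`, a plain GET of the mass-email page pushes FORM_INVALID into `$error` before anything has been posted; if it is inside the submit branch the check is fine as written. Otherwise `if ($submit && !check_form_key($form_key))` limits it to real submissions.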
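Review bot: acp_forums' second hunk appends the rejection to `$error`, but the array initialised on the context line directly above is `$errors` (`$forum_data = $errors = array();`), so the message lands in a different variable and the admin sees the form refuse to update with no explanation once `$update` is cleared. Change the line to `$errors[] = $user->lang['FORM_INVALID'];`. Whether `$errors` is the array the template renders is not visible here, but it is the one this hunk initialises and the name every other forum error presumably uses.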
@@ -36,6 +39,7 @@ class acp_groups
 $start = request_var('start', 0);
 $update = (isset($_POST['update'])) ? true : false;
+ // Clear some vars
 $can_upload = (file_exists($phpbb_root_path . $config['avatar_path']) && @is_writable($phpbb_root_path . $config['avatar_path']) && $file_uploads) ? true : false;
 $group_row = array();
@@ -251,13 +255,18 @@ class acp_groups
 $error = array();
 $user->add_lang('ucp');
-
+
 $avatar_select = basename(request_var('avatar_select', ''));
 $category = basename(request_var('category', ''));
 // Did we submit?
 if ($update)
 {
+ if (!check_form_key($form_key))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+ }
+
 $group_name = utf8_normalize_nfc(request_var('group_name', '', true));
 $group_desc = utf8_normalize_nfc(request_var('group_desc', '', true));
 $group_type = request_var('group_type', GROUP_FREE);
diff --git a/phpBB/includes/acp/acp_inactive.php b/phpBB/includes/acp/acp_inactive.php
index a3eefdfaba..59b5a3d6e2 100755
--- a/phpBB/includes/acp/acp_inactive.php
+++ b/phpBB/includes/acp/acp_inactive.php
@@ -33,14 +33,23 @@ class acp_inactive
 $action = request_var('action', '');
 $mark = (isset($_REQUEST['mark'])) ? request_var('mark', array(0)) : array();
 $start = request_var('start', 0);
+ $submit = isset($_POST['submit']);
 // Sort keys
 $sort_days = request_var('st', 0);
 $sort_key = request_var('sk', 'i');
 $sort_dir = request_var('sd', 'd');
- if (sizeof($mark))
+ $form_key = 'acp_inactive';
+ add_form_key($form_key);
+
+ if ($submit && sizeof($mark))
 {
+ if (!check_form_key($form_key))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+ }
+
 switch ($action)
 {
 case 'activate':
diff --git a/phpBB/includes/acp/acp_jabber.php b/phpBB/includes/acp/acp_jabber.php
index b1580a0736..0878a3cd40 100644
--- a/phpBB/includes/acp/acp_jabber.php
+++ b/phpBB/includes/acp/acp_jabber.php
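Review bot: acp_inactive now requires `$submit` (`isset($_POST['submit'])`) as well as a non-empty `$mark` before any action runs, so a POST that carries marked rows but no field named `submit` falls through silently, with neither the action nor the FORM_INVALID message. If the template's action button is not named `submit` (its markup is outside this diff), every activate/delete request becomes a no-op; confirm the field name, or keep the original `if (sizeof($mark))` guard and let `check_form_key` alone decide whether the request is accepted, which is the protection this commit is adding anyway.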
@@ -44,8 +44,16 @@ class acp_jabber
 $jab_package_size = request_var('jab_package_size', $config['jab_package_size']);
 $jab_use_ssl = request_var('jab_use_ssl', $config['jab_use_ssl']);
+ $form_name = 'acp_jabber';
+ add_form_key($form_name);
+
 if ($submit)
 {
+ if(!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+ }
+
 $error = array();
 $message = $user->lang['JAB_SETTINGS_CHANGED'];
diff --git a/phpBB/includes/acp/acp_language.php b/phpBB/includes/acp/acp_language.php
index 71def79433..4246cc5a63 100644
--- a/phpBB/includes/acp/acp_language.php
+++ b/phpBB/includes/acp/acp_language.php
@@ -32,14 +32,19 @@ class acp_language
 $this->default_variables();
 // Check and set some common vars
- $action = request_var('action', '');
- $action = (isset($_POST['update_details'])) ? 'update_details' : $action;
- $action = (isset($_POST['download_file'])) ? 'download_file' : $action;
- $action = (isset($_POST['upload_file'])) ? 'upload_file' : $action;
- $action = (isset($_POST['upload_data'])) ? 'upload_data' : $action;
- $action = (isset($_POST['submit_file'])) ? 'submit_file' : $action;
- $action = (isset($_POST['remove_store'])) ? 'details' : $action;
+ $action = (isset($_POST['update_details'])) ? 'update_details' : '';
+ $action = (isset($_POST['download_file'])) ? 'download_file' : '';
+ $action = (isset($_POST['upload_file'])) ? 'upload_file' : '';
+ $action = (isset($_POST['upload_data'])) ? 'upload_data' : '';
+ $action = (isset($_POST['submit_file'])) ? 'submit_file' : '';
+ $action = (isset($_POST['remove_store'])) ? 'details' : '';
+
+ $submit = (empty($action)) ? false : true;
+ $action = (empty($action)) ? request_var('action', '') : $action;
+
+ $form_name = 'acp_lang';
+ add_form_key('acp_lang');
 $lang_id = request_var('id', 0);
 if (isset($_POST['missing_file']))
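Review bot: The rewritten `$action` chain in acp_language's first hunk is broken: each of the six new lines resets `$action` to `''` when its own button is absent instead of keeping the value from the line before, so only `remove_store` survives the chain; pressing update_details, download_file, upload_file, upload_data or submit_file leaves `$action` empty and `$submit` false, the fallback `request_var('action', '')` then picks the action up from the query string, and the `if(!$submit || !check_form_key($form_name))` guards added later in this file reject every one of those forms with FORM_INVALID. The removed lines had the right shape: keep `: $action` as the fallthrough on every line after the first. Separately, `add_form_key('acp_lang')` repeats the literal instead of passing `$form_name`; acp_reasons has the same duplication.
```php
$action = (isset($_POST['update_details'])) ? 'update_details' : '';
$action = (isset($_POST['download_file'])) ? 'download_file' : $action;
$action = (isset($_POST['upload_file'])) ? 'upload_file' : $action;
$action = (isset($_POST['upload_data'])) ? 'upload_data' : $action;
$action = (isset($_POST['submit_file'])) ? 'submit_file' : $action;
$action = (isset($_POST['remove_store'])) ? 'details' : $action;

// … unchanged: $submit flag and request_var('action', '') fallback …

$form_name = 'acp_lang';
add_form_key($form_name);
```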
@@ -59,7 +64,7 @@ class acp_language
 $this->tpl_name = 'acp_language';
 $this->page_title = 'ACP_LANGUAGE_PACKS';
- if ($action == 'upload_data' && request_var('test_connection', ''))
+ if ($submit && $action == 'upload_data' && request_var('test_connection', ''))
 {
 $test_connection = false;
 $action = 'upload_file';
@@ -89,6 +94,7 @@ class acp_language
 switch ($action)
 {
 case 'upload_file':
+ include_once($phpbb_root_path . 'includes/functions_transfer.' . $phpEx);
 $method = request_var('method', '');
@@ -132,6 +138,11 @@ class acp_language
 case 'update_details':
+ if(!$submit || !check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+ }
+
 if (!$lang_id)
 {
 trigger_error($user->lang['NO_LANG_ID'] . adm_back_link($this->u_action), E_USER_WARNING);
@@ -162,6 +173,11 @@ class acp_language
 case 'submit_file':
 case 'download_file':
 case 'upload_data':
+
+ if(!$submit || !check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+ }
 if (!$lang_id || empty($_POST['entry']))
 {
diff --git a/phpBB/includes/acp/acp_permission_roles.php b/phpBB/includes/acp/acp_permission_roles.php
index 57fd4c1ea5..ea21f52da7 100644
--- a/phpBB/includes/acp/acp_permission_roles.php
+++ b/phpBB/includes/acp/acp_permission_roles.php
@@ -35,6 +35,9 @@ class acp_permission_roles
 $action = request_var('action', '');
 $action = (isset($_POST['add'])) ? 'add' : $action;
+ $form_name = 'acp_permissions';
+ add_form_key($form_name);
+
 switch ($mode)
 {
 case 'admin_roles':
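Review bot: acp_permission_roles registers its token under `$form_name = 'acp_permissions'`, the same name acp_permissions.php uses in this commit; if `check_form_key` scopes tokens by form name, as the `add_form_key`/`check_form_key` pairing suggests, a token issued for the permissions page is accepted by the roles page and vice versa, so the check proves less than it appears to. Suggest `$form_name = 'acp_permission_roles';` so each module's token is only honoured by its own handler. The hunk ends at the opening of `switch ($mode)`; the matching `check_form_key` call for the 'add' action is in the next hunk.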
@@ -134,6 +137,11 @@ class acp_permission_roles
 case 'add':
+ if(!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+ }
+
 $role_name = utf8_normalize_nfc(request_var('role_name', '', true));
 $role_description = utf8_normalize_nfc(request_var('role_description', '', true));
 $auth_settings = request_var('setting', array('' => 0));
diff --git a/phpBB/includes/acp/acp_permissions.php b/phpBB/includes/acp/acp_permissions.php
index 4b06d2edad..f171d43c39 100644
--- a/phpBB/includes/acp/acp_permissions.php
+++ b/phpBB/includes/acp/acp_permissions.php
@@ -46,7 +46,6 @@ class acp_permissions
 $this->permission_trace($user_id, $forum_id, $permission);
 return;
 }
- trigger_error('NO_MODE', E_USER_ERROR);
 }
@@ -66,6 +65,9 @@ class acp_permissions
 $group_id = request_var('group_id', array(0));
 $select_all_groups = request_var('select_all_groups', 0);
+ $form_name = 'acp_permissions';
+ add_form_key($form_name);
+
 // If select all groups is set, we pre-build the group id array (this option is used for other screens to link to the permission settings screen)
 if ($select_all_groups)
 {
@@ -214,6 +216,11 @@ class acp_permissions
 switch ($action)
 {
 case 'delete':
+
+ if(!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+ }
 // All users/groups selected?
 $all_users = (isset($_POST['all_users'])) ? true : false;
 $all_groups = (isset($_POST['all_groups'])) ? true : false;
@@ -247,6 +254,10 @@ class acp_permissions
 {
 trigger_error($user->lang['NO_AUTH_SETTING_FOUND'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
+ if(!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+ }
 $this->set_permissions($mode, $permission_type, $auth_admin, $user_id, $group_id);
 break;
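Review bot: The `if(!check_form_key($form_name))` block is pasted verbatim into three arms of acp_permissions' `switch ($action)` — the 'delete' case, the arm before `set_permissions`, and the arm before `set_all_permissions` in the following hunk — and the 'delete' copy is wedged between `case 'delete':` and the `// All users/groups selected?` comment with no separating blank line. Three identical copies drift easily; one check placed before the switch and limited to the actions that modify permissions would keep a single copy. Which of the remaining arms are display-only is not visible in these hunks, so that set has to be read off the full switch before hoisting.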
@@ -256,6 +267,10 @@ class acp_permissions
 {
 trigger_error($user->lang['NO_AUTH_SETTING_FOUND'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
+ if(!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+ }
 $this->set_all_permissions($mode, $permission_type, $auth_admin, $user_id, $group_id);
 break;
diff --git a/phpBB/includes/acp/acp_ranks.php b/phpBB/includes/acp/acp_ranks.php
index 950a645487..a01d30c7ab 100644
--- a/phpBB/includes/acp/acp_ranks.php
+++ b/phpBB/includes/acp/acp_ranks.php
@@ -31,10 +31,17 @@ class acp_ranks
 $this->tpl_name = 'acp_ranks';
 $this->page_title = 'ACP_MANAGE_RANKS';
+ $form_name = 'acp_prune';
+ add_form_key($form_name);
+
 switch ($action)
 {
 case 'save':
-
+
+ if(!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+ }
 $rank_title = utf8_normalize_nfc(request_var('title', '', true));
 $special_rank = request_var('special_rank', 0);
 $min_posts = ($special_rank) ? 0 : request_var('min_posts', 0);
@@ -124,6 +131,11 @@ class acp_ranks
 case 'edit':
 case 'add':
+ if(!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+ }
+
 $data = $ranks = $existing_imgs = array();
 $sql = 'SELECT *
diff --git a/phpBB/includes/acp/acp_reasons.php b/phpBB/includes/acp/acp_reasons.php
index ca9fbcb806..ec6fadcecf 100644
--- a/phpBB/includes/acp/acp_reasons.php
+++ b/phpBB/includes/acp/acp_reasons.php
@@ -30,6 +30,9 @@ class acp_reasons
 $this->tpl_name = 'acp_reasons';
 $this->page_title = 'ACP_REASONS';
+ $form_name = 'acp_reason';
+ add_form_key('acp_reason');
+
 $error = array();
 switch ($action)
@@ -44,6 +47,10 @@ class acp_reasons
 if ($submit)
 {
+ if(!check_form_key($form_name))
+ {
+ $error[] = $user->lang['FORM_INVALID'];
+ }
 // Reason specified?
 if (!$reason_row['reason_title'] || !$reason_row['reason_description'])
 {
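Review bot: acp_ranks registers its token as `$form_name = 'acp_prune';`, which reads as a copy-paste from another module; every other file in this commit names the token after itself, and if the prune module ever registers the same name its token would be accepted here. Suggest `$form_name = 'acp_ranks';`. In the second hunk the check is also placed under `case 'edit': case 'add':`, which, judging by the `$data = $ranks = $existing_imgs = array();` and the `SELECT` that follow, only renders the form; reaching those actions through ordinary links, which carry no token, will now fail with FORM_INVALID, so the check belongs with the 'save' action (already guarded in the first hunk) and any delete action rather than the display arms.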
diff --git a/phpBB/includes/acp/acp_users.php b/phpBB/includes/acp/acp_users.php
index e854e64dad..a7764a5d6e 100644
--- a/phpBB/includes/acp/acp_users.php
+++ b/phpBB/includes/acp/acp_users.php
@@ -37,6 +37,9 @@ class acp_users
 $submit = (isset($_POST['update'])) ? true : false;
+ $form_name = 'acp_users';
+ add_form_key($form_name);
+
 // Whois (special case)
 if ($action == 'whois')
 {
@@ -218,6 +221,11 @@ class acp_users
 trigger_error($user->lang['CANNOT_BAN_FOUNDER'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
 }
+ if (!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+ }
+
 $ban = array();
 switch ($action)
@@ -270,6 +278,11 @@ class acp_users
 trigger_error($user->lang['CANNOT_FORCE_REACT_YOURSELF'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
 }
+ if (!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+ }
+
 if ($user_row['user_type'] == USER_FOUNDER)
 {
 trigger_error($user->lang['CANNOT_FORCE_REACT_FOUNDER'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
@@ -337,6 +350,11 @@ class acp_users
 trigger_error($user->lang['CANNOT_DEACTIVATE_YOURSELF'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
 }
+ if (!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+ }
+
 if ($user_row['user_type'] == USER_FOUNDER)
 {
 trigger_error($user->lang['CANNOT_DEACTIVATE_FOUNDER'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
@@ -361,6 +379,11 @@ class acp_users
 case 'delsig':
+ if (!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+ }
+
 $sql_ary = array(
 'user_sig' => '',
 'user_sig_bbcode_uid' => '',
@@ -379,7 +402,12 @@ class acp_users
 break;
 case 'delavatar':
-
+
+ if (!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+ }
+
 $sql_ary = array(
 'user_avatar' => '',
 'user_avatar_type' => 0,
@@ -451,6 +479,11 @@ class acp_users
 case 'moveposts':
+ if (!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+ }
+
 $user->add_lang('acp/forums');
 $new_forum_id = request_var('new_f', 0);
@@ -654,6 +687,11 @@ class acp_users
 $error[] = 'NEW_EMAIL_ERROR';
 }
+ if (!check_form_key($form_name))
+ {
+ $error[] = 'FORM_INVALID';
+ }
+
 // Which updates do we need to do?
 $update_username = ($user_row['username'] != $data['username']) ? $data['username'] : false;
 $update_password = ($data['new_password'] && $user_row['user_password'] != md5($data['new_password'])) ? true : false;
@@ -882,6 +920,11 @@ class acp_users
 // Delete entries if requested and able
 if (($deletemark || $deleteall) && $auth->acl_get('a_clearlogs'))
 {
+ if (!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+ }
+
 $where_sql = '';
 if ($deletemark && $marked)
 {
@@ -907,6 +950,11 @@ class acp_users
 if ($submit && $message)
 {
+ if (!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+ }
+
 add_log('admin', 'LOG_USER_FEEDBACK', $user_row['username']);
 add_log('mod', 0, 0, 'LOG_USER_FEEDBACK', $user_row['username']);
 add_log('user', $user_id, 'LOG_USER_GENERAL', $message);
@@ -1027,6 +1075,10 @@ class acp_users
 {
 $error = array_merge($error, $cp_error);
 }
+ if (!check_form_key($form_name))
+ {
+ $error[] = 'FORM_INVALID';
+ }
 if (!sizeof($error))
 {
@@ -1205,6 +1257,11 @@ class acp_users
 'post_sd' => array('string', false, 1, 1),
 ));
+ if (!check_form_key($form_name))
+ {
+ $error[] = 'FORM_INVALID';
+ }
+
 if (!sizeof($error))
 {
 $this->optionset($user_row, 'popuppm', $data['popuppm']);
@@ -1368,6 +1425,12 @@ class acp_users
 if ($submit)
 {
+
+ if (!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+ }
+
 if (avatar_process_user($error, $user_row))
 {
 trigger_error($user->lang['USER_AVATAR_UPDATED'] . adm_back_link($this->u_action . '&u=' . $user_row['user_id']));
@@ -1410,6 +1473,11 @@ class acp_users
 if ($submit)
 {
+ if (!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+ }
+
 $rank_id = request_var('user_rank', 0);
 $sql = 'UPDATE ' . USERS_TABLE . "
@@ -1467,7 +1535,12 @@ class acp_users
 {
 $error[] = implode('<br />', $message_parser->warn_msg);
 }
-
+
+ if (!check_form_key($form_name))
+ {
+ $error = 'FORM_INVALID';
+ }
+
 if (!sizeof($error) && $submit)
 {
 $sql_ary = array(
@@ -1733,6 +1806,12 @@ class acp_users
 // Add user to group?
 if ($submit)
 {
+
+ if (!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+ }
+
 if (!$group_id)
 {
 trigger_error($user->lang['NO_GROUP'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
diff --git a/phpBB/includes/acp/acp_words.php b/phpBB/includes/acp/acp_words.php
index 7e971d8e0f..10a317cc50 100644
--- a/phpBB/includes/acp/acp_words.php
+++ b/phpBB/includes/acp/acp_words.php
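Review bot: In acp_users' hunk at `@@ -1467,7 +1535,12 @@` the rejection is written `$error = 'FORM_INVALID';`, assigning a string where every other branch in this file appends to the array (`$error[] = 'FORM_INVALID';`). That throws away any warnings collected from `$message_parser->warn_msg` two lines above and hands a string to `sizeof()` in the `if (!sizeof($error) && $submit)` that follows, which is defined for arrays, not strings, so whether the save is actually blocked depends on the PHP version rather than on the check. Change it to `$error[] = 'FORM_INVALID';`.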
@@ -33,6 +33,9 @@ class acp_words
 $this->tpl_name = 'acp_words';
 $this->page_title = 'ACP_WORDS';
+ $form_name = 'acp_words';
+ add_form_key($form_name);
+
 switch ($action)
 {
 case 'edit':
@@ -68,6 +71,11 @@ class acp_words
 break;
 case 'save':
+
+ if(!check_form_key($form_name))
+ {
+ trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+ }
 $word_id = request_var('id', 0);
 $word = utf8_normalize_nfc(request_var('word', '', true));
 $replacement = utf8_normalize_nfc(request_var('replacement', '', true));
|