added CSRF protection

This commit is contained in:
Roland Gruber 2015-05-14 11:49:56 +00:00
parent c34b040766
commit 10a47cb134
1 changed files with 7 additions and 1 deletions

View File

@ -545,6 +545,9 @@ class lamList {
* @return String HTML fragment to insert into beginning of account list * @return String HTML fragment to insert into beginning of account list
*/ */
protected function listDoPost() { protected function listDoPost() {
if (!empty($_POST)) {
validateSecurityToken();
}
// check if button was pressed and if we have to add/delete an account or call file upload // check if button was pressed and if we have to add/delete an account or call file upload
if (isset($_POST['new']) || isset($_POST['del']) || isset($_POST['fileUpload'])){ if (isset($_POST['new']) || isset($_POST['del']) || isset($_POST['fileUpload'])){
if (!checkIfWriteAccessIsAllowed($this->type)) { if (!checkIfWriteAccessIsAllowed($this->type)) {
@ -720,6 +723,7 @@ class lamList {
$container->addElement(new htmlHiddenInput($selAccounts[$i], 'on')); $container->addElement(new htmlHiddenInput($selAccounts[$i], 'on'));
} }
$container->addElement(new htmlHiddenInput('clickedAccount', $id)); $container->addElement(new htmlHiddenInput('clickedAccount', $id));
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $this->tabindex, $this->type); parseHtml(null, $container, array(), false, $this->tabindex, $this->type);
@ -826,6 +830,7 @@ class lamList {
*/ */
protected function listPrintFooter() { protected function listPrintFooter() {
?> ?>
<input type="hidden" name="<?php echo getSecurityTokenName(); ?>" value="<?php echo getSecurityTokenValue(); ?>">
</form></div></div> </form></div></div>
<script type="text/javascript"> <script type="text/javascript">
jQuery(document).ready(function() { jQuery(document).ready(function() {
@ -1031,7 +1036,8 @@ class lamList {
for ($i = 0; $i < sizeof($this->configOptions); $i++) { for ($i = 0; $i < sizeof($this->configOptions); $i++) {
$configContainer->mergeTableElements($this->configOptions[$i]->getMetaHTML()); $configContainer->mergeTableElements($this->configOptions[$i]->getMetaHTML());
} }
$configContainer->addElement(new htmlHiddenInput('saveConfigOptions', 'ok')); $configContainer->addElement(new htmlHiddenInput('saveConfigOptions', 'ok'));
addSecurityTokenToMetaHTML($configContainer);
parseHtml('', $configContainer, array(), false, $this->tabindex, $this->type); parseHtml('', $configContainer, array(), false, $this->tabindex, $this->type);