From a35288b91e397a017b113dff0d89beccac380cd3 Mon Sep 17 00:00:00 2001
From: Benjamin Sonntag
Date: Tue, 9 Aug 2016 16:40:11 +0200
Subject: [PATCH] =?UTF-8?q?[fix]=C2=A0the=20file=20editor=20allows=20an=20?= =?UTF-8?q?invalid=20token.=20Tell=20the=20user=20and=20give=20a=20new=20o?= =?UTF-8?q?ne=20to=20re-submit.=20Fixes=20#111?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bureau/admin/bro_editor.php | 36 ++++++++++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 8 deletions(-)
diff --git a/bureau/admin/bro_editor.php b/bureau/admin/bro_editor.php
index 536ca192..a975f355 100755
--- a/bureau/admin/bro_editor.php
+++ b/bureau/admin/bro_editor.php
@@ -29,6 +29,9 @@ */
 require_once("../class/config.php");
+// We check it ourself : not fatal
+define("NOCSRF",true);
+
 $fields = array (
 "editfile" => array ("request", "string", ""),
 "texte" => array ("post", "string", ""),
@@ -39,6 +42,7 @@ $fields = array (
 );
 getFields($fields);
+$editing=false;
 $editfile=ssla($editfile);
 $texte=ssla($texte);
@@ -51,13 +55,24 @@ if (isset($cancel) && $cancel) {
 }
 if (isset($saveret) && $saveret) {
- if ($bro->save($editfile,$R,$texte)) {
- $error=sprintf(_("Your file %s has been saved"),$editfile)." (".format_date(_('%3$d-%2$d-%1$d %4$d:%5$d'),date("Y-m-d H:i:s")).")";
- } else {
- $error=$err->errstr();
- }
- include("bro_main.php");
- exit();
+ $editing=true;
+
+ // Thanks to this, we bring you back to the EDIT form if the CSRF is invalid.
+ // Allows you to re-submit
+ $error="";
+ if (count($_POST) && !defined("NOCSRF")) {
+ if (csrf_check()<=0) {
+ $error=$err->errstr();
+ }
+ }
+
+ if ($error!="" && $bro->save($editfile,$R,$texte)) {
+ $error=sprintf(_("Your file %s has been saved"),$editfile)." (".format_date(_('%3$d-%2$d-%1$d %4$d:%5$d'),date("Y-m-d H:i:s")).")";
+ include("bro_main.php");
+ exit();
+ } else {
+ $error=$err->errstr();
+ }
 }
 if (isset($save) && $save) {
 if ($bro->save($editfile,$R,$texte)) {
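Review bot: `define("NOCSRF",true)` is unconditional, so every request handled by this file opts out of whatever the shared check keyed on that constant does, not only the `saveret` branch that re-checks the token later; the comment `// We check it ourself : not fatal` does not say that, and it is worth confirming that the shared check actually consults the constant after this point, since config.php is required on the line before it is defined. The `$save` branch that starts at the end of the third hunk begins with a bare `$bro->save()` and shows no `csrf_check()` of its own in the visible lines, so that path appears to have lost its token check. Suggest widening the comment to `// NOCSRF: this file calls csrf_check() itself (non-fatal) so an invalid token can be reported; every branch that writes MUST call csrf_check() before $bro->save()` and adding the check to the `$save` branch.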
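Review bot: The new save-and-return condition `if ($error!="" && $bro->save($editfile,$R,$texte))` is inverted: it writes the file only when the CSRF check has populated `$error`, and skips the write when the token is valid, so a valid submission lands in the else branch with `$err->errstr()` and nothing saved, while an invalid token would be the one case that saves. On top of that the guard `!defined("NOCSRF")` is always false because this same file defines NOCSRF a few lines above the hunk, so `csrf_check()` is never reached here and `$error` is always `""`. Change the guard to `if (count($_POST)) {` and the save condition to `if ($error=="" && $bro->save($editfile,$R,$texte)) {`; the else branch then still surfaces the CSRF failure through `$err->errstr()`, which I take to be populated by `csrf_check()` (worth confirming). The `$save` branch that begins on the last line of the hunk continues outside it and shows no equivalent token check before its own `$bro->save()`.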
@@ -115,7 +130,12 @@ echo "
$content
";