[wip] CSRF check should work better now...

This commit is contained in:
Benjamin Sonntag 2016-05-23 13:59:16 +02:00
parent 23a438de99
commit b205d6bf8a
3 changed files with 16 additions and 9 deletions


@ -76,7 +76,8 @@ foreach ($obj_menu as $k => $m ) {
echo " </a>\n"; echo " </a>\n";
if (!empty($m['links'])) { if (!empty($m['links'])) {
echo "<div class='menu-content' id='menu-$k'>"; if ( $m['visibility']) $visible=""; else $visible="style=\"display: none\"";
echo "<div class='menu-content' id='menu-$k' $visible >";
echo " <ul>"; echo " <ul>";
foreach( $m['links'] as $l ) { foreach( $m['links'] as $l ) {
if ( $l['txt'] == 'progressbar' ) { if ( $l['txt'] == 'progressbar' ) {
@ -101,7 +102,6 @@ foreach ($obj_menu as $k => $m ) {
echo "</div>"; echo "</div>";
} }
echo "</div>"; echo "</div>";
if (! $m['visibility']) echo "<script type='text/javascript'>menu_toggle('menu-$k');</script>\n";
} }
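Review bot: `$m['visibility']` is read twice on the new side (lines 14 and 23) without `isset`/`??`, so any menu entry in `$obj_menu` that does not define that key raises an undefined-index notice on every page render; `$visible = empty($m['visibility']) ? 'style="display: none"' : '';` and `if (empty($m['visibility']))` would keep the same default (hidden when unset) without the notice. The two hiding mechanisms may also fight each other: the div is emitted with `display: none` on line 15 and then `menu_toggle('menu-$k')` is called for the same menu on line 23, and if `menu_toggle()` flips the display state it will re-show a menu that is already hidden — confirm against its definition and keep only one of the two. `$k` is interpolated into both an HTML attribute and a JS string literal; that predates this commit, but if menu keys can ever come from outside the code (plugins, database) they need context-appropriate escaping at both points. The enclosing `foreach` starts and ends outside the hunk.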


@ -1,12 +1,12 @@
<?php <?php
// Faut finir de le developper. Se fait appeler avec en POST les infos a stocker dans la variable de session // Faut finir de le developper. Se fait appeler avec en POST les infos a stocker dans la variable de session
// @TODO: have a whitelist of allowed key/values...
// Mis en pause => voir commentaire en bas de la classe m_mem // Mis en pause => voir commentaire en bas de la classe m_mem
define("NOCSRF","1"); // no csrf for js-posted data
require_once("../class/config.php"); require_once("../class/config.php");
// Don't uset getfields because we could have serialised object // but (csrf) we check POST, not REQUEST!
if ( empty($_POST['key']) || empty($_POST['val']) ) { if ( empty($_POST['key']) || empty($_POST['val']) ) {
die('1'); die('1');
} }
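Review bot: `define("NOCSRF","1")` on line 33 switches off `csrf_check()` for an endpoint that writes caller-supplied key/value pairs into the session, and the new comment on line 35 suggests that reading `$_POST` instead of `$_REQUEST` is what makes this acceptable — it is not, since a cross-site `<form method="post">` submission populates `$_POST` exactly like the intended JS call, so the endpoint stays CSRF-exposed until the whitelist promised by the `@TODO` on line 31 exists and, preferably, the JS caller sends the CSRF token along with `key`/`val` so the define can be dropped. Until then the comment should state the real situation rather than imply a mitigation, e.g. `// NOCSRF disables csrf_check() here; checking $_POST (not $_REQUEST) does NOT block cross-site POSTs — the JS caller should send the csrf token so this define can go.` The `die('1')` on line 37 also responds with the same body for a missing input and, presumably, for other failures further down; a distinct code per failure would make the JS side's error handling easier to follow, if the rest of the file (outside the hunk) indeed reuses '1'.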


@ -180,15 +180,16 @@ if ((variable_get('force_https', '0', "This variable is set to 0 (default) if us
// CHECK CSRF for ALL POSTS : // CHECK CSRF for ALL POSTS :
// you MUST add csrf_get(); after ALL <form method="post"> in AlternC ! // you MUST add csrf_get(); after ALL <form method="post"> in AlternC !
if (count($_POST)) {
$fatalcsrf=false;
if (count($_POST) && !defined("NOCSRF")) {
if (csrf_check()<=0) { if (csrf_check()<=0) {
$error=$err->errstr(); $error=$err->errstr();
require_once("main.php"); // We will trigger the error LATER in the code => need initialization of classes
exit(); $fatalcsrf=true;
} }
} }
/* Check the User identity (if required) */ /* Check the User identity (if required) */
if (!defined('NOCHECK')) { if (!defined('NOCHECK')) {
if (!$mem->checkid()) { if (!$mem->checkid()) {
@ -238,3 +239,9 @@ if ((variable_get('sql_max_username_length', NULL)==NULL)||(variable_get('sql_ma
} }
} }
if ($fatalcsrf) {
require_once("main.php");
exit();
}
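Review bot: After `$fatalcsrf=true` is set on line 51, config.php keeps executing until the deferred `require_once("main.php"); exit();` on lines 61–62, so on a failed CSRF check everything between the two hunks — the `$mem->checkid()` block starting on line 56 and whatever follows up to line 238, none of which is visible here — still runs for a request that carried no valid token. That is only safe if none of that code acts on `$_POST` or has its own early `exit()`/redirect that would skip the block on lines 60–63; the assumption deserves a comment next to line 46, e.g. `// CSRF failure is deferred to the end of this file so main.php (needed to render $error) is initialised first; nothing between here and that abort may act on $_POST.` The `!defined("NOCSRF")` exemption on line 47 means any script that defines that constant before including config.php bypasses the check entirely, so each endpoint using it should be audited individually. The code between the two hunks of this file is outside the diff.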