
Forum quick-reply fix.

This commit is contained in:
Cameron
2013-06-19 19:54:29 -07:00
parent a1c768f847
commit 29f74508c2
5 changed files with 66 additions and 17 deletions


@@ -580,11 +580,11 @@ if(isset($pref['lan_global_list']))
$sql->db_Mark_Time('Start: CHAP challenge'); $sql->db_Mark_Time('Start: CHAP challenge');
$die = (e_AJAX_REQUEST == true) ? false : true; // prevent json breakage.
e107::getSession() e107::getSession()
->challenge() // Make sure there is a unique challenge string for CHAP login ->challenge() // Make sure there is a unique challenge string for CHAP login
->check(); // Token protection ->check($die); // Token protection
unset($die);
// //
// N: misc setups: online user tracking, cache // N: misc setups: online user tracking, cache
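Review bot: The return value of `->check($die)` is discarded, so on AJAX requests (where `$die` is false) a failed token check is only logged and execution continues into whatever script was requested. Every AJAX entry point is now responsible for calling `check(false)` itself; in this commit only `ajaxQuickReply` does, so any other AJAX handler that relied on the global check dying has lost that protection. Keeping the failure fatal for AJAX too, but with a body the client can parse, avoids that gap: `if(!e107::getSession()->challenge()->check($die) && e_AJAX_REQUEST) { echo json_encode(array('status' => 'error', 'msg' => 'Token Error')); exit; }`. Separately, `$die = (e_AJAX_REQUEST == true) ? false : true;` reads more directly as `$die = !e_AJAX_REQUEST;` (how `e_AJAX_REQUEST` is defined is outside this hunk).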


@@ -715,12 +715,14 @@ class e_admin_log
* @param string Title for use inside the Log file * @param string Title for use inside the Log file
* @param boolean true = append to file, false = new file each save. * @param boolean true = append to file, false = new file each save.
*/ */
public function toFile($name,$logTitle='',$append=false) public function toFile($name, $logTitle='',$append=false)
{ {
$this->logFile = $name; $this->logFile = $name;
$this->saveToFile($logTitle,$append); $file = $this->saveToFile($logTitle,$append);
$this->logFile = null; $this->logFile = null;
return $file;
} }
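Review bot: `toFile()` now returns `$file`, but the docblock directly above still documents only the parameters, so the new return value is undocumented. Since `saveToFile()` is not visible here, a hedged line is enough: `@return mixed Result of saveToFile(); see that method for the possible values.` The signature change is whitespace only, so existing callers are unaffected.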


@@ -820,6 +820,7 @@ class e_core_session extends e_session
$this->end(); $this->end();
} }
/** /**
* Core CSF protection, see class2.php * Core CSF protection, see class2.php
* Could be adopted by plugins for their own (different) protection logic * Could be adopted by plugins for their own (different) protection logic
@@ -837,32 +838,45 @@ class e_core_session extends e_session
if($this->getSessionId()) if($this->getSessionId())
{ {
if((isset($_POST['e-token']) && !$this->checkFormToken($_POST['e-token'])) if((isset($_POST['e-token']) && !$this->checkFormToken($_POST['e-token']))
|| (isset($_GET['e-token']) && !$this->checkFormToken($_GET['e-token']))) || (isset($_GET['e-token']) && !$this->checkFormToken($_GET['e-token']))
|| (isset($_POST['e_token']) && !$this->checkFormToken($_POST['e_token']))) // '-' is not allowed in jquery. b
{ {
// if(defsettrue('e_DEBUG')) // if(defsettrue('e_DEBUG'))
{ {
$details = "USER: ".USERNAME."\n"; $details = "USER: ".USERNAME."\n";
$details = "HOST: ".$_SERVER['HTTP_HOST']."\n"; $details = "HOST: ".$_SERVER['HTTP_HOST']."\n";
$details .= "REQUEST_URI: ".$_SERVER['REQUEST_URI']."\n"; $details .= "REQUEST_URI: ".$_SERVER['REQUEST_URI']."\n";
$details .= "e-token (POST): ".$_POST['e-token']."\n"; $details .= ($_POST['e-token']) ? "e-token (POST): ".$_POST['e-token']."\n" : "";
$details .= "e-token (GET): ".$_GET['e-token']."\n"; $details .= ($_GET['e-token']) ? "e-token (GET): ".$_GET['e-token']."\n" : "";
$details .= ($_POST['e_token']) ? "AJAX e_token (POST): ".$_POST['e_token']."\n" : "";
$details .= "_SESSION:\n"; $details .= "_SESSION:\n";
$details .= print_r($_SESSION,true); $details .= print_r($_SESSION,true);
// $details .= "\n_POST:\n"; // $details .= "\n_POST:\n";
// $details .= print_r($_POST,true); // $details .= print_r($_POST,true);
// $details .= "\n_GET:\n"; // $details .= "\n_GET:\n";
// $details .= print_r($_GET,true); // $details .= print_r($_GET,true);
$details .= "\nPlugins:\n"; if($pref['plug_installed'])
$details .= print_r($pref['plug_installed'],true); {
$details .= "\nPlugins:\n";
$details .= print_r($pref['plug_installed'],true);
}
$details .= "die = ".($die == true ? 'true' : 'false')."\n\n---------------------------------\n\n";
$log = e107::getAdminLog(); $log = e107::getAdminLog();
$log->addDebug($details); $log->addDebug($details);
$log->toFile('Unauthorized_access','Unauthorized access Log', true); $log->toFile('Unauthorized_access','Unauthorized access Log', true);
$log->add('Unauthorized access!', $details, E_LOG_FATAL); $log->add('Unauthorized access!', $details, E_LOG_FATAL);
// e107::getAdminLog()->log_event('Unauthorized access!', $details, E_LOG_FATAL); // e107::getAdminLog()->log_event('Unauthorized access!', $details, E_LOG_FATAL);
} }
// do not redirect, prevent dead loop, save server resources // do not redirect, prevent dead loop, save server resources
if($die) die('Unauthorized access!'); if($die == true)
{
die('Unauthorized access!');
}
return false; return false;
} }
} }
@@ -883,8 +897,21 @@ class e_core_session extends e_session
} }
define('e_TOKEN', $this->getFormToken()); define('e_TOKEN', $this->getFormToken());
} }
return true; return true;
} }
/**
* Manually Reset the Token.
* @see e107forum::ajaxQuickReply();
*/
public function reset()
{
$this->_regenerateFormToken()->clear('__form_token_regenerate');
}
/** /**
* Make sure there is unique challenge string for CHAP login * Make sure there is unique challenge string for CHAP login
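Review bot: The new logging lines test `($_POST['e-token'])`, `($_GET['e-token'])` and `($_POST['e_token'])` by truthiness, which raises an undefined-index notice whenever that key is absent (the usual case, since a request normally carries only one of the three) and silently skips a token equal to `'0'`; use `isset($_POST['e-token']) ? "e-token (POST): ".$_POST['e-token']."\n" : ""` for each, matching the `isset()` checks in the condition above. The `HOST:` line still uses `=` rather than `.=`, so the `USER:` line is overwritten before anything is logged; change it to `$details .= "HOST: ".$_SERVER['HTTP_HOST']."\n";`. `$pref['plug_installed']` is read inside a method with no visible `global $pref` or `e107::getPref()`; it may be imported at the start of `check()`, which lies outside this hunk, but if not the plugin list is never logged and the new `if($pref['plug_installed'])` only hides that. The docblock of the new `reset()` should also state its consequence for callers: it regenerates the form token, so a page whose `data-token` was rendered before the reset will send a stale token on its next request unless `checkFormToken()` also accepts the previous value.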


@@ -27,7 +27,7 @@ $(document).ready(function()
var post = $(this).attr('data-forum-post'); var post = $(this).attr('data-forum-post');
var text = $('#forum-quickreply-text').val(); var text = $('#forum-quickreply-text').val();
var insert = $(this).attr('data-forum-insert'); var insert = $(this).attr('data-forum-insert');
var token = $(this).attr('data-token');
if(action != 'stick' && action !='unstick') if(action != 'stick' && action !='unstick')
@@ -40,8 +40,9 @@ $(document).ready(function()
$.ajax({ $.ajax({
type: "POST", type: "POST",
url: script, url: script,
data: { thread: thread, action: action, post: post, text: text, insert:insert }, data: { thread: thread, action: action, post: post, text: text, insert:insert, e_token: token },
success: function(data) { success: function(data) {
// alert(data); // alert(data);
var d = $.parseJSON(data); var d = $.parseJSON(data);
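Review bot: `token` is read from `data-token` on the clicked element, but in this commit only the quick-reply submit button in forum_viewtopic.php is given that attribute; for any other button that posts through this handler (the `stick`/`unstick` branch suggests there are some) `token` is `undefined`, and jQuery omits `e_token: undefined` from the POST body, so those requests carry no token at all. Either render `data-token='".e_TOKEN."'` on every button that reaches this handler, or read the token once from a shared element instead of the clicked one. The `$(document).ready` handler starts before and ends after this hunk.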
@@ -189,6 +190,16 @@ class e107forum
function ajaxQuickReply() function ajaxQuickReply()
{ {
$tp = e107::getParser(); $tp = e107::getParser();
if(!e107::getSession()->check(false))
{
//$ret['status'] = 'ok';
// $ret['msg'] = "Token Error";
// echo json_encode($ret);
exit;
}
if(varset($_POST['action']) == 'quickreply' && vartrue($_POST['text'])) if(varset($_POST['action']) == 'quickreply' && vartrue($_POST['text']))
{ {
@@ -223,7 +234,7 @@ class e107forum
$tmpl = e107::getTemplate('forum','forum_viewtopic','replies'); $tmpl = e107::getTemplate('forum','forum_viewtopic','replies');
$sc = e107::getScBatch('view', 'forum'); $sc = e107::getScBatch('view', 'forum');
$sc->setScVar('postInfo', $postInfo); $sc->setScVar('postInfo', $postInfo);
$ret['html'] = $tp->parseTemplate($tmpl, true, vartrue($forum_shortcodes)) . "\n"; $ret['html'] = $tp->parseTemplate($tmpl, true, $sc) . "\n";
} }
else else
{ {
@@ -237,6 +248,7 @@ class e107forum
echo json_encode($ret); echo json_encode($ret);
} }
e107::getSession()->reset();
exit; exit;
} }
@@ -246,6 +258,12 @@ class e107forum
function ajaxModerate() function ajaxModerate()
{ {
if(!ADMIN) //FIXME check permissions per forum.
{
exit;
}
if(!vartrue($_POST['thread']) && !vartrue($_POST['post'])) if(!vartrue($_POST['thread']) && !vartrue($_POST['post']))
{ {
exit; exit;
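Review bot: `ajaxModerate()` gains an `if(!ADMIN)` guard but no token check, while `ajaxQuickReply()` now calls `e107::getSession()->check(false)`; with class2.php passing `$die = false` for AJAX requests, the moderation endpoint is left with only the site-wide `ADMIN` constant between it and a forged cross-site request from a logged-in admin. Apply the same check there: `if(!ADMIN || !e107::getSession()->check(false)) { exit; }`. In `ajaxQuickReply()` the token-failure branch exits with an empty body, so the client's `$.parseJSON(data)` receives `''`; echoing the commented-out `$ret` error JSON before `exit` lets the front end report the failure instead of failing to parse. The `//FIXME check permissions per forum.` comment would be more useful as `// FIXME: ADMIN is site-wide; also verify the caller may moderate the forum this thread belongs to.` Both methods continue past the end of their hunks.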


@@ -376,16 +376,18 @@ if ($forum->checkPerm($thread->threadInfo['thread_forum_id'], 'post') && $thread
$ajaxInsert = ($thread->pages == $thread->page || $thread->pages == 0) ? 1 : 0; $ajaxInsert = ($thread->pages == $thread->page || $thread->pages == 0) ? 1 : 0;
// echo "AJAX-INSERT=".$ajaxInsert ."(".$thread->pages." vs ".$thread->page.")"; // echo "AJAX-INSERT=".$ajaxInsert ."(".$thread->pages." vs ".$thread->page.")";
$frm = e107::getForm();
$tVars->QUICKREPLY = " $tVars->QUICKREPLY = "
<form action='" . $e107->url->create('forum/thread/reply', array('id' => $thread->threadId)) . "' method='post'> <form action='" . $e107->url->create('forum/thread/reply', array('id' => $thread->threadId)) . "' method='post'>
<textarea cols='80' placeholder='".LAN_FORUM_2007."' rows='4' id='forum-quickreply-text' class='tbox input-xxlarge' name='post' onselect='storeCaret(this);' onclick='storeCaret(this);' onkeyup='storeCaret(this);'></textarea> <textarea cols='80' placeholder='".LAN_FORUM_2007."' rows='4' id='forum-quickreply-text' class='tbox input-xxlarge' name='post' onselect='storeCaret(this);' onclick='storeCaret(this);' onkeyup='storeCaret(this);'></textarea>
<div class='center'> <div class='center'>
<input type='submit' data-forum-insert='".$ajaxInsert."' data-forum-post='".$thread->threadInfo['thread_forum_id']."' data-forum-thread='".$threadId."' data-forum-action='quickreply' name='reply' value='".LAN_FORUM_2006. "' class='btn btn-success button' /> <input type='submit' data-token='".e_TOKEN."' data-forum-insert='".$ajaxInsert."' data-forum-post='".$thread->threadInfo['thread_forum_id']."' data-forum-thread='".$threadId."' data-forum-action='quickreply' name='reply' value='".LAN_FORUM_2006. "' class='btn btn-success button' />
<input type='hidden' name='thread_id' value='$thread_parent' /> <input type='hidden' name='thread_id' value='$thread_parent' />
</div> </div>
</form>"; </form>";
// Preview should be reserved for the full 'Post reply' page. <input type='submit' name='fpreview' value='" . Preview . "' class='btn button' /> &nbsp; // Preview should be reserved for the full 'Post reply' page. <input type='submit' name='fpreview' value='" . Preview . "' class='btn button' /> &nbsp;
} }
else else
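Review bot: `$frm = e107::getForm();` is assigned but not used anywhere in the visible lines of this hunk; if the enclosing branch (which continues past the hunk) does not use it either, drop the line. `e_TOKEN` is only `define()`d inside `e_core_session::check()` when a session id exists, so `data-token='".e_TOKEN."'` would emit the literal text `e_TOKEN` (with a notice) whenever the constant is missing; `data-token='".(defined('e_TOKEN') ? e_TOKEN : '')."'` keeps the markup well-formed in that case.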