mirror/php-monstra
1
0
Fork 0
mirror of https://github.com/monstra-cms/monstra.git synced 2025-08-04 12:17:42 +02:00
Code Issues Releases Wiki Activity

Files Manager Plugin: csrf vulnerability resolved

Browse Source
This commit is contained in:
Awilum
2012-10-03 15:11:58 +03:00
parent 582c469148
commit 167c1aac7a
2 changed files with 25 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
plugins/box/filesmanager/filesmanager.admin.php Normal file → Executable file
View File

@@ -75,31 +75,42 @@
// Delete file // Delete file
// ------------------------------------- // -------------------------------------
if (Request::get('id') == 'filesmanager') { if (Request::get('id') == 'filesmanager' && Request::get('delete_file')) {
if (Request::get('delete_file')) {
if (Security::check(Request::get('token'))) {
File::delete($files_path.Request::get('delete_file')); File::delete($files_path.Request::get('delete_file'));
Request::redirect($site_url.'admin/index.php?id=filesmanager&path='.$path); Request::redirect($site_url.'admin/index.php?id=filesmanager&path='.$path);
}
} else { die('csrf detected!'); }
} }
// Delete dir // Delete dir
// ------------------------------------- // -------------------------------------
if (Request::get('id') == 'filesmanager') { if (Request::get('id') == 'filesmanager' && Request::get('delete_dir')) {
if (Request::get('delete_dir')) {
if (Security::check(Request::get('token'))) {
Dir::delete($files_path.Request::get('delete_dir')); Dir::delete($files_path.Request::get('delete_dir'));
Request::redirect($site_url.'admin/index.php?id=filesmanager&path='.$path); Request::redirect($site_url.'admin/index.php?id=filesmanager&path='.$path);
}
} else { die('csrf detected!'); }
} }
// Upload file // Upload file
// ------------------------------------- // -------------------------------------
if (Request::post('upload_file')) { if (Request::post('upload_file')) {
if (Security::check(Request::post('csrf'))) {
if ($_FILES['file']) { if ($_FILES['file']) {
if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) { if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) {
move_uploaded_file($_FILES['file']['tmp_name'], $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), '-', true).'.'.File::ext($_FILES['file']['name'])); move_uploaded_file($_FILES['file']['tmp_name'], $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), '-', true).'.'.File::ext($_FILES['file']['name']));
Request::redirect($site_url.'admin/index.php?id=filesmanager&path='.$path); Request::redirect($site_url.'admin/index.php?id=filesmanager&path='.$path);
} }
} }
} else { die('csrf detected!'); }
} }
// Display view // Display view

5
plugins/box/filesmanager/views/backend/index.view.php Normal file → Executable file
View File

@@ -5,6 +5,7 @@
<?php <?php
echo ( echo (
Form::open(null, array('enctype' => 'multipart/form-data')). Form::open(null, array('enctype' => 'multipart/form-data')).
Form::hidden('csrf', Security::token()).
Form::input('file', null, array('type' => 'file', 'size' => '25')).Html::br(). Form::input('file', null, array('type' => 'file', 'size' => '25')).Html::br().
Form::submit('upload_file', __('Upload', 'filesmanager'), array('class' => 'btn default btn-small')). Form::submit('upload_file', __('Upload', 'filesmanager'), array('class' => 'btn default btn-small')).
Form::close() Form::close()
@@ -50,7 +51,7 @@
</td> </td>
<td> <td>
<?php echo Html::anchor(__('Delete', 'filesmanager'), <?php echo Html::anchor(__('Delete', 'filesmanager'),
'index.php?id=filesmanager&delete_dir='.$dir.'&path='.$path, 'index.php?id=filesmanager&delete_dir='.$dir.'&path='.$path.'&token='.Security::token(),
array('class' => 'btn', 'onclick' => "return confirmDelete('".__('Delete directory: :dir', 'filesmanager', array(':dir' => $dir))."')")); array('class' => 'btn', 'onclick' => "return confirmDelete('".__('Delete directory: :dir', 'filesmanager', array(':dir' => $dir))."')"));
?> ?>
</td> </td>
@@ -70,7 +71,7 @@
</td> </td>
<td> <td>
<?php echo Html::anchor(__('Delete', 'filesmanager'), <?php echo Html::anchor(__('Delete', 'filesmanager'),
'index.php?id=filesmanager&delete_file='.$file.'&path='.$path, 'index.php?id=filesmanager&delete_file='.$file.'&path='.$path.'&token='.Security::token(),
array('class' => 'btn btn-actions', 'onclick' => "return confirmDelete('".__('Delete file: :file', 'filesmanager', array(':file' => $file))."')")); array('class' => 'btn btn-actions', 'onclick' => "return confirmDelete('".__('Delete file: :file', 'filesmanager', array(':file' => $file))."')"));
?> ?>
</td> </td>