mirror/php-monstra
1
0
Fork 0
mirror of https://github.com/monstra-cms/monstra.git synced 2025-08-03 11:47:51 +02:00
Code Issues Releases Wiki Activity

Backup Plugin: csrf vulnerability resolved

Browse Source
This commit is contained in:
Awilum
2012-10-03 13:46:00 +03:00
parent d36c06d8a6
commit 3f7b10592f
2 changed files with 29 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
plugins/box/backup/backup.admin.php Normal file → Executable file
View File

@@ -17,6 +17,8 @@
// ------------------------------------- // -------------------------------------
if (Request::post('create_backup')) { if (Request::post('create_backup')) {
if (Security::check(Request::post('csrf'))) {
@set_time_limit(0); @set_time_limit(0);
@ini_set("memory_limit", "512M"); @ini_set("memory_limit", "512M");
@@ -32,21 +34,28 @@
if (Request::post('add_plugins_folder')) $zip->readDir(PLUGINS . DS, false); if (Request::post('add_plugins_folder')) $zip->readDir(PLUGINS . DS, false);
$zip->archive($backups_path . DS . Date::format(time(), "Y-m-d-H-i-s").'.zip'); $zip->archive($backups_path . DS . Date::format(time(), "Y-m-d-H-i-s").'.zip');
} else { die('csrf detected!'); }
} }
// Delete backup // Delete backup
// ------------------------------------- // -------------------------------------
if (Request::get('sub_id') == 'backup') { if (Request::get('sub_id') == 'backup' && Request::get('delete_file')) {
if (Request::get('delete_file')) {
if (Security::check(Request::get('token'))) {
File::delete($backups_path . DS . Request::get('delete_file')); File::delete($backups_path . DS . Request::get('delete_file'));
Request::redirect(Option::get('siteurl').'admin/index.php?id=backup'); Request::redirect(Option::get('siteurl').'admin/index.php?id=backup');
}
} else { die('csrf detected!'); }
} }
// Download backup // Download backup
// ------------------------------------- // -------------------------------------
if (Request::get('download')) { if (Request::get('download')) {
if (Security::check(Request::get('token'))) {
File::download($backups_path . DS . Request::get('download')); File::download($backups_path . DS . Request::get('download'));
} else { die('csrf detected!'); }
} }
// Get backup list // Get backup list

5
plugins/box/backup/views/backend/index.view.php Normal file → Executable file
View File

@@ -10,6 +10,7 @@ $().ready(function(){$('[name=create_backup]').click(function(){$(this).button('
<?php <?php
echo ( echo (
Form::open() . Form::open() .
Form::hidden('csrf', Security::token()).
Form::checkbox('add_storage_folder', null, true, array('disabled' => 'disabled')) . ' ' . __('storage', 'backup') . ' ' . Html::nbsp(2) . Form::checkbox('add_storage_folder', null, true, array('disabled' => 'disabled')) . ' ' . __('storage', 'backup') . ' ' . Html::nbsp(2) .
Form::checkbox('add_public_folder') . ' ' . __('public', 'backup') . ' ' . Html::nbsp(2) . Form::checkbox('add_public_folder') . ' ' . __('public', 'backup') . ' ' . Html::nbsp(2) .
Form::checkbox('add_plugins_folder') . ' ' . __('plugins', 'backup') . ' ' . Html::nbsp(2) . Form::checkbox('add_plugins_folder') . ' ' . __('plugins', 'backup') . ' ' . Html::nbsp(2) .
@@ -32,12 +33,12 @@ $().ready(function(){$('[name=create_backup]').click(function(){$(this).button('
<tr> <tr>
<td> <td>
<?php $name = strtotime(str_replace('-', '', basename($backup, '.zip'))); ?> <?php $name = strtotime(str_replace('-', '', basename($backup, '.zip'))); ?>
<?php echo Html::anchor(Date::format($name, 'F jS, Y - g:i A'), Option::get('siteurl').'admin/index.php?id=backup&download='.$backup); ?> <?php echo Html::anchor(Date::format($name, 'F jS, Y - g:i A'), Option::get('siteurl').'admin/index.php?id=backup&download='.$backup.'&token='.Security::token()); ?>
</td> </td>
<td><?php echo Number::byteFormat(filesize(ROOT . DS . 'backups' . DS . $backup)); ?></td> <td><?php echo Number::byteFormat(filesize(ROOT . DS . 'backups' . DS . $backup)); ?></td>
<td> <td>
<?php echo Html::anchor(__('Delete', 'backup'), <?php echo Html::anchor(__('Delete', 'backup'),
'index.php?id=system&sub_id=backup&delete_file='.$backup, 'index.php?id=system&sub_id=backup&delete_file='.$backup.'&token='.Security::token(),
array('class' => 'btn btn-actions', 'onclick' => "return confirmDelete('".__('Delete backup: :backup', 'backup', array(':backup' => Date::format($name, 'F jS, Y - g:i A')))."')")); array('class' => 'btn btn-actions', 'onclick' => "return confirmDelete('".__('Delete backup: :backup', 'backup', array(':backup' => Date::format($name, 'F jS, Y - g:i A')))."')"));
?> ?>
</td> </td>