From 831a4d8ecbe08cae58643e502dddd2137e5a184c Mon Sep 17 00:00:00 2001 From: Awilum Date: Wed, 3 Oct 2012 14:57:11 +0300 Subject: [PATCH] Themes Plugin: csrf vulnerability resolved --- plugins/box/themes/themes.admin.php | 99 +++++++++++++------ .../box/themes/views/backend/index.view.php | 16 +-- 2 files changed, 79 insertions(+), 36 deletions(-) mode change 100644 => 100755 plugins/box/themes/themes.admin.php mode change 100644 => 100755 plugins/box/themes/views/backend/index.view.php diff --git a/plugins/box/themes/themes.admin.php b/plugins/box/themes/themes.admin.php old mode 100644 new mode 100755 index 705b89b..17c8cd4 --- a/plugins/box/themes/themes.admin.php +++ b/plugins/box/themes/themes.admin.php 
@@ -459,70 +459,113 @@ // Delete chunk // ------------------------------------- case "delete_chunk": - File::delete($chunk_path.Request::get('filename').'.chunk.php'); - Notification::set('success', __('Chunk :name deleted', 'themes', array(':name' => File::name(Request::get('filename'))))); - Request::redirect('index.php?id=themes'); + + if (Security::check(Request::get('token'))) { + + File::delete($chunk_path.Request::get('filename').'.chunk.php'); + Notification::set('success', __('Chunk :name deleted', 'themes', array(':name' => File::name(Request::get('filename'))))); + Request::redirect('index.php?id=themes'); + + } else { die('csrf detected!'); } + break; // Delete styles // ------------------------------------- case "delete_styles": - File::delete($style_path.Request::get('filename').'.css'); - Notification::set('success', __('Styles :name deleted', 'themes', array(':name' => File::name(Request::get('filename'))))); - Request::redirect('index.php?id=themes'); + + if (Security::check(Request::get('token'))) { + + File::delete($style_path.Request::get('filename').'.css'); + Notification::set('success', __('Styles :name deleted', 'themes', array(':name' => File::name(Request::get('filename'))))); + Request::redirect('index.php?id=themes'); + + } else { die('csrf detected!'); } + break; // Delete script // ------------------------------------- case "delete_script": - File::delete($script_path.Request::get('filename').'.js'); - Notification::set('success', __('Script :name deleted', 'themes', array(':name' => File::name(Request::get('filename'))))); - Request::redirect('index.php?id=themes'); + + if (Security::check(Request::get('token'))) { + + File::delete($script_path.Request::get('filename').'.js'); + Notification::set('success', __('Script :name deleted', 'themes', array(':name' => File::name(Request::get('filename'))))); + Request::redirect('index.php?id=themes'); + + } else { die('csrf detected!'); } + break; // Delete template // 
------------------------------------- case "delete_template": - File::delete($template_path.Request::get('filename').'.template.php'); - Notification::set('success', __('Template :name deleted', 'themes', array(':name' => File::name(Request::get('filename'))))); - Request::redirect('index.php?id=themes'); + + if (Security::check(Request::get('token'))) { + + File::delete($template_path.Request::get('filename').'.template.php'); + Notification::set('success', __('Template :name deleted', 'themes', array(':name' => File::name(Request::get('filename'))))); + Request::redirect('index.php?id=themes'); + } + break; // Clone styles // ------------------------------------- case "clone_styles": - File::setContent(THEMES_SITE . DS . $current_site_theme . DS . 'css' . DS . Request::get('filename') .'_clone_'.date("Ymd_His").'.css', - File::getContent(THEMES_SITE . DS . $current_site_theme . DS . 'css' . DS . Request::get('filename') . '.css')); - - Request::redirect('index.php?id=themes'); + + if (Security::check(Request::get('token'))) { + + File::setContent(THEMES_SITE . DS . $current_site_theme . DS . 'css' . DS . Request::get('filename') .'_clone_'.date("Ymd_His").'.css', + File::getContent(THEMES_SITE . DS . $current_site_theme . DS . 'css' . DS . Request::get('filename') . '.css')); + + Request::redirect('index.php?id=themes'); + } + break; // Clone script // ------------------------------------- case "clone_script": - File::setContent(THEMES_SITE . DS . $current_site_theme . DS . 'js' . DS . Request::get('filename') .'_clone_'.date("Ymd_His").'.js', - File::getContent(THEMES_SITE . DS . $current_site_theme . DS . 'js' . DS . Request::get('filename') . '.js')); - - Request::redirect('index.php?id=themes'); + + if (Security::check(Request::get('token'))) { + + File::setContent(THEMES_SITE . DS . $current_site_theme . DS . 'js' . DS . Request::get('filename') .'_clone_'.date("Ymd_His").'.js', + File::getContent(THEMES_SITE . DS . $current_site_theme . DS . 'js' . DS . 
Request::get('filename') . '.js')); + + Request::redirect('index.php?id=themes'); + } + break; // Clone template // ------------------------------------- case "clone_template": - File::setContent(THEMES_SITE . DS . $current_site_theme . DS . Request::get('filename') .'_clone_'.date("Ymd_His").'.template.php', - File::getContent(THEMES_SITE . DS . $current_site_theme . DS . Request::get('filename') . '.template.php')); - - Request::redirect('index.php?id=themes'); + + if (Security::check(Request::get('token'))) { + + File::setContent(THEMES_SITE . DS . $current_site_theme . DS . Request::get('filename') .'_clone_'.date("Ymd_His").'.template.php', + File::getContent(THEMES_SITE . DS . $current_site_theme . DS . Request::get('filename') . '.template.php')); + + Request::redirect('index.php?id=themes'); + + } + break; // Clone chunk // ------------------------------------- case "clone_chunk": - File::setContent(THEMES_SITE . DS . $current_site_theme . DS . Request::get('filename') .'_clone_'.date("Ymd_His").'.chunk.php', - File::getContent(THEMES_SITE . DS . $current_site_theme . DS . Request::get('filename') . '.chunk.php')); - - Request::redirect('index.php?id=themes'); + + if (Security::check(Request::get('token'))) { + File::setContent(THEMES_SITE . DS . $current_site_theme . DS . Request::get('filename') .'_clone_'.date("Ymd_His").'.chunk.php', + File::getContent(THEMES_SITE . DS . $current_site_theme . DS . Request::get('filename') . '.chunk.php')); + + Request::redirect('index.php?id=themes'); + } + break; } diff --git a/plugins/box/themes/views/backend/index.view.php b/plugins/box/themes/views/backend/index.view.php old mode 100644 new mode 100755 index e529208..2cf8f44 --- a/plugins/box/themes/views/backend/index.view.php +++ b/plugins/box/themes/views/backend/index.view.php 
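Review bot: The token check added to each case leaves `Request::get('filename')` unvalidated, so the delete and clone branches still build paths such as `$chunk_path.Request::get('filename').'.chunk.php'` straight from a request value; restricting that value to a bare file name (no directory separators, not `.` or `..`) is the missing check, and it belongs next to the CSRF guard. The guard itself is applied inconsistently: `delete_chunk`, `delete_styles` and `delete_script` end in `else { die('csrf detected!'); }`, whereas `delete_template` and the four clone cases fall through to `break` silently, which neither reports nor records the rejected request. Since every case runs the same check, hoisting it once above the switch together with the file-name validation removes the seven copies and the inconsistency; the sketch below shows that shape. The token is read with `Request::get('token')`, which suggests these state-changing actions remain reachable through GET links — confirm that and consider moving them to POST, and confirm that `Security::check` (not in the hunk) validates against the session token with a constant-time comparison. The enclosing switch starts before and ends after this hunk.
```php
// Before the switch (its header is outside this hunk): one guard for every
// theme-file action instead of a copy per case.
if (!Security::check(Request::get('token'))) {
    Notification::set('error', __('Invalid security token', 'themes'));
    Request::redirect('index.php?id=themes');
    exit; // in case Request::redirect does not end the request itself
}
// Accept only a bare file name: no directory component, no traversal.
$filename = Request::get('filename');
if ($filename === null || $filename === '' || $filename === '.' || $filename === '..'
    || $filename !== basename($filename)) {
    Notification::set('error', __('Invalid file name', 'themes'));
    Request::redirect('index.php?id=themes');
    exit;
}

case "delete_chunk":
    File::delete($chunk_path . $filename . '.chunk.php');
    Notification::set('success', __('Chunk :name deleted', 'themes', array(':name' => File::name($filename))));
    Request::redirect('index.php?id=themes');
    break;
// … unchanged: the remaining delete_* and clone_* cases, each using $filename instead of Request::get('filename') and without a per-case token check …
```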
@@ -73,10 +73,10 @@ 'btn btn-actions')); ?> 'btn btn-actions btn-actions-default', 'onclick' => "return confirmDelete('".__('Delete template: :name', 'themes', array(':name' => basename($template, '.template.php')))."')")); ?> @@ -105,10 +105,10 @@ 'btn btn-actions')); ?> 'btn btn-actions btn-actions-default', 'onclick' => "return confirmDelete('".__('Delete chunk: :name', 'themes', array(':name' => basename($chunk, '.chunk.php')))."')")); ?> @@ -137,10 +137,10 @@ 'btn btn-actions')); ?> 'btn btn-actions btn-actions-default', 'onclick' => "return confirmDelete('".__('Delete styles: :name', 'themes', array(':name' => basename($style, '.css')))."')")); ?> @@ -169,10 +169,10 @@ 'btn btn-actions')); ?> 'btn btn-actions btn-actions-default', 'onclick' => "return confirmDelete('".__('Delete script: :name', 'themes', array(':name' => basename($script, '.js')))."')")); ?>