mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-04-21 00:02:18 +02:00
Code Issues Releases Wiki Activity

Merge branch '3.2.x'

Browse Source 
* 3.2.x:
  [ticket/14789] Add form tokens to tests and uncomment add_form_key
  [ticket/14789] Add link hashes and form tokens to all acp links/buttons
This commit is contained in:
Tristan Darricau 2016-09-18 21:17:18 +02:00
commit 3c2b7d026b
No known key found for this signature in database
GPG Key ID: 817043C2E29DB881
9 changed files with 118 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
phpBB/includes/acp/acp_database.php
View File

@ -38,6 +38,14 @@ class acp_database
$action = $request->variable('action', '');
$form_key = 'acp_database';
add_form_key($form_key);
if ($submit && !check_form_key($form_key))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$template->assign_vars(array(
'MODE' => $mode
));

18
phpBB/includes/acp/acp_icons.php
View File

@ -40,6 +40,15 @@ class acp_icons
$action = (isset($_POST['edit'])) ? 'edit' : $action;
$action = (isset($_POST['import'])) ? 'import' : $action;
$icon_id = $request->variable('id', 0);
$submit = $request->is_set_post('submit', false);
$form_key = 'acp_icons';
add_form_key($form_key);
if ($submit && !check_form_key($form_key))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$mode = ($mode == 'smilies') ? 'smilies' : 'icons';
@ -822,6 +831,11 @@ class acp_icons
case 'move_up':
case 'move_down':
if (!check_link_hash($request->variable('hash', ''), 'acp_icons'))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
// Get current order id...
$sql = "SELECT {$fields}_order as current_order
FROM $table
@ -941,8 +955,8 @@ class acp_icons
'EMOTION' => (isset($row['emotion'])) ? $row['emotion'] : '',
'U_EDIT' => $this->u_action . '&action=edit&id=' . $row[$fields . '_id'],
'U_DELETE' => $this->u_action . '&action=delete&id=' . $row[$fields . '_id'],
'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row[$fields . '_id'] . '&start=' . $pagination_start,
'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row[$fields . '_id'] . '&start=' . $pagination_start,
'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row[$fields . '_id'] . '&start=' . $pagination_start . '&hash=' . generate_link_hash('acp_icons'),
'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row[$fields . '_id'] . '&start=' . $pagination_start . '&hash=' . generate_link_hash('acp_icons'),
));
if (!$spacer && !$row['display_on_posting'])

7
phpBB/includes/acp/acp_language.php
View File

@ -244,6 +244,11 @@ class acp_language
break;
case 'install':
if (!check_link_hash($request->variable('hash', ''), 'acp_language'))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$lang_iso = $request->variable('iso', '');
$lang_iso = basename($lang_iso);
@ -405,7 +410,7 @@ class acp_language
'ISO' => htmlspecialchars($lang_ary['iso']),
'LOCAL_NAME' => htmlspecialchars($lang_ary['local_name'], ENT_COMPAT, 'UTF-8'),
'NAME' => htmlspecialchars($lang_ary['name'], ENT_COMPAT, 'UTF-8'),
'U_INSTALL' => $this->u_action . '&action=install&iso=' . urlencode($lang_ary['iso']))
'U_INSTALL' => $this->u_action . '&action=install&iso=' . urlencode($lang_ary['iso']) . '&hash=' . generate_link_hash('acp_language'))
);
}
}

30
phpBB/includes/acp/acp_modules.php
View File

@ -50,6 +50,9 @@ class acp_modules
$user->add_lang('acp/modules');
$this->tpl_name = 'acp_modules';
$form_key = 'acp_modules';
add_form_key($form_key);
// module class
$this->module_class = $mode;
@ -130,6 +133,11 @@ class acp_modules
trigger_error($user->lang['NO_MODULE_ID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING);
}
if (!check_link_hash($request->variable('hash', ''), 'acp_modules'))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING);
}
$sql = 'SELECT *
FROM ' . MODULES_TABLE . "
WHERE module_class = '" . $db->sql_escape($this->module_class) . "'
@ -161,6 +169,11 @@ class acp_modules
trigger_error($user->lang['NO_MODULE_ID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING);
}
if (!check_link_hash($request->variable('hash', ''), 'acp_modules'))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING);
}
$sql = 'SELECT *
FROM ' . MODULES_TABLE . "
WHERE module_class = '" . $db->sql_escape($this->module_class) . "'
@ -305,6 +318,11 @@ class acp_modules
if ($submit)
{
if (!check_form_key($form_key))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING);
}
if (!$module_data['module_langname'])
{
trigger_error($user->lang['NO_MODULE_LANGNAME'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING);
@ -506,12 +524,12 @@ class acp_modules
'S_ACP_MODULE_MANAGEMENT' => ($this->module_class == 'acp' && ($row['module_basename'] == 'modules' || $row['module_langname'] == 'ACP_MODULE_MANAGEMENT')) ? true : false,
'U_MODULE' => $this->u_action . '&parent_id=' . $row['module_id'],
'U_MOVE_UP' => $url . '&action=move_up',
'U_MOVE_DOWN' => $url . '&action=move_down',
'U_MOVE_UP' => $url . '&action=move_up&hash=' . generate_link_hash('acp_modules'),
'U_MOVE_DOWN' => $url . '&action=move_down&hash=' . generate_link_hash('acp_modules'),
'U_EDIT' => $url . '&action=edit',
'U_DELETE' => $url . '&action=delete',
'U_ENABLE' => $url . '&action=enable',
'U_DISABLE' => $url . '&action=disable')
'U_ENABLE' => $url . '&action=enable&hash=' . generate_link_hash('acp_modules'),
'U_DISABLE' => $url . '&action=disable&hash=' . generate_link_hash('acp_modules'))
);
}
while ($row = $db->sql_fetchrow($result));
@ -538,8 +556,8 @@ class acp_modules
'U_EDIT' => $url . '&action=edit',
'U_DELETE' => $url . '&action=delete',
'U_ENABLE' => $url . '&action=enable',
'U_DISABLE' => $url . '&action=disable')
'U_ENABLE' => $url . '&action=enable&hash=' . generate_link_hash('acp_modules'),
'U_DISABLE' => $url . '&action=disable&hash=' . generate_link_hash('acp_modules'))
);
}
$db->sql_freeresult($result);

9
phpBB/includes/acp/acp_permission_roles.php
View File

@ -367,6 +367,11 @@ class acp_permission_roles
case 'move_up':
case 'move_down':
if (!check_link_hash($request->variable('hash', ''), 'acp_permission_roles'))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$sql = 'SELECT role_order
FROM ' . ACL_ROLES_TABLE . "
WHERE role_id = $role_id";
@ -441,8 +446,8 @@ class acp_permission_roles
'U_EDIT' => $this->u_action . '&action=edit&role_id=' . $row['role_id'],
'U_REMOVE' => $this->u_action . '&action=remove&role_id=' . $row['role_id'],
'U_MOVE_UP' => $this->u_action . '&action=move_up&role_id=' . $row['role_id'],
'U_MOVE_DOWN' => $this->u_action . '&action=move_down&role_id=' . $row['role_id'],
'U_MOVE_UP' => $this->u_action . '&action=move_up&role_id=' . $row['role_id'] . '&hash=' . generate_link_hash('acp_permission_roles'),
'U_MOVE_DOWN' => $this->u_action . '&action=move_down&role_id=' . $row['role_id'] . '&hash=' . generate_link_hash('acp_permission_roles'),
'U_DISPLAY_ITEMS' => ($row['role_id'] == $display_item) ? '' : $this->u_action . '&display_item=' . $row['role_id'] . '#assigned_to')
);

29
phpBB/includes/acp/acp_profile.php
View File

@ -56,6 +56,9 @@ class acp_profile
$error = array();
$form_key = 'acp_profile';
add_form_key($form_key);
if (!$field_id && in_array($action, array('delete','activate', 'deactivate', 'move_up', 'move_down', 'edit')))
{
trigger_error($user->lang['NO_FIELD_ID'] . adm_back_link($this->u_action), E_USER_WARNING);
@ -166,6 +169,11 @@ class acp_profile
case 'activate':
if (!check_link_hash($request->variable('hash', ''), 'acp_profile'))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$sql = 'SELECT lang_id
FROM ' . LANG_TABLE . "
WHERE lang_iso = '" . $db->sql_escape($config['default_lang']) . "'";
@ -206,6 +214,11 @@ class acp_profile
case 'deactivate':
if (!check_link_hash($request->variable('hash', ''), 'acp_profile'))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$sql = 'UPDATE ' . PROFILE_FIELDS_TABLE . "
SET field_active = 0
WHERE field_id = $field_id";
@ -235,6 +248,11 @@ class acp_profile
case 'move_up':
case 'move_down':
if (!check_link_hash($request->variable('hash', ''), 'acp_profile'))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$sql = 'SELECT field_order
FROM ' . PROFILE_FIELDS_TABLE . "
WHERE field_id = $field_id";
@ -584,6 +602,11 @@ class acp_profile
if (!sizeof($error))
{
if (!check_form_key($form_key))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
if (($step == 3 && (sizeof($this->lang_defs['iso']) == 1 || $save)) || ($action == 'edit' && $save))
{
$this->save_profile_field($cp, $field_type, $action);
@ -740,12 +763,12 @@ class acp_profile
'FIELD_TYPE' => $profile_field->get_name(),
'L_ACTIVATE_DEACTIVATE' => $user->lang[$active_lang],
'U_ACTIVATE_DEACTIVATE' => $this->u_action . "&action=$active_value&field_id=$id",
'U_ACTIVATE_DEACTIVATE' => $this->u_action . "&action=$active_value&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'),
'U_EDIT' => $this->u_action . "&action=edit&field_id=$id",
'U_TRANSLATE' => $this->u_action . "&action=edit&field_id=$id&step=3",
'U_DELETE' => $this->u_action . "&action=delete&field_id=$id",
'U_MOVE_UP' => $this->u_action . "&action=move_up&field_id=$id",
'U_MOVE_DOWN' => $this->u_action . "&action=move_down&field_id=$id",
'U_MOVE_UP' => $this->u_action . "&action=move_up&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'),
'U_MOVE_DOWN' => $this->u_action . "&action=move_down&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'),
'S_NEED_EDIT' => $s_need_edit)
);

9
phpBB/includes/acp/acp_reasons.php
View File

@ -281,6 +281,11 @@ class acp_reasons
case 'move_up':
case 'move_down':
if (!check_link_hash($request->variable('hash', ''), 'acp_reasons'))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$sql = 'SELECT reason_order
FROM ' . REPORTS_REASONS_TABLE . "
WHERE reason_id = $reason_id";
@ -382,8 +387,8 @@ class acp_reasons
'U_EDIT' => $this->u_action . '&action=edit&id=' . $row['reason_id'],
'U_DELETE' => (!$other_reason) ? $this->u_action . '&action=delete&id=' . $row['reason_id'] : '',
'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row['reason_id'],
'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row['reason_id'])
'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row['reason_id'] . '&hash=' . generate_link_hash('acp_reasons'),
'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row['reason_id'] . '&hash=' . generate_link_hash('acp_reasons'))
);
}
$db->sql_freeresult($result);

16
phpBB/includes/acp/acp_search.php
View File

@ -54,6 +54,13 @@ class acp_search
global $config, $phpbb_admin_path, $phpEx;
$submit = (isset($_POST['submit'])) ? true : false;
$form_key = 'acp_search';
add_form_key($form_key);
if ($submit && !check_form_key($form_key))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$search_types = $this->get_search_types();
@ -244,6 +251,15 @@ class acp_search
$this->state = array();
$this->save_state();
}
$submit = $request->is_set_post('submit', false);
$form_key = 'acp_search';
add_form_key($form_key);
if (!check_form_key($form_key) && in_array($action, array('delete', 'create')))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
if ($action)
{

8
tests/functional/search/base.php
View File

@ -78,6 +78,8 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case
protected function create_search_index($backend = null)
{
$this->add_lang('acp/search');
$crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid);
$form_values = $crawler->selectButton('Delete index')->form()->getValues();
$crawler = self::request(
'POST',
'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid,
@ -85,6 +87,8 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case
'search_type' => ( ($backend === null) ? $this->search_backend : $backend ),
'action' => 'create',
'submit' => true,
'form_token' => $form_values['form_token'],
'creation_time' => $form_values['creation_time'],
)
);
$this->assertContainsLang('SEARCH_INDEX_CREATED', $crawler->text());
@ -93,6 +97,8 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case
protected function delete_search_index()
{
$this->add_lang('acp/search');
$crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid);
$form_values = $crawler->selectButton('Delete index')->form()->getValues();
$crawler = self::request(
'POST',
'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid,
@ -100,6 +106,8 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case
'search_type' => $this->search_backend,
'action' => 'delete',
'submit' => true,
'form_token' => $form_values['form_token'],
'creation_time' => $form_values['creation_time'],
)
);
$this->assertContainsLang('SEARCH_INDEX_REMOVED', $crawler->text());