mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-07-30 21:40:43 +02:00
Code Issues Releases Wiki Activity

[ticket/security/244] Add form token check to plupload

Browse Source 
SECURTIY-244
This commit is contained in:
Marc Alexander
2019-06-30 22:40:34 +02:00
parent 525c940385
commit 56477a8f7c
4 changed files with 52 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
phpBB/assets/javascript/plupload.js
View File

@@ -90,6 +90,12 @@ phpbb.plupload.getSerializedData = function() {
obj['attachment_data[' + i + '][' + key + ']'] = datum[key];
}
}
// Insert form data
var $pluploadForm = $(phpbb.plupload.config.form_hook).first();
obj.creation_time = $pluploadForm.find('input[type=hidden][name="creation_time"]').val();
obj.form_token = $pluploadForm.find('input[type=hidden][name="form_token"]').val();
return obj;
};
@@ -264,6 +270,17 @@ phpbb.plupload.deleteFile = function(row, attachId) {
return;
}
// Handle errors while deleting file
if (typeof response.error !== 'undefined') {
phpbb.alert(phpbb.plupload.lang.ERROR, response.error.message);
// We will have to assume that the deletion failed. So leave the file status as uploaded.
row.find('.file-status').toggleClass('file-uploaded');
return;
}
phpbb.plupload.update(response, 'removal', index);
// Check if the user can upload files now if he had reached the max files limit.
phpbb.plupload.handleMaxFilesReached();