
Revision 1395

Added by FrankH almost 14 years ago

  1. Security fix in admin/addons


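--- a/branches/2.8.x/CHANGELOG
+++ b/branches/2.8.x/CHANGELOG
@@ -11,6 +11,8 @@
 ! = Update/Change
 
 ------------------------------------- 2.8.2 -------------------------------------
+17 Jan-2011 Build 1395 Frank Heyne (FrankH)
+# Security fix in admin/addons
 16 Jan-2011 Build 1394 Dietmar Woellbrink (Luisehahne)
 ! set construct to FRONTEND class.wb
 ! set 2.8.2 to RC5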
branches/2.8.x/wb/admin/interface/version.php
52 52

  
53 53
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
54 54
if(!defined('VERSION')) define('VERSION', '2.8.2.RC5');
55
if(!defined('REVISION')) define('REVISION', '1394');
55
if(!defined('REVISION')) define('REVISION', '1395');
56 56

  
57 57
?>
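--- a/branches/2.8.x/wb/admin/addons/reload.php
+++ b/branches/2.8.x/wb/admin/addons/reload.php
@@ -36,6 +36,12 @@
 $admin = new admin('Admintools', 'admintools', false, false);
 if ($admin->get_permission('admintools') == false) die(header('Location: ../../index.php'));
 
+if (!$admin->checkFTAN())
+{
+	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL);
+	exit();
+}
+
 // check if the referer URL if available
 $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 
 	(isset($HTTP_SERVER_VARS['HTTP_REFERER']) ? $HTTP_SERVER_VARS['HTTP_REFERER'] : '');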
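Review bot: The new checkFTAN() guard on lines 39-43 carries no comment saying what it defends against, and it relies on `$MESSAGE['GENERIC_SECURITY_ACCESS']` and `ADMIN_URL` being defined, neither of which is visible in this hunk (presumably set up by the admin constructor or the config include above it). I'd put `// CSRF guard: reject a reload request that does not carry the form transaction token (FTAN) issued with the addons form` above the `if`. Whether checkFTAN() reads the token only from the POST body or also accepts it from the query string is not visible here; confirm it is bound to the posted form so a plain GET cannot satisfy the check. The explicit `exit()` after print_error() is fine to keep even if print_error() already terminates, since it makes the control flow obvious without reading the admin class.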
branches/2.8.x/wb/admin/addons/index.php
73 73
                ? '<a href="' . ADMIN_URL . '/addons/index.php?advanced">' . $TEXT['ADVANCED'] . '</a>' : '',
74 74
	'ADVANCED_URL' => $admin->get_permission('admintools') ? ADMIN_URL . '/addons/index.php' : '',
75 75
    'TEXT_ADVANCED' => $TEXT['ADVANCED'],
76

  
76
	'FTAN'			=> $admin->getFTAN()
77 77
	)
78 78
);
79 79

  
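Review bot: The added `'FTAN'` entry on line 76 is indented with a tab and aligned with a run of tabs, whereas its neighbours on lines 73 and 75 are space-indented; the file already mixes both, but the new line should match its immediate neighbour and carry a trailing comma so the next entry is a one-line change: `    'FTAN' => $admin->getFTAN(),`. The templates drop this value straight into the form as `{FTAN}`, which implies getFTAN() returns ready hidden-input markup rather than a bare token — that is an inference from the template sections, not from this hunk, so a comment on the line such as `// hidden <input> carrying the CSRF token checked by checkFTAN() in reload.php` would save the next maintainer the lookup. The template-variable array this entry belongs to opens above the hunk.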
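--- a/branches/2.8.x/wb/templates/wb_theme/templates/addons.htt
+++ b/branches/2.8.x/wb/templates/wb_theme/templates/addons.htt
@@ -48,6 +48,7 @@
 		<tr>
 			<td class="description">
 				<form action="{RELOAD_URL}" method="post">
+				{FTAN}
 				{MESSAGE_RELOAD_ADDONS}<br style="margin-bottom: 0.5em" />
 				<input {DISPLAY_MODULES} type="checkbox" name="reload_modules" id="reload_modules" value="true" />
 				<label {DISPLAY_MODULES} for="reload_modules">{MODULES}</label>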
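Review bot: `{FTAN}` is placed bare inside the form on line 51 (and likewise on line 42 of argos_theme/templates/addons.htt), which is only correct if the variable expands to complete `<input type="hidden" …>` markup; if getFTAN() ever returns just the token string, the token is rendered as visible text and the POST does not carry it, so reload.php's new check would reject every submission. If the variable is the bare token, the line should instead be `<input type="hidden" name="FTAN" value="{FTAN}" />` (using whatever field name checkFTAN() reads). I can't see getFTAN() from here, so confirm which contract holds, and consider a short template comment next to the placeholder naming it as the CSRF token field so theme authors keep it when they customise the form.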
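--- a/branches/2.8.x/wb/templates/argos_theme/templates/addons.htt
+++ b/branches/2.8.x/wb/templates/argos_theme/templates/addons.htt
@@ -39,6 +39,7 @@
 					<td class="graphic" align="center" valign="middle" rowspan="2"><img src="{THEME_URL}/icons/admintools.png" alt="{TXT_ADMIN_SETTINGS}" /> </td>
 					<td class="description" valign="top"><span class="title">{TXT_ADMIN_SETTINGS}</span>
 						<form action="{RELOAD_URL}" method="post">
+						{FTAN}
 							{MESSAGE_RELOAD_ADDONS}
 							<br style="margin-bottom: 0.5em" />
 							<input {DISPLAY_MODULES} type="checkbox" name="reload_modules" id="reload_modules" value="true" />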
branches/2.8.x/wb/modules/edit_module_files.php
115 115

  
116 116
		// output content of module file to textareas
117 117
	?>
118
		<form name="edit_module_file" action="<?php echo $_SERVER['PHP_SELF'];?>" method="post" style="margin: 0;">
118
		<form name="edit_module_file" action="<?php echo $_SERVER['SCRIPT_NAME'];?>" method="post" style="margin: 0;">
119 119
	  	<input type="hidden" name="page_id" value="<?php echo $page_id; ?>" />
120 120
	  	<input type="hidden" name="section_id" value="<?php echo $section_id; ?>" />
121 121
	  	<input type="hidden" name="mod_dir" value="<?php echo $mod_dir; ?>" />
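Review bot: The new form action on line 118 still echoes `$_SERVER['SCRIPT_NAME']` into an HTML attribute without encoding. Replacing PHP_SELF removes the request-controlled PATH_INFO suffix, which is the right fix, but SCRIPT_NAME is a server-populated value whose exact contents differ between SAPI setups, so it should still be encoded at the output boundary: `action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES); ?>"`. The hidden inputs on lines 119-121 echo `$page_id`, `$section_id` and `$mod_dir` the same unencoded way; they are outside this change but share the fix. The PHP block this form sits in opens above the hunk.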
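--- a/branches/2.8.x/wb/modules/news/submit_comment.php
+++ b/branches/2.8.x/wb/modules/news/submit_comment.php
@@ -52,6 +52,9 @@
 
 	$comment = $wb->add_slashes(strip_tags($comment));
 	$title = $wb->add_slashes(strip_tags($_POST['title']));
+	// do not allow droplets in user input!
+	$title = str_replace(array("[[", "]]"), array("&#91;&#91;", "&#93;&#93;"), $title);
+	$comment = str_replace(array("[[", "]]"), array("&#91;&#91;", "&#93;&#93;"), $comment);
 	$page_id = $_GET['page_id'];
 	$section_id = $_GET['section_id'];
 	$post_id = $_GET['post_id'];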
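Review bot: The droplet-neutralising replacement on lines 56-57 is written out twice with the same two arrays, once for `$title` and once for `$comment`, so the two fields can drift apart if the set of sequences ever changes; a small helper such as `function remove_droplet_markers($s) { return str_replace(array("[[", "]]"), array("&#91;&#91;", "&#93;&#93;"), $s); }` called on both keeps them in step. Running it after add_slashes() is fine because the replaced sequences contain no quotes, but the comment on line 55 should say what it defends against, e.g. `// neutralise [[ ]] so visitor-supplied text can never be evaluated as a droplet when the comment is rendered`. Whether any later stage decodes HTML entities before the droplet parser runs is not visible here; if it does, this replacement would be undone, so confirm against the output path. The block these lines sit in opens above the hunk.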
