From 59766b944c9ea3a45b1d7e8593f7bb5d4a0b8445 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20H=C3=B6=C3=9Fl?= Date: Mon, 12 Mar 2012 20:17:37 +0000 Subject: Some security against XSRF-attacks --- mod/profiles.php | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) (limited to 'mod/profiles.php') diff --git a/mod/profiles.php b/mod/profiles.php index ccd7d5474..b307a2d43 100755 --- a/mod/profiles.php +++ b/mod/profiles.php @@ -21,6 +21,9 @@ function profiles_post(&$a) { notice( t('Profile not found.') . EOL); return; } + + check_form_security_token_redirectOnErr('/profiles', 'profile_edit'); + $is_default = (($orig[0]['is-default']) ? 1 : 0); $profile_name = notags(trim($_POST['profile_name'])); @@ -240,6 +243,8 @@ function profiles_content(&$a) { goaway($a->get_baseurl() . '/profiles'); return; // NOTREACHED } + + check_form_security_token_redirectOnErr('/profiles', 'profile_drop', 't'); // move every contact using this profile as their default to the user default @@ -264,6 +269,8 @@ function profiles_content(&$a) { if(($a->argc > 1) && ($a->argv[1] === 'new')) { + + check_form_security_token_redirectOnErr('/profiles', 'profile_new', 't'); $r0 = q("SELECT `id` FROM `profile` WHERE `uid` = %d", intval(local_user())); @@ -291,10 +298,13 @@ function profiles_content(&$a) { info( t('New profile created.') . EOL); if(count($r3) == 1) goaway($a->get_baseurl() . '/profiles/' . $r3[0]['id']); + goaway($a->get_baseurl() . '/profiles'); - } + } if(($a->argc > 2) && ($a->argv[1] === 'clone')) { + + check_form_security_token_redirectOnErr('/profiles', 'profile_clone', 't'); $r0 = q("SELECT `id` FROM `profile` WHERE `uid` = %d", intval(local_user())); @@ -330,9 +340,11 @@ function profiles_content(&$a) { info( t('New profile created.') . EOL); if(count($r3) == 1) goaway($a->get_baseurl() . '/profiles/' . $r3[0]['id']); - goaway($a->get_baseurl() . '/profiles'); - return; // NOTREACHED - } + + goaway($a->get_baseurl() . '/profiles'); + + return; // NOTREACHED + } if(($a->argc > 1) && (intval($a->argv[1]))) { @@ -371,6 +383,9 @@ function profiles_content(&$a) { $is_default = (($r[0]['is-default']) ? 1 : 0); $tpl = get_markup_template("profile_edit.tpl"); $o .= replace_macros($tpl,array( + '$form_security_token' => get_form_security_token("profile_edit"), + '$profile_clone_link' => 'profiles/clone/' . $r[0]['id'] . '?t=' . get_form_security_token("profile_clone"), + '$profile_drop_link' => 'profiles/drop/' . $r[0]['id'] . '?t=' . get_form_security_token("profile_drop"), '$banner' => t('Edit Profile Details'), '$submit' => t('Submit'), '$viewprof' => t('View this profile'), @@ -460,7 +475,8 @@ function profiles_content(&$a) { $o .= replace_macros($tpl_header,array( '$header' => t('Edit/Manage Profiles'), '$chg_photo' => t('Change profile photo'), - '$cr_new' => t('Create New Profile') + '$cr_new' => t('Create New Profile'), + '$cr_new_link' => 'profiles/new?t=' . get_form_security_token("profile_new") )); -- cgit v1.2.3 From 110e8f29197e0824d555b82c05c31f36b87ab7ae Mon Sep 17 00:00:00 2001 From: friendica Date: Wed, 14 Mar 2012 21:20:20 -0700 Subject: basic ssl_policy for important modules --- mod/profiles.php | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'mod/profiles.php') diff --git a/mod/profiles.php b/mod/profiles.php index b307a2d43..7b3b6ccc1 100755 --- a/mod/profiles.php +++ b/mod/profiles.php @@ -240,7 +240,7 @@ function profiles_content(&$a) { ); if(! count($r)) { notice( t('Profile not found.') . EOL); - goaway($a->get_baseurl() . '/profiles'); + goaway($a->get_baseurl(true) . '/profiles'); return; // NOTREACHED } @@ -260,7 +260,7 @@ function profiles_content(&$a) { if($r) info( t('Profile deleted.') . EOL); - goaway($a->get_baseurl() . '/profiles'); + goaway($a->get_baseurl(true) . '/profiles'); return; // NOTREACHED } @@ -297,9 +297,9 @@ function profiles_content(&$a) { info( t('New profile created.') . EOL); if(count($r3) == 1) - goaway($a->get_baseurl() . '/profiles/' . $r3[0]['id']); + goaway($a->get_baseurl(true) . '/profiles/' . $r3[0]['id']); - goaway($a->get_baseurl() . '/profiles'); + goaway($a->get_baseurl(true) . '/profiles'); } if(($a->argc > 2) && ($a->argv[1] === 'clone')) { @@ -339,9 +339,9 @@ function profiles_content(&$a) { ); info( t('New profile created.') . EOL); if(count($r3) == 1) - goaway($a->get_baseurl() . '/profiles/' . $r3[0]['id']); + goaway($a->get_baseurl(true) . '/profiles/' . $r3[0]['id']); - goaway($a->get_baseurl() . '/profiles'); + goaway($a->get_baseurl(true) . '/profiles'); return; // NOTREACHED } @@ -373,7 +373,7 @@ function profiles_content(&$a) { )); - $a->page['htmlhead'] .= replace_macros($tpl, array('$baseurl' => $a->get_baseurl())); + $a->page['htmlhead'] .= replace_macros($tpl, array('$baseurl' => $a->get_baseurl(true))); $a->page['htmlhead'] .= ""; $f = get_config('system','birthday_input_format'); @@ -425,7 +425,7 @@ function profiles_content(&$a) { '$lbl_work' => t('Work/employment'), '$lbl_school' => t('School/education'), '$disabled' => (($is_default) ? 'onclick="return false;" style="color: #BBBBFF;"' : ''), - '$baseurl' => $a->get_baseurl(), + '$baseurl' => $a->get_baseurl(true), '$profile_id' => $r[0]['id'], '$profile_name' => $r[0]['profile-name'], '$default' => (($is_default) ? '

' . t('This is your public profile.
It may be visible to anybody using the internet.') . '

' : ""), @@ -489,7 +489,7 @@ function profiles_content(&$a) { '$alt' => t('Profile Image'), '$profile_name' => $rr['profile-name'], '$visible' => (($rr['is-default']) ? '' . t('visible to everybody') . '' - : '' . t('Edit visibility') . '') + : '' . t('Edit visibility') . '') )); } } -- cgit v1.2.3