From 59766b944c9ea3a45b1d7e8593f7bb5d4a0b8445 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20H=C3=B6=C3=9Fl?=
Date: Mon, 12 Mar 2012 20:17:37 +0000
Subject: Some security against XSRF-attacks

---
 mod/settings.php | 61 ++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 39 insertions(+), 22 deletions(-)

(limited to 'mod/settings.php')

diff --git a/mod/settings.php b/mod/settings.php
index 2ef582fdf..f42fdb397 100755
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -53,6 +53,8 @@ function settings_post(&$a) {
 	$old_page_flags = $a->user['page-flags'];
 
 	if(($a->argc > 1) && ($a->argv[1] === 'oauth') && x($_POST,'remove')){
+		check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth');
+
 		$key = $_POST['remove'];
 		q("DELETE FROM tokens WHERE id='%s' AND uid=%d",
 			dbesc($key),
@@ -63,6 +65,8 @@ function settings_post(&$a) {
 
 
 	if(($a->argc > 2) && ($a->argv[1] === 'oauth') && ($a->argv[2] === 'edit'||($a->argv[2] === 'add')) && x($_POST,'submit')) {
+		check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth');
+
 		$name = ((x($_POST,'name')) ? $_POST['name'] : '');
 		$key = ((x($_POST,'key')) ? $_POST['key'] : '');
 		$secret = ((x($_POST,'secret')) ? $_POST['secret'] : '');
@@ -105,13 +109,18 @@ function settings_post(&$a) {
 	}
 
 	if(($a->argc > 1) && ($a->argv[1] == 'addon')) {
+		check_form_security_token_redirectOnErr('/settings/addon', 'settings_addon');
+
 		call_hooks('plugin_settings_post', $_POST);
 		return;
 	}
 
 	if(($a->argc > 1) && ($a->argv[1] == 'connectors')) {
-
-		if(x($_POST['imap-submit'])) {
+
+		check_form_security_token_redirectOnErr('/settings/connectors', 'settings_connectors');
+
+		if(x($_POST, 'imap-submit')) {
+
 			$mail_server = ((x($_POST,'mail_server')) ? $_POST['mail_server'] : '');
 			$mail_port = ((x($_POST,'mail_port')) ? $_POST['mail_port'] : '');
 			$mail_ssl = ((x($_POST,'mail_ssl')) ? strtolower(trim($_POST['mail_ssl'])) : '');
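Review bot: The token check added in the `remove` branch covers only that branch, and settings_post() begins before the hunk, so whatever the function does between its first line and `$old_page_flags` still runs without any token check; worth confirming nothing state-changing lives there. It is also not visible from this diff whether check_form_security_token_redirectOnErr() records a failed check anywhere before redirecting; a rejected token is exactly the event an operator wants in the logs, so if the helper only redirects, consider logging the failure (in the helper, outside this file). The same observation applies to the @@ -63 hunk, which protects the edit/add branch with the same `'settings_oauth'` typename.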
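Review bot: The typename passed on the addon branch, `'settings_addon'`, does not match the one handed to the template in the @@ -544 hunk, `get_form_security_token("settings_addons")`; if the typename feeds the token derivation, every plugin-settings submit will fail the check and be redirected to /settings/addon. One of the two should change, e.g. `check_form_security_token_redirectOnErr('/settings/addon', 'settings_addons');` here. The connectors part of the hunk also silently fixes `x($_POST['imap-submit'])` to `x($_POST, 'imap-submit')`; that is a behaviour change unrelated to XSRF and deserves a line in the commit message so it is not lost when the change is audited later.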
@@ -185,7 +194,8 @@ function settings_post(&$a) { return; } - + check_form_security_token_redirectOnErr('/settings', 'settings'); + call_hooks('settings_post', $_POST); if((x($_POST,'npassword')) || (x($_POST,'confirm'))) { @@ -460,6 +470,7 @@ function settings_content(&$a) { if(($a->argc > 2) && ($a->argv[2] === 'add')) { $tpl = get_markup_template("settings_oauth_edit.tpl"); $o .= replace_macros($tpl, array( + '$form_security_token' => get_form_security_token("settings_oauth"), '$tabs' => $tabs, '$title' => t('Add application'), '$submit' => t('Submit'), @@ -486,6 +497,7 @@ function settings_content(&$a) { $tpl = get_markup_template("settings_oauth_edit.tpl"); $o .= replace_macros($tpl, array( + '$form_security_token' => get_form_security_token("settings_oauth"), '$tabs' => $tabs, '$title' => t('Add application'), '$submit' => t('Update'), @@ -500,6 +512,8 @@ function settings_content(&$a) { } if(($a->argc > 3) && ($a->argv[2] === 'delete')) { + check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth', 't'); + $r = q("DELETE FROM clients WHERE client_id='%s' AND uid=%d", dbesc($a->argv[3]), local_user()); @@ -518,6 +532,7 @@ function settings_content(&$a) { $tpl = get_markup_template("settings_oauth.tpl"); $o .= replace_macros($tpl, array( + '$form_security_token' => get_form_security_token("settings_oauth"), '$baseurl' => $a->get_baseurl(), '$title' => t('Connected Apps'), '$add' => t('Add application'), @@ -544,6 +559,7 @@ function settings_content(&$a) { $tpl = get_markup_template("settings_addons.tpl"); $o .= replace_macros($tpl, array( + '$form_security_token' => get_form_security_token("settings_addons"), '$title' => t('Plugin Settings'), '$tabs' => $tabs, '$settings_addons' => $settings_addons 
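Review bot: The generic `check_form_security_token_redirectOnErr('/settings', 'settings')` sits after the branch-specific early returns, so it now guards the remaining POST handling including the password change selected by `x($_POST,'npassword')`, but a CSRF token alone is a weak gate for a password change: a stolen session cookie still suffices to set a new password. Whether the code below verifies the user's current password is outside the hunk; if it does not, requiring it on the `npassword` path is the natural companion to this change. The `return; }` above the call belongs to a branch that starts before the hunk, so I cannot confirm from here that every earlier branch carries its own check.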
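Review bot: The diffstat shows only mod/settings.php changing, yet this hunk and those at @@ -486, @@ -518, @@ -544, @@ -586 and @@ -805 start handing `'$form_security_token'` to templates; unless settings_oauth_edit.tpl and the other templates already render it as a hidden input, every protected form will now fail check_form_security_token_redirectOnErr() on submit. Confirm the template side landed in a separate commit, or add the hidden field to each template in this one. Minor: the typename is written `"settings_oauth"` here and `'settings_oauth'` in settings_post(); one quoting style makes the pairing easier to grep when a token name is changed.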
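Review bot: The delete guarded by `$a->argv[2] === 'delete'` runs from settings_content(), i.e. on a GET, and the token is read from the query string via the `'t'` argument; the check closes the cross-site case, but a state-changing GET remains reachable from any link, and the token in the URL can leak through the Referer header, browser history and access logs. Moving the delete to a POST form that reuses the `settings_oauth` token already passed to settings_oauth.tpl in the @@ -518 hunk would remove that exposure. settings_content() continues outside the hunk.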
@@ -586,28 +602,28 @@ function settings_content(&$a) { $tpl = get_markup_template("settings_connectors.tpl"); $o .= replace_macros($tpl, array( + '$form_security_token' => get_form_security_token("settings_connectors"), + '$title' => t('Connector Settings'), '$tabs' => $tabs, - '$diasp_enabled' => $diasp_enabled, - '$ostat_enabled' => $ostat_enabled, - - '$h_imap' => t('Email/Mailbox Setup'), - '$imap_desc' => t("If you wish to communicate with email contacts using this service \x28optional\x29, please specify how to connect to your mailbox."), - '$imap_lastcheck' => array('imap_lastcheck', t('Last successful email check:'), $mail_chk,''), - '$mail_disabled' => (($mail_disabled) ? t('Email access is disabled on this site.') : ''), - '$mail_server' => array('mail_server', t('IMAP server name:'), $mail_server, ''), - '$mail_port' => array('mail_port', t('IMAP port:'), $mail_port, ''), - '$mail_ssl' => array('mail_ssl', t('Security:'), strtoupper($mail_ssl), '', array( ''=>t('None'), 'TLS'=>'TLS', 'SSL'=>'SSL')), - '$mail_user' => array('mail_user', t('Email login name:'), $mail_user, ''), - '$mail_pass' => array('mail_pass', t('Email password:'), '', ''), - '$mail_replyto' => array('mail_replyto', t('Reply-to address:'), '', 'Optional'), - '$mail_pubmail' => array('mail_pubmail', t('Send public posts to all email contacts:'), $mail_pubmail, ''), - '$mail_action' => array('mail_action', t('Action after import:'), $mail_action, '', array(0=>t('None'), 1=>t('Delete'), 2=>t('Mark as seen'), 3=>t('Move to folder'))), - '$mail_movetofolder' => array('mail_movetofolder', t('Move to folder:'), $mail_movetofolder, ''), - '$submit' => t('Submit'), - - + '$diasp_enabled' => $diasp_enabled, + '$ostat_enabled' => $ostat_enabled, + + '$h_imap' => t('Email/Mailbox Setup'), + '$imap_desc' => t("If you wish to communicate with email contacts using this service \x28optional\x29, please specify how to connect to your mailbox."), + '$imap_lastcheck' => array('imap_lastcheck', t('Last 
successful email check:'), $mail_chk,''), + '$mail_disabled' => (($mail_disabled) ? t('Email access is disabled on this site.') : ''), + '$mail_server' => array('mail_server', t('IMAP server name:'), $mail_server, ''), + '$mail_port' => array('mail_port', t('IMAP port:'), $mail_port, ''), + '$mail_ssl' => array('mail_ssl', t('Security:'), strtoupper($mail_ssl), '', array( ''=>t('None'), 'TLS'=>'TLS', 'SSL'=>'SSL')), + '$mail_user' => array('mail_user', t('Email login name:'), $mail_user, ''), + '$mail_pass' => array('mail_pass', t('Email password:'), '', ''), + '$mail_replyto' => array('mail_replyto', t('Reply-to address:'), '', 'Optional'), + '$mail_pubmail' => array('mail_pubmail', t('Send public posts to all email contacts:'), $mail_pubmail, ''), + '$mail_action' => array('mail_action', t('Action after import:'), $mail_action, '', array(0=>t('None'), 1=>t('Delete'), 2=>t('Mark as seen'), 3=>t('Move to folder'))), + '$mail_movetofolder' => array('mail_movetofolder', t('Move to folder:'), $mail_movetofolder, ''), + '$submit' => t('Submit'), '$settings_connectors' => $settings_connectors )); @@ -805,6 +821,7 @@ function settings_content(&$a) { '$submit' => t('Submit'), '$baseurl' => $a->get_baseurl(), '$uid' => local_user(), + '$form_security_token' => get_form_security_token("settings"), '$nickname_block' => $prof_addr, -- cgit v1.2.3
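Review bot: Apart from the added `'$form_security_token' => get_form_security_token("settings_connectors"),` line and the blank after it, this hunk is a re-indentation of the connectors template array, which accounts for most of the commit's 22 deletions and 39 insertions and buries the security-relevant change in whitespace noise. Keeping whitespace-only changes in a separate commit, or reviewing with `git diff -w`, would let the token addition be audited on its own; nothing in the re-indented entries appears to change meaning, but that is hard to verify by eye in this form. The enclosing replace_macros() call and settings_content() continue outside the hunk.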