From 59766b944c9ea3a45b1d7e8593f7bb5d4a0b8445 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20H=C3=B6=C3=9Fl?= Date: Mon, 12 Mar 2012 20:17:37 +0000 Subject: Some security against XSRF-attacks --- mod/settings.php | 61 ++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 39 insertions(+), 22 deletions(-) (limited to 'mod/settings.php') diff --git a/mod/settings.php b/mod/settings.php index 2ef582fdf..f42fdb397 100755 --- a/mod/settings.php +++ b/mod/settings.php @@ -53,6 +53,8 @@ function settings_post(&$a) { $old_page_flags = $a->user['page-flags']; if(($a->argc > 1) && ($a->argv[1] === 'oauth') && x($_POST,'remove')){ + check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth'); + $key = $_POST['remove']; q("DELETE FROM tokens WHERE id='%s' AND uid=%d", dbesc($key), @@ -63,6 +65,8 @@ function settings_post(&$a) { if(($a->argc > 2) && ($a->argv[1] === 'oauth') && ($a->argv[2] === 'edit'||($a->argv[2] === 'add')) && x($_POST,'submit')) { + check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth'); + $name = ((x($_POST,'name')) ? $_POST['name'] : ''); $key = ((x($_POST,'key')) ? $_POST['key'] : ''); $secret = ((x($_POST,'secret')) ? $_POST['secret'] : ''); @@ -105,13 +109,18 @@ function settings_post(&$a) { } if(($a->argc > 1) && ($a->argv[1] == 'addon')) { + check_form_security_token_redirectOnErr('/settings/addon', 'settings_addon'); + call_hooks('plugin_settings_post', $_POST); return; } if(($a->argc > 1) && ($a->argv[1] == 'connectors')) { - - if(x($_POST['imap-submit'])) { + + check_form_security_token_redirectOnErr('/settings/connectors', 'settings_connectors'); + + if(x($_POST, 'imap-submit')) { + $mail_server = ((x($_POST,'mail_server')) ? $_POST['mail_server'] : ''); $mail_port = ((x($_POST,'mail_port')) ? $_POST['mail_port'] : ''); $mail_ssl = ((x($_POST,'mail_ssl')) ? strtolower(trim($_POST['mail_ssl'])) : ''); 
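Review bot: The new check_form_security_token_redirectOnErr() call at the top of the oauth-remove branch (and likewise in the oauth-edit, addon and connectors branches of this hunk group, and the one before call_hooks('settings_post') in the next hunk) only protects the DELETE FROM tokens below it if the helper never returns on a bad token; the helper is defined outside this diff, so confirm it terminates the request (e.g. via goaway()) rather than only emitting a redirect header, or add an explicit `return;` after each call. A one-line comment at the first call would spare the next reader the same lookup: `// aborts the request (presumably redirecting to /settings/oauth) unless the POST carries a valid 'settings_oauth' token`. settings_post() starts before this hunk.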
@@ -185,7 +194,8 @@ function settings_post(&$a) { return; } - + check_form_security_token_redirectOnErr('/settings', 'settings'); + call_hooks('settings_post', $_POST); if((x($_POST,'npassword')) || (x($_POST,'confirm'))) { @@ -460,6 +470,7 @@ function settings_content(&$a) { if(($a->argc > 2) && ($a->argv[2] === 'add')) { $tpl = get_markup_template("settings_oauth_edit.tpl"); $o .= replace_macros($tpl, array( + '$form_security_token' => get_form_security_token("settings_oauth"), '$tabs' => $tabs, '$title' => t('Add application'), '$submit' => t('Submit'), @@ -486,6 +497,7 @@ function settings_content(&$a) { $tpl = get_markup_template("settings_oauth_edit.tpl"); $o .= replace_macros($tpl, array( + '$form_security_token' => get_form_security_token("settings_oauth"), '$tabs' => $tabs, '$title' => t('Add application'), '$submit' => t('Update'), @@ -500,6 +512,8 @@ function settings_content(&$a) { } if(($a->argc > 3) && ($a->argv[2] === 'delete')) { + check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth', 't'); + $r = q("DELETE FROM clients WHERE client_id='%s' AND uid=%d", dbesc($a->argv[3]), local_user()); @@ -518,6 +532,7 @@ function settings_content(&$a) { $tpl = get_markup_template("settings_oauth.tpl"); $o .= replace_macros($tpl, array( + '$form_security_token' => get_form_security_token("settings_oauth"), '$baseurl' => $a->get_baseurl(), '$title' => t('Connected Apps'), '$add' => t('Add application'), @@ -544,6 +559,7 @@ function settings_content(&$a) { $tpl = get_markup_template("settings_addons.tpl"); $o .= replace_macros($tpl, array( + '$form_security_token' => get_form_security_token("settings_addons"), '$title' => t('Plugin Settings'), '$tabs' => $tabs, '$settings_addons' => $settings_addons 
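Review bot: In the @@ -500 hunk the DELETE FROM clients still executes from settings_content(), i.e. on a plain GET of /settings/oauth/delete/&lt;id&gt;, with the token apparently read from a query parameter (the third argument 't'); a token carried in the URL can end up in Referer headers, browser history and access logs, so it is weaker than a hidden POST field. Moving this action into settings_post() behind a small confirmation form would keep the state change off GET; until then a comment makes the trade-off explicit: `// state change on GET; token travels in the query string — move to POST when the template is reworked`. Whether the templates that receive '$form_security_token' actually emit the hidden field cannot be judged here, since the diff is limited to mod/settings.php. settings_content() continues outside the hunk.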
@@ -586,28 +602,28 @@ function settings_content(&$a) { $tpl = get_markup_template("settings_connectors.tpl"); $o .= replace_macros($tpl, array( + '$form_security_token' => get_form_security_token("settings_connectors"), + '$title' => t('Connector Settings'), '$tabs' => $tabs, - '$diasp_enabled' => $diasp_enabled, - '$ostat_enabled' => $ostat_enabled, - - '$h_imap' => t('Email/Mailbox Setup'), - '$imap_desc' => t("If you wish to communicate with email contacts using this service \x28optional\x29, please specify how to connect to your mailbox."), - '$imap_lastcheck' => array('imap_lastcheck', t('Last successful email check:'), $mail_chk,''), - '$mail_disabled' => (($mail_disabled) ? t('Email access is disabled on this site.') : ''), - '$mail_server' => array('mail_server', t('IMAP server name:'), $mail_server, ''), - '$mail_port' => array('mail_port', t('IMAP port:'), $mail_port, ''), - '$mail_ssl' => array('mail_ssl', t('Security:'), strtoupper($mail_ssl), '', array( ''=>t('None'), 'TLS'=>'TLS', 'SSL'=>'SSL')), - '$mail_user' => array('mail_user', t('Email login name:'), $mail_user, ''), - '$mail_pass' => array('mail_pass', t('Email password:'), '', ''), - '$mail_replyto' => array('mail_replyto', t('Reply-to address:'), '', 'Optional'), - '$mail_pubmail' => array('mail_pubmail', t('Send public posts to all email contacts:'), $mail_pubmail, ''), - '$mail_action' => array('mail_action', t('Action after import:'), $mail_action, '', array(0=>t('None'), 1=>t('Delete'), 2=>t('Mark as seen'), 3=>t('Move to folder'))), - '$mail_movetofolder' => array('mail_movetofolder', t('Move to folder:'), $mail_movetofolder, ''), - '$submit' => t('Submit'), - - + '$diasp_enabled' => $diasp_enabled, + '$ostat_enabled' => $ostat_enabled, + + '$h_imap' => t('Email/Mailbox Setup'), + '$imap_desc' => t("If you wish to communicate with email contacts using this service \x28optional\x29, please specify how to connect to your mailbox."), + '$imap_lastcheck' => array('imap_lastcheck', t('Last 
successful email check:'), $mail_chk,''), + '$mail_disabled' => (($mail_disabled) ? t('Email access is disabled on this site.') : ''), + '$mail_server' => array('mail_server', t('IMAP server name:'), $mail_server, ''), + '$mail_port' => array('mail_port', t('IMAP port:'), $mail_port, ''), + '$mail_ssl' => array('mail_ssl', t('Security:'), strtoupper($mail_ssl), '', array( ''=>t('None'), 'TLS'=>'TLS', 'SSL'=>'SSL')), + '$mail_user' => array('mail_user', t('Email login name:'), $mail_user, ''), + '$mail_pass' => array('mail_pass', t('Email password:'), '', ''), + '$mail_replyto' => array('mail_replyto', t('Reply-to address:'), '', 'Optional'), + '$mail_pubmail' => array('mail_pubmail', t('Send public posts to all email contacts:'), $mail_pubmail, ''), + '$mail_action' => array('mail_action', t('Action after import:'), $mail_action, '', array(0=>t('None'), 1=>t('Delete'), 2=>t('Mark as seen'), 3=>t('Move to folder'))), + '$mail_movetofolder' => array('mail_movetofolder', t('Move to folder:'), $mail_movetofolder, ''), + '$submit' => t('Submit'), '$settings_connectors' => $settings_connectors )); @@ -805,6 +821,7 @@ function settings_content(&$a) { '$submit' => t('Submit'), '$baseurl' => $a->get_baseurl(), '$uid' => local_user(), + '$form_security_token' => get_form_security_token("settings"), '$nickname_block' => $prof_addr, -- cgit v1.2.3 From 7e270b043c07878d52c2c0a156b2ee1b1b787ced Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 13 Mar 2012 23:52:13 -0700 Subject: addon settings form error --- mod/settings.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'mod/settings.php') diff --git a/mod/settings.php b/mod/settings.php index f42fdb397..15fd0c352 100755 --- a/mod/settings.php +++ b/mod/settings.php 
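Review bot: Apart from the two new '$form_security_token' and '$title' entries, every line of the connectors replace_macros() array is removed and re-added with different indentation, which buries the security-relevant change inside whitespace churn; a reviewer has to compare the removed and added blocks by hand to confirm nothing else changed. Keeping re-indentation in its own commit (or not re-indenting here) makes a change like this auditable. The '$title' addition is also not mentioned in the commit message, so it is worth a word there.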
@@ -559,7 +559,7 @@ function settings_content(&$a) { $tpl = get_markup_template("settings_addons.tpl"); $o .= replace_macros($tpl, array( - '$form_security_token' => get_form_security_token("settings_addons"), + '$form_security_token' => get_form_security_token("settings_addon"), '$title' => t('Plugin Settings'), '$tabs' => $tabs, '$settings_addons' => $settings_addons -- cgit v1.2.3 From 110e8f29197e0824d555b82c05c31f36b87ab7ae Mon Sep 17 00:00:00 2001 From: friendica Date: Wed, 14 Mar 2012 21:20:20 -0700 Subject: basic ssl_policy for important modules --- mod/settings.php | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'mod/settings.php') diff --git a/mod/settings.php b/mod/settings.php index 15fd0c352..f694b5840 100755 --- a/mod/settings.php +++ b/mod/settings.php @@ -59,7 +59,7 @@ function settings_post(&$a) { q("DELETE FROM tokens WHERE id='%s' AND uid=%d", dbesc($key), local_user()); - goaway($a->get_baseurl()."/settings/oauth/"); + goaway($a->get_baseurl(true)."/settings/oauth/"); return; } @@ -104,7 +104,7 @@ function settings_post(&$a) { local_user()); } } - goaway($a->get_baseurl()."/settings/oauth/"); + goaway($a->get_baseurl(true)."/settings/oauth/"); return; } @@ -411,7 +411,7 @@ function settings_post(&$a) { } - goaway($a->get_baseurl() . '/settings' ); + goaway($a->get_baseurl(true) . '/settings' ); return; // NOTREACHED } 
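Review bot: get_baseurl(true) is passed a bare boolean at every redirect and tab URL in the ssl_policy commit (this hunk group, plus @@ -435, @@ -517, @@ -533, @@ -789 and @@ -819), and nothing in mod/settings.php says what true selects; from the subject it presumably asks for the https variant under the site's ssl_policy, but a reader cannot tell without opening the App class. A comment at the first call site documents the intent: `// get_baseurl(true): honour the site's ssl_policy for this URL`. The path-only redirect targets handed to check_form_security_token_redirectOnErr() in the earlier commit are untouched, so whether they follow the same policy depends on that helper's implementation.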
@@ -435,27 +435,27 @@ function settings_content(&$a) { $tabs = array( array( 'label' => t('Account settings'), - 'url' => $a->get_baseurl().'/settings', + 'url' => $a->get_baseurl(true).'/settings', 'sel' => (($a->argc == 1)?'active':''), ), array( 'label' => t('Connector settings'), - 'url' => $a->get_baseurl().'/settings/connectors', + 'url' => $a->get_baseurl(true).'/settings/connectors', 'sel' => (($a->argc > 1) && ($a->argv[1] === 'connectors')?'active':''), ), array( 'label' => t('Plugin settings'), - 'url' => $a->get_baseurl().'/settings/addon', + 'url' => $a->get_baseurl(true).'/settings/addon', 'sel' => (($a->argc > 1) && ($a->argv[1] === 'addon')?'active':''), ), array( 'label' => t('Connections'), - 'url' => $a->get_baseurl() . '/settings/oauth', + 'url' => $a->get_baseurl(true) . '/settings/oauth', 'sel' => (($a->argc > 1) && ($a->argv[1] === 'oauth')?'active':''), ), array( 'label' => t('Export personal data'), - 'url' => $a->get_baseurl() . '/uexport', + 'url' => $a->get_baseurl(true) . '/uexport', 'sel' => '' ) ); @@ -517,7 +517,7 @@ function settings_content(&$a) { $r = q("DELETE FROM clients WHERE client_id='%s' AND uid=%d", dbesc($a->argv[3]), local_user()); - goaway($a->get_baseurl()."/settings/oauth/"); + goaway($a->get_baseurl(true)."/settings/oauth/"); return; } @@ -533,7 +533,7 @@ function settings_content(&$a) { $tpl = get_markup_template("settings_oauth.tpl"); $o .= replace_macros($tpl, array( '$form_security_token' => get_form_security_token("settings_oauth"), - '$baseurl' => $a->get_baseurl(), + '$baseurl' => $a->get_baseurl(true), '$title' => t('Connected Apps'), '$add' => t('Add application'), '$edit' => t('Edit'), @@ -789,7 +789,7 @@ function settings_content(&$a) { $theme_selected = (!x($_SESSION,'theme')? $default_theme : $_SESSION['theme']); - $subdir = ((strlen($a->get_path())) ? '
' . t('or') . ' ' . $a->get_baseurl() . '/profile/' . $nickname : ''); + $subdir = ((strlen($a->get_path())) ? '
' . t('or') . ' ' . $a->get_baseurl(true) . '/profile/' . $nickname : ''); $tpl_addr = get_markup_template("settings_nick_set.tpl"); @@ -819,7 +819,7 @@ function settings_content(&$a) { '$ptitle' => t('Account Settings'), '$submit' => t('Submit'), - '$baseurl' => $a->get_baseurl(), + '$baseurl' => $a->get_baseurl(true), '$uid' => local_user(), '$form_security_token' => get_form_security_token("settings"), -- cgit v1.2.3 From 82f2bfea5bbf7c35450eb8fe9ee119e0b00d3d61 Mon Sep 17 00:00:00 2001 From: friendica Date: Fri, 16 Mar 2012 16:05:16 -0700 Subject: convert boolean or int settings to strings to work around issues with template processing --- mod/settings.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'mod/settings.php') diff --git a/mod/settings.php b/mod/settings.php index f694b5840..3a8ad29d2 100755 --- a/mod/settings.php +++ b/mod/settings.php 
@@ -652,20 +652,20 @@ function settings_content(&$a) { $blocktags = $a->user['blocktags']; $expire_items = get_pconfig(local_user(), 'expire','items'); - $expire_items = (($expire_items===false)?1:$expire_items); // default if not set: 1 + $expire_items = (($expire_items===false)? '1' : $expire_items); // default if not set: 1 $expire_notes = get_pconfig(local_user(), 'expire','notes'); - $expire_notes = (($expire_notes===false)?1:$expire_notes); // default if not set: 1 + $expire_notes = (($expire_notes===false)? '1' : $expire_notes); // default if not set: 1 $expire_starred = get_pconfig(local_user(), 'expire','starred'); - $expire_starred = (($expire_starred===false)?1:$expire_starred); // default if not set: 1 + $expire_starred = (($expire_starred===false)? '1' : $expire_starred); // default if not set: 1 $expire_photos = get_pconfig(local_user(), 'expire','photos'); - $expire_photos = (($expire_photos===false)?0:$expire_photos); // default if not set: 0 + $expire_photos = (($expire_photos===false)? '0' : $expire_photos); // default if not set: 0 $suggestme = get_pconfig(local_user(), 'system','suggestme'); - $suggestme = (($suggestme===false)?0:$suggestme); // default if not set: 0 + $suggestme = (($suggestme===false)? '0': $suggestme); // default if not set: 0 $browser_update = intval(get_pconfig(local_user(), 'system','update_interval')); $browser_update = (($browser_update == 0) ? 40 : $browser_update / 1000); // default if not set: 40 seconds 
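Review bot: Only the fallback branch of each ternary becomes a string; when get_pconfig() returns a stored value it is passed through with whatever type the config layer gives back, so if that can be an int the template problem the commit describes will reappear exactly for users who have changed the setting. $browser_update two lines below is also left numeric (40 or the result of a division), which is the same class of value the subject says is being converted. If string-typed template inputs are the contract, cast the whole expression, e.g. `$expire_items = (string) (($expire_items===false) ? 1 : $expire_items); // default if not set: 1`. settings_content() continues outside the hunk.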
@@ -736,13 +736,13 @@ function settings_content(&$a) { )); $blockwall = replace_macros($opt_tpl,array( - '$field' => array('blockwall', t('Allow friends to post to your profile page?'), ! $a->user['blockwall'], '', array(t('No'),t('Yes'))), + '$field' => array('blockwall', t('Allow friends to post to your profile page?'), (intval($a->user['blockwall']) ? '0' : '1'), '', array(t('No'),t('Yes'))), )); $blocktags = replace_macros($opt_tpl,array( - '$field' => array('blocktags', t('Allow friends to tag your posts?'), ! $a->user['blocktags'], '', array(t('No'),t('Yes'))), + '$field' => array('blocktags', t('Allow friends to tag your posts?'), (intval($a->user['blocktags']) ? '0' : '1'), '', array(t('No'),t('Yes'))), )); -- cgit v1.2.3
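Review bot: The new values invert the stored flag — blockwall/blocktags are set when friends are blocked, while the field is labelled "Allow …", so '0' means blocked and '1' means allowed — and nothing at the call site says so; the removed `! $a->user['blockwall']` at least made the negation visible. A comment on the first field keeps the mapping readable: `// user.blockwall stores the denial; the option is phrased as "Allow", hence the inversion`. The same applies to the blocktags field directly below. settings_content() continues outside the hunk.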