mirror of
https://github.com/Mibew/tray.git
synced 2025-01-22 18:10:34 +03:00
format the code; remove comments in the client code; move csrfchecktoken() right after check_login()
Conflicts: src/messenger/webim/libs/common.php src/messenger/webim/operator/canned.php src/messenger/webim/operator/cannededit.php src/messenger/webim/operator/operators.php src/messenger/webim/operator/settings.php src/messenger/webim/operator/translate.php
This commit is contained in:
Evgeny Gryaznov
Dmitriy Simushev
parent
3a337c3137
commit
214e52e5c2
@ -766,18 +766,19 @@ function jspath()
|
||||
}
|
||||
|
||||
/* authorization token check for CSRF attack */
|
||||
function csrfchecktoken(){
|
||||
function csrfchecktoken()
|
||||
{
|
||||
setcsrftoken();
|
||||
|
||||
// check the turing code for post requests and del requests
|
||||
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
|
||||
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
|
||||
//if token match
|
||||
if(!isset($_POST['csrf_token']) || ($_POST['csrf_token'] != $_SESSION['csrf_token'])){
|
||||
if (!isset($_POST['csrf_token']) || ($_POST['csrf_token'] != $_SESSION['csrf_token'])) {
|
||||
|
||||
die("CSRF failure");
|
||||
}
|
||||
} else if(isset($_GET['act'])){
|
||||
if(($_GET['act'] == 'del' || $_GET['act'] == 'delete') && $_GET['csrf_token'] != $_SESSION['csrf_token']){
|
||||
} else if (isset($_GET['act'])) {
|
||||
if (($_GET['act'] == 'del' || $_GET['act'] == 'delete') && $_GET['csrf_token'] != $_SESSION['csrf_token']) {
|
||||
|
||||
die("CSRF failure");
|
||||
}
|
||||
@ -785,23 +786,26 @@ function csrfchecktoken(){
|
||||
}
|
||||
|
||||
/* print csrf token as a hidden field*/
|
||||
function print_csrf_token_input(){
|
||||
function print_csrf_token_input()
|
||||
{
|
||||
setcsrftoken();
|
||||
|
||||
echo "<input name='csrf_token' type='hidden' value='".$_SESSION['csrf_token']."' />";
|
||||
echo "<input name='csrf_token' type='hidden' value='" . $_SESSION['csrf_token'] . "' />";
|
||||
}
|
||||
|
||||
/* print csrf token in url format */
|
||||
function print_csrf_token_in_url(){
|
||||
function print_csrf_token_in_url()
|
||||
{
|
||||
setcsrftoken();
|
||||
|
||||
echo "&csrf_token=".$_SESSION['csrf_token'];
|
||||
echo "&csrf_token=" . $_SESSION['csrf_token'];
|
||||
}
|
||||
|
||||
/* set csrf token */
|
||||
function setcsrftoken(){
|
||||
if(!isset($_SESSION['csrf_token'])){
|
||||
$_SESSION['csrf_token']=sha1(rand(10000000,99999999));
|
||||
function setcsrftoken()
|
||||
{
|
||||
if (!isset($_SESSION['csrf_token'])) {
|
||||
$_SESSION['csrf_token'] = sha1(rand(10000000, 99999999));
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -23,9 +23,8 @@ require_once('../libs/common.php');
|
||||
require_once('../libs/operator.php');
|
||||
require_once('../libs/operator_settings.php');
|
||||
|
||||
csrfchecktoken();
|
||||
|
||||
$operator = check_login();
|
||||
csrfchecktoken();
|
||||
|
||||
$opId = verifyparam("op", "/^\d{1,9}$/");
|
||||
$page = array('opid' => $opId, 'avatar' => '');
|
||||
|
||||
@ -26,10 +26,9 @@ require_once('../libs/settings.php');
|
||||
require_once('../libs/groups.php');
|
||||
require_once('../libs/pagination.php');
|
||||
|
||||
csrfchecktoken();
|
||||
|
||||
$operator = check_login();
|
||||
force_password($operator);
|
||||
csrfchecktoken();
|
||||
|
||||
loadsettings();
|
||||
|
||||
|
||||
@ -24,9 +24,8 @@ require_once('../libs/common.php');
|
||||
require_once('../libs/operator.php');
|
||||
require_once('../libs/pagination.php');
|
||||
|
||||
csrfchecktoken();
|
||||
|
||||
$operator = check_login();
|
||||
csrfchecktoken();
|
||||
loadsettings();
|
||||
|
||||
$stringid = verifyparam("key", "/^\d{0,9}$/", "");
|
||||
|
||||
@ -23,9 +23,8 @@ require_once('../libs/common.php');
|
||||
require_once('../libs/operator.php');
|
||||
require_once('../libs/settings.php');
|
||||
|
||||
csrfchecktoken();
|
||||
|
||||
$operator = check_login();
|
||||
csrfchecktoken();
|
||||
|
||||
$page = array('agentId' => '');
|
||||
$errors = array();
|
||||
|
||||
@ -23,9 +23,8 @@ require_once('../libs/common.php');
|
||||
require_once('../libs/operator.php');
|
||||
require_once('../libs/operator_settings.php');
|
||||
|
||||
csrfchecktoken();
|
||||
|
||||
$operator = check_login();
|
||||
csrfchecktoken();
|
||||
|
||||
$page = array('opid' => '');
|
||||
$errors = array();
|
||||
|
||||
@ -22,11 +22,9 @@
|
||||
require_once('../libs/common.php');
|
||||
require_once('../libs/operator.php');
|
||||
|
||||
csrfchecktoken();
|
||||
|
||||
$operator = check_login();
|
||||
force_password($operator);
|
||||
|
||||
csrfchecktoken();
|
||||
|
||||
if (isset($_GET['act'])) {
|
||||
|
||||
|
||||
@ -23,9 +23,8 @@ require_once('../libs/common.php');
|
||||
require_once('../libs/operator.php');
|
||||
require_once('../libs/settings.php');
|
||||
|
||||
csrfchecktoken();
|
||||
|
||||
$operator = check_login();
|
||||
csrfchecktoken();
|
||||
|
||||
$page = array('agentId' => '');
|
||||
$errors = array();
|
||||
|
||||
@ -23,8 +23,8 @@ require_once('../libs/common.php');
|
||||
require_once('../libs/operator.php');
|
||||
require_once('../libs/operator_settings.php');
|
||||
|
||||
csrfchecktoken();
|
||||
$operator = check_login();
|
||||
csrfchecktoken();
|
||||
|
||||
function update_operator_permissions($operatorid, $newvalue)
|
||||
{
|
||||
|
||||
@ -24,10 +24,9 @@ require_once('../libs/operator.php');
|
||||
require_once('../libs/settings.php');
|
||||
require_once('../libs/styles.php');
|
||||
|
||||
csrfchecktoken();
|
||||
|
||||
$operator = check_login();
|
||||
force_password($operator);
|
||||
csrfchecktoken();
|
||||
|
||||
$page = array('agentId' => '');
|
||||
$errors = array();
|
||||
|
||||
@ -23,8 +23,6 @@ require_once('../libs/common.php');
|
||||
require_once('../libs/operator.php');
|
||||
require_once('../libs/pagination.php');
|
||||
|
||||
csrfchecktoken();
|
||||
|
||||
function compare_localization_by_l1($a, $b)
|
||||
{
|
||||
if ($a == $b) {
|
||||
@ -122,7 +120,7 @@ function get_auxiliary($s)
|
||||
|
||||
$operator = check_login();
|
||||
force_password($operator);
|
||||
|
||||
csrfchecktoken();
|
||||
|
||||
$source = verifyparam("source", "/^[\w-]{2,5}$/", $default_locale);
|
||||
$target = verifyparam("target", "/^[\w-]{2,5}$/", $current_locale);
|
||||
|
||||
@ -50,10 +50,7 @@ require_once('inc_errors.php');
|
||||
|
||||
<?php if( $page['opid'] || $page['canmodify'] ) { ?>
|
||||
<form name="agentForm" method="post" action="<?php echo $webimroot ?>/operator/operator.php">
|
||||
|
||||
<!-- add auth token -->
|
||||
<?php print_csrf_token_input() ?>
|
||||
|
||||
<input type="hidden" name="opid" value="<?php echo $page['opid'] ?>"/>
|
||||
<div>
|
||||
<?php if(!$page['needChangePassword']) { print_tabbar(); } ?>
|
||||
|
||||
@ -36,10 +36,7 @@ require_once('inc_errors.php');
|
||||
?>
|
||||
|
||||
<form name="avatarForm" method="post" action="<?php echo $webimroot ?>/operator/avatar.php" enctype="multipart/form-data">
|
||||
|
||||
<!-- add csrf token -->
|
||||
<?php print_csrf_token_input() ?>
|
||||
|
||||
<input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/>
|
||||
<div>
|
||||
<?php print_tabbar(); ?>
|
||||
|
||||
@ -44,10 +44,7 @@ require_once('inc_errors.php');
|
||||
?>
|
||||
|
||||
<form name="cannedForm" method="post" action="<?php echo $webimroot ?>/operator/cannededit.php">
|
||||
|
||||
<!-- add auth token -->
|
||||
<?php print_csrf_token_input() ?>
|
||||
|
||||
<input type="hidden" name="key" value="<?php echo $page['key'] ?>"/>
|
||||
<?php if(!$page['key']) { ?>
|
||||
<input type="hidden" name="lang" value="<?php echo $page['locale'] ?>"/>
|
||||
|
||||
@ -85,10 +85,7 @@ require_once('inc_errors.php');
|
||||
<?php } ?>
|
||||
|
||||
<form name="features" method="post" action="<?php echo $webimroot ?>/operator/features.php">
|
||||
|
||||
<!-- add auth token -->
|
||||
<?php print_csrf_token_input() ?>
|
||||
|
||||
<input type="hidden" name="sent" value="true"/>
|
||||
<div>
|
||||
<?php print_tabbar(); ?>
|
||||
|
||||
@ -39,10 +39,7 @@ require_once('inc_errors.php');
|
||||
<?php } ?>
|
||||
|
||||
<form name="performance" method="post" action="<?php echo $webimroot ?>/operator/performance.php">
|
||||
|
||||
<!-- add auth token -->
|
||||
<?php print_csrf_token_input() ?>
|
||||
|
||||
<div>
|
||||
<?php print_tabbar(); ?>
|
||||
<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
|
||||
|
||||
@ -39,10 +39,7 @@ require_once('inc_errors.php');
|
||||
<?php } ?>
|
||||
|
||||
<form name="permissionsForm" method="post" action="<?php echo $webimroot ?>/operator/permissions.php">
|
||||
|
||||
<!-- add csrf token -->
|
||||
<?php print_csrf_token_input() ?>
|
||||
|
||||
<input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/>
|
||||
<div>
|
||||
<?php print_tabbar(); ?>
|
||||
|
||||
@ -39,10 +39,7 @@ require_once('inc_errors.php');
|
||||
<?php } ?>
|
||||
|
||||
<form name="settings" method="post" action="<?php echo $webimroot ?>/operator/settings.php">
|
||||
|
||||
<!-- add auth token -->
|
||||
<?php print_csrf_token_input() ?>
|
||||
|
||||
<div>
|
||||
<?php print_tabbar(); ?>
|
||||
<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
|
||||
|
||||
@ -44,10 +44,7 @@ require_once('inc_errors.php');
|
||||
?>
|
||||
|
||||
<form name="translateForm" method="post" action="<?php echo $webimroot ?>/operator/translate.php">
|
||||
|
||||
<!-- add auth token -->
|
||||
<?php print_csrf_token_input() ?>
|
||||
|
||||
<input type="hidden" name="key" value="<?php echo $page['key'] ?>"/>
|
||||
<input type="hidden" name="target" value="<?php echo $page['target'] ?>"/>
|
||||
<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
|
||||
|
||||
Loading…
Reference in New Issue
Block a user