Adds XSRF protection to the Profile module.

author Vincent Zanotti <vincent.zanotti@polytechnique.org>

Mon, 30 Jun 2008 00:29:30 +0000 (02:29 +0200)

committer Vincent Zanotti <vincent.zanotti@polytechnique.org>

Mon, 30 Jun 2008 00:34:58 +0000 (02:34 +0200)
author Vincent Zanotti <vincent.zanotti@polytechnique.org>
Mon, 30 Jun 2008 00:29:30 +0000 (02:29 +0200)
committer Vincent Zanotti <vincent.zanotti@polytechnique.org>
Mon, 30 Jun 2008 00:34:58 +0000 (02:34 +0200)
diff --git a/classes/plwizard.php b/classes/plwizard.php

index 3667268..fecf881 100644 (file)
--- a/classes/plwizard.php
+++ b/classes/plwizard.php
@@ -151,6 +151,8 @@ class PlWizard
  
          // Process the previous page
          if (Post::has('valid_page')) {
+            S::assert_xsrf_token();
+
              $page = $this->getPage(Post::i('valid_page'));
              $curpage = Post::i('valid_page');
              $next = $page->process();
diff --git a/modules/profile.php b/modules/profile.php

index cbe11bb..f663dc1 100644 (file)
--- a/modules/profile.php
+++ b/modules/profile.php
@@ -133,6 +133,8 @@ class ProfileModule extends PLModule
                      .'/'.S::v('forlife').'.jpg';
  
          if (Env::has('upload')) {
+            S::assert_xsrf_token();
+
              $upload = new PlUpload(S::v('forlife'), 'photo');
              if (!$upload->upload($_FILES['userfile']) && !$upload->download(Env::v('photo'))) {
                  $page->trigError('Une erreur est survenue lors du téléchargement du fichier');
@@ -143,6 +145,8 @@ class ProfileModule extends PLModule
                  }
              }
          } elseif (Env::has('trombi')) {
+            S::assert_xsrf_token();
+
              $upload = new PlUpload(S::v('forlife'), 'photo');
              if ($upload->copyFrom($trombi_x)) {
                  $myphoto = new PhotoReq(S::v('uid'), $upload);
@@ -152,6 +156,8 @@ class ProfileModule extends PLModule
                  }
              }
          } elseif (Env::v('suppr')) {
+            S::assert_xsrf_token();
+
              XDB::execute('DELETE FROM  photo
                                  WHERE  uid = {?}',
                           S::v('uid'));
@@ -160,6 +166,8 @@ class ProfileModule extends PLModule
                           S::v('uid'));
              update_NbValid();
          } elseif (Env::v('cancel')) {
+            S::assert_xsrf_token();
+
              $sql = XDB::query('DELETE FROM  requests
                                       WHERE  user_id={?} AND type="photo"',
                                S::v('uid'));
@@ -460,6 +468,8 @@ class ProfileModule extends PLModule
  
          if (!Env::has('promo_sortie')) {
              return;
+        } else {
+            S::assert_xsrf_token();
          }
  
          $promo_sortie = Env::i('promo_sortie');
@@ -663,6 +673,8 @@ class ProfileModule extends PLModule
          $page->assign('usage_req', $nom_usage);
  
          if (Env::has('submit') && ($nom_usage != $usage_old)) {
+            S::assert_xsrf_token();
+
              // on vient de recevoir une requete, differente de l'ancien nom d'usage
              if ($nom_usage == $nom) {
                  $page->assign('same', true);
@@ -723,7 +735,6 @@ class ProfileModule extends PLModule
          list($forlife, $promo) = $q->fetchOneRow();
  
          switch ($action) {
-
              case "original":
                  header("Content-type: image/jpeg");
                 readfile("/home/web/trombino/photos".$promo."/".$forlife.".jpg");
@@ -731,6 +742,8 @@ class ProfileModule extends PLModule
                 break;
  
              case "new":
+                S::assert_xsrf_token();
+
                  $data = file_get_contents($_FILES['userfile']['tmp_name']);
                 list($x, $y) = getimagesize($_FILES['userfile']['tmp_name']);
                 $mimetype = substr($_FILES['userfile']['type'], 6);
@@ -741,6 +754,8 @@ class ProfileModule extends PLModule
                 break;
  
              case "delete":
+                S::assert_xsrf_token();
+
                  XDB::execute('DELETE FROM photo WHERE uid = {?}', $uid);
                  break;
          }
diff --git a/templates/profile/admin_trombino.tpl b/templates/profile/admin_trombino.tpl

index c3c29c8..15180f4 100644 (file)
--- a/templates/profile/admin_trombino.tpl
+++ b/templates/profile/admin_trombino.tpl
@@ -33,7 +33,7 @@ Photo actuelle de {$forlife}
  <br />
  
  <p>
-<a href="admin/trombino/{$uid}/delete">Supprimer cette photo</a>
+<a href="admin/trombino/{$uid}/delete?token={xsrf_token}">Supprimer cette photo</a>
  </p>
  
  <p>
@@ -41,6 +41,7 @@ Photo actuelle de {$forlife}
  </p>
  
  <form action="admin/trombino/{$uid}/new" method="post" enctype="multipart/form-data">
+  {xsrf_token_field}
    <div>
      <input name="userfile" type="file" size="20" maxlength="150" />
      <input type="submit" value="Envoyer" />
diff --git a/templates/profile/base.tpl b/templates/profile/base.tpl

index dba4c05..bfd56f1 100644 (file)
--- a/templates/profile/base.tpl
+++ b/templates/profile/base.tpl
@@ -21,6 +21,7 @@
  {**************************************************************************}
  
  <form action="{$wiz_baseurl}/{$lookup[$current]}" method="post" id="prof_annu">
+  {xsrf_token_field}
    <div>
      {icon name=information title="Voir ma fiche"} Tu peux consulter ta fiche telle que la
      voient <a class="popup2" href="profile/{$smarty.session.forlife}?view=public">n'importe quel internaute</a>,
diff --git a/templates/profile/nomusage.tpl b/templates/profile/nomusage.tpl

index 9b813df..58f4f8f 100644 (file)
--- a/templates/profile/nomusage.tpl
+++ b/templates/profile/nomusage.tpl
@@ -92,6 +92,7 @@ utiliser une adresse personnalisée, il faut se tourner vers
    return false;
  ">
  {/literal}
+    {xsrf_token_field}
      <table class="bicol" cellpadding="4" summary="Nom d'usage">
        <tr>
          <th>Nom d'usage</th>
diff --git a/templates/profile/orange.tpl b/templates/profile/orange.tpl

index fac9b52..b057cc0 100644 (file)
--- a/templates/profile/orange.tpl
+++ b/templates/profile/orange.tpl
@@ -41,6 +41,7 @@
  <br />
  
  <form action="profile/orange" method="post">
+  {xsrf_token_field}
    <table class="bicol" cellpadding="4" summary="Année de sortie">
      <tr>
        <th>Année de sortie</th>
diff --git a/templates/profile/trombino.tpl b/templates/profile/trombino.tpl

index 3b23f6b..877b2fc 100644 (file)
--- a/templates/profile/trombino.tpl
+++ b/templates/profile/trombino.tpl
@@ -24,6 +24,7 @@
  <h1>Trombinoscope</h1>
  
  <form enctype="multipart/form-data" action="photo/change" method="post">
+  {xsrf_token_field}
    {if ($session.promo ge 1995) || ($session.promo le 2002)}
    <p>
    Si tu n'as pas encore fourni de photo, c'est celle du trombinoscope de l'X qui est
author	Vincent Zanotti <vincent.zanotti@polytechnique.org>
	Mon, 30 Jun 2008 00:29:30 +0000 (02:29 +0200)
committer	Vincent Zanotti <vincent.zanotti@polytechnique.org>
	Mon, 30 Jun 2008 00:34:58 +0000 (02:34 +0200)
classes/plwizard.php		patch \| blob \| blame \| history
modules/profile.php		patch \| blob \| blame \| history
templates/profile/admin_trombino.tpl		patch \| blob \| blame \| history
templates/profile/base.tpl		patch \| blob \| blame \| history
templates/profile/nomusage.tpl		patch \| blob \| blame \| history
templates/profile/orange.tpl		patch \| blob \| blame \| history
templates/profile/trombino.tpl		patch \| blob \| blame \| history