From fde3e90eec52076baad7ee2a202388ff95931c45 Mon Sep 17 00:00:00 2001
From: Vincent Zanotti
Date: Sun, 18 May 2008 16:55:03 +0200
Subject: [PATCH] Adds XSRF protection to the AXLetter module.

Fixes several bugs in the AXLetter module (admin validation / AX cancellation of letters wasn't properly working; it was not possible to add admins with user ids above 2^15 - 1).

Signed-off-by: Vincent Zanotti
---
 modules/axletter.php | 26 ++++++++++----------------
 templates/axletter/admin.tpl | 3 ++-
 templates/axletter/edit.tpl | 5 +++--
 upgrade/0.9.17/01_axletter.sql | 3 +++
 4 files changed, 18 insertions(+), 19 deletions(-)
 create mode 100644 upgrade/0.9.17/01_axletter.sql

diff --git a/modules/axletter.php b/modules/axletter.php
index 7ea3f06..d093bd3 100644
--- a/modules/axletter.php
+++ b/modules/axletter.php
@@ -109,7 +109,7 @@ class AXLetterModule extends PLModule
 $saved = false;
 $new = true;
 }
- } elseif (Post::has('valid')) {
+ } elseif (Post::has('valid') && S::has_xsrf_token()) {
 if (!$subject && $title) {
 $subject = $title;
 }
@@ -190,6 +190,8 @@ class AXLetterModule extends PLModule
 pl_redirect('ax');
 break;
 }
+ } elseif (Post::has('valid')) {
+ $page->trig("L'opération a échouée, merci de réessayer.");
 }
 $page->assign('id', $id);
 $page->assign('short_name', $short_name);
@@ -224,17 +226,12 @@ class AXLetterModule extends PLModule
 function handler_cancel(&$page, $force = null)
 {
 require_once dirname(__FILE__) . '/axletter/axletter.inc.php';
- if (!AXLetter::hasPerms()) {
- return PL_FORBIDDEN;
- }
-
- $url = parse_url($_SERVER['HTTP_REFERER']);
- if ($force != 'force' && trim($url['path'], '/') != 'ax/edit') {
+ if (!AXLetter::hasPerms() || !S::has_xsrf_token()) {
 return PL_FORBIDDEN;
 }
 $al = AXLetter::awaiting();
- if (!$alg) {
+ if (!$al) {
 $page->kill("Aucune lettre en attente");
 return;
 }
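Review bot: The new user-facing message in the `elseif (Post::has('valid'))` branch has a grammar slip: with the auxiliary "avoir" the past participle does not agree with the subject, so `$page->trig("L'opération a échouée, merci de réessayer.");` should read `$page->trig("L'opération a échoué, merci de réessayer.");`. The same form appears in the admin handler's new message in the hunk at -308 (`... a échouée, merci de réessayer.`). Every request rejected for a missing or stale token will display this text, so it is worth correcting before the release. The enclosing handler starts and ends outside this hunk.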
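Review bot: `$force` is now dead in `function handler_cancel(&$page, $force = null)`: its only reader was the removed Referer comparison, and the same holds for handler_valid in the next hunk. If the router still hands the path segment to these handlers, a short comment such as `// $force is unused: the referer check it bypassed was replaced by the XSRF token` saves the next reader a search; if not, drop the parameter in both signatures. Swapping the Referer check for `S::has_xsrf_token()` is the right move, since Referer is client-supplied and frequently absent. These two handlers appear to be reached from links in edit.tpl rather than forms; if so the token travels in the query string, where it can end up in access logs and outbound Referer headers, and a POST form would keep it out of both. The rest of handler_cancel continues beyond the hunk.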
@@ -249,12 +246,7 @@ class AXLetterModule extends PLModule
 function handler_valid(&$page, $force = null)
 {
 require_once dirname(__FILE__) . '/axletter/axletter.inc.php';
- if (!AXLetter::hasPerms()) {
- return PL_FORBIDDEN;
- }
-
- $url = parse_url($_SERVER['HTTP_REFERER']);
- if ($force != 'force' && trim($url['path'], '/') != 'ax/edit') {
+ if (!AXLetter::hasPerms() || !S::has_xsrf_token()) {
 return PL_FORBIDDEN;
 }
 
@@ -296,7 +288,7 @@ class AXLetterModule extends PLModule
 $action = Post::v('action');
 $uid = Post::v('uid');
 }
- if ($uid) {
+ if ($uid && S::has_xsrf_token()) {
 $uids = preg_split('/ *[,;\: ] */', $uid);
 foreach ($uids as $uid) {
 switch ($action) {
@@ -308,9 +300,11 @@ class AXLetterModule extends PLModule
 break;
 }
 if (!$res) {
- $page->trig("Personne ne oorrespond à l'identifiant '$uid'");
+ $page->trig("Personne ne correspond à l'identifiant '$uid'");
 }
 }
+ } elseif ($uid) {
+ $page->trig("L'opération sur la liste des administrateurs AX a échouée, merci de réessayer.");
 }
 
 $page->changeTpl('axletter/admin.tpl');
diff --git a/templates/axletter/admin.tpl b/templates/axletter/admin.tpl
index 6632c49..a4ab3e3 100644
--- a/templates/axletter/admin.tpl
+++ b/templates/axletter/admin.tpl
@@ -23,6 +23,7 @@

Droits d'administration des lettres de l'AX

+ {xsrf_token_field} @@ -37,7 +38,7 @@ {iterate item=a from=$admins} - + {/iterate}
Nom
{$a.prenom} {$a.nom} (X{$a.promo}){icon name=user_suit}{icon name=cross title="Retirer"}{icon name=cross title="Retirer"}
diff --git a/templates/axletter/edit.tpl b/templates/axletter/edit.tpl
index 12a0092..cea59d5 100644
--- a/templates/axletter/edit.tpl
+++ b/templates/axletter/edit.tpl
@@ -23,6 +23,7 @@

Edition de message

+ {xsrf_token_field} {if $am} {include file="axletter/letter.tpl"} @@ -76,10 +77,10 @@ Envoi au plus tard le {$echeance|date_format:"%x vers %Hh"}
{if $is_xorg} - [{* + [{* *}{icon name=thumb_up} Valider l'envoi] {else} - [{* + [{* *}{icon name=thumb_down} Annuler l'envoi] {/if}
diff --git a/upgrade/0.9.17/01_axletter.sql b/upgrade/0.9.17/01_axletter.sql
new file mode 100644
index 0000000..17ffb94
--- /dev/null
+++ b/upgrade/0.9.17/01_axletter.sql
@@ -0,0 +1,3 @@
+ALTER TABLE axletter_rights CHANGE COLUMN user_id user_id SMALLINT UNSIGNED NOT NULL DEFAULT 0;
+
+-- vim:set syntax=mysql:
-- 
2.1.4
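Review bot: `SMALLINT UNSIGNED` only raises the ceiling from 32767 to 65535, so the "user ids above 2^15 - 1" failure described in the commit message returns at 2^16 if the users table's user_id is wider. Aligning this column with the type of the referenced user_id (not visible from this patch, so worth checking) would close the bug for good rather than moving it. Also, depending on the server's SQL mode, `CHANGE COLUMN` to an unsigned type will either reject or clamp any existing negative value; a quick `SELECT` for `user_id < 0` before running the upgrade rules that out.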