From 8d73663dcead13504ec2c71ce625adb79b438c6d Mon Sep 17 00:00:00 2001
From: Vincent Zanotti <vincent.zanotti@polytechnique.org>
Date: Thu, 3 Jul 2008 23:08:26 +0200
Subject: [PATCH] Adds XSRF protection to the XnetLists module.

Signed-off-by: Vincent Zanotti <vincent.zanotti@polytechnique.org>
---
 modules/xnetlists.php                | 12 ++++++++++++
 templates/xnetlists/alias-admin.tpl  |  3 ++-
 templates/xnetlists/alias-create.tpl |  1 +
 templates/xnetlists/create.tpl       |  1 +
 templates/xnetlists/index.tpl        |  5 +++--
 templates/xnetlists/sync.tpl         |  2 +-
 6 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/modules/xnetlists.php b/modules/xnetlists.php
index f442fea..3c71652 100644
--- a/modules/xnetlists.php
+++ b/modules/xnetlists.php
@@ -79,15 +79,19 @@ class XnetListsModule extends ListsModule
         $page->changeTpl('xnetlists/index.tpl');
 
         if (Get::has('del')) {
+            S::assert_xsrf_token();
             $this->client->unsubscribe(Get::v('del'));
             pl_redirect('lists');
         }
         if (Get::has('add')) {
+            S::assert_xsrf_token();
             $this->client->subscribe(Get::v('add'));
             pl_redirect('lists');
         }
 
         if (Post::has('del_alias') && may_update()) {
+            S::assert_xsrf_token();
+
             $alias = Post::v('del_alias');
             // prevent group admin from erasing aliases from other groups
             $alias = substr($alias, 0, strpos($alias, '@')).'@'.$globals->asso('mail_domain');
@@ -125,6 +129,8 @@ class XnetListsModule extends ListsModule
 
         if (!Post::has('submit')) {
             return;
+        } else {
+            S::assert_xsrf_token();
         }
 
         if (!Post::has('liste')) {
@@ -189,6 +195,7 @@ class XnetListsModule extends ListsModule
         $page->changeTpl('xnetlists/sync.tpl');
 
         if (Env::has('add')) {
+            S::assert_xsrf_token();
             $this->client->mass_subscribe($liste, array_keys(Env::v('add')));
         }
 
@@ -234,6 +241,8 @@ class XnetListsModule extends ListsModule
         $page->changeTpl('xnetlists/alias-admin.tpl');
 
         if (Env::has('add_member')) {
+            S::assert_xsrf_token();
+
             $add = Env::v('add_member');
             if (strstr($add, '@')) {
                 list($mbox,$dom) = explode('@', strtolower($add));
@@ -269,6 +278,7 @@ class XnetListsModule extends ListsModule
         }
 
         if (Env::has('del_member')) {
+            S::assert_xsrf_token();
             XDB::query(
                     "DELETE FROM  x4dat.virtual_redirect
                            USING  x4dat.virtual_redirect
@@ -308,6 +318,8 @@ class XnetListsModule extends ListsModule
 
         if (!Post::has('submit')) {
             return;
+        } else {
+            S::assert_xsrf_token();
         }
 
         if (!Post::has('liste')) {
diff --git a/templates/xnetlists/alias-admin.tpl b/templates/xnetlists/alias-admin.tpl
index 1b25671..91ddf3e 100644
--- a/templates/xnetlists/alias-admin.tpl
+++ b/templates/xnetlists/alias-admin.tpl
@@ -45,7 +45,7 @@
       {if $m.admin}</strong>{/if}
     </td>
     <td class="center">
-      <a href='{$platal->ns}alias/admin/{$platal->argv[1]}?del_member={$m.redirect|urlencode}'>
+      <a href='{$platal->ns}alias/admin/{$platal->argv[1]}?del_member={$m.redirect|urlencode}&amp;token={xsrf_token}'>
       {icon name=delete title='retirer membre'}
       </a>
     </td>
@@ -64,6 +64,7 @@
   <tr>
     <td colspan="3" class="center">
       <form method="post" action="{$platal->ns}alias/admin/{$platal->argv[1]}">
+        {xsrf_token_field}
         <div>
         <input type='text' name='add_member' />
         &nbsp;
diff --git a/templates/xnetlists/alias-create.tpl b/templates/xnetlists/alias-create.tpl
index 243312a..688dd92 100644
--- a/templates/xnetlists/alias-create.tpl
+++ b/templates/xnetlists/alias-create.tpl
@@ -46,6 +46,7 @@ Pour les autres besoins de communications (notament pour un grand nombre de pers
 de modération), il est recommandé de créer <a href="{$platal->ns}lists/create">une liste de diffusion</a>.
 </p>
 <form action='{$platal->ns}alias/create' method='post'>
+  {xsrf_token_field}
   <table class='large'>
     <tr>
       <th colspan='2'>Caractéristiques de l'alias</th>
diff --git a/templates/xnetlists/create.tpl b/templates/xnetlists/create.tpl
index 21baa74..6bcb001 100644
--- a/templates/xnetlists/create.tpl
+++ b/templates/xnetlists/create.tpl
@@ -34,6 +34,7 @@ Si tu as besoin de cette fonctionnalité, il faut alors <strong>impérativement<
 <a href="{$platal->ns}alias/create">un alias</a> qui, lui, est capable de regrouper plusieurs listes.
 </p>
 <form action='{$platal->ns}lists/create' method='post'>
+  {xsrf_token_field}
   <table class="large">
     <tr>
       <th colspan='4'>Caractéristiques de la Liste</th>
diff --git a/templates/xnetlists/index.tpl b/templates/xnetlists/index.tpl
index f2ad857..7af568c 100644
--- a/templates/xnetlists/index.tpl
+++ b/templates/xnetlists/index.tpl
@@ -24,6 +24,7 @@
 
 <p class="error">Es-tu sûr de vouloir supprimer l'alias {$smarty.get.del_alias} ?</p>
 <form action='{$platal->ns}lists' method="post">
+  {xsrf_token_field}
   <div class="center">
     <input type='submit' value="Oui, je suis sûr" />
     <input type='hidden' name='del_alias' value="{$smarty.get.del_alias}" />
@@ -79,11 +80,11 @@ croix verte te permet de t'inscrire, après accord des responsables si l'inscrip
     <td align='right'>{$l.nbsub}</td>
     <td align='center'>
       {if $l.sub eq 2}
-      <a href="{$platal->ns}lists?del={$l.list}">{icon name=cross title="me désinscrire"}</a>
+      <a href="{$platal->ns}lists?del={$l.list}&amp;token={xsrf_token}">{icon name=cross title="me désinscrire"}</a>
       {elseif $l.sub eq 1}
       {icon name=flag_orange title='inscription en attente de modération'}
       {else}
-      <a href="{$platal->ns}lists?add={$l.list}">{icon name=add title="m'inscrire"}</a>
+      <a href="{$platal->ns}lists?add={$l.list}&amp;token={xsrf_token}">{icon name=add title="m'inscrire"}</a>
       {/if}
     </td>
   </tr>
diff --git a/templates/xnetlists/sync.tpl b/templates/xnetlists/sync.tpl
index 8cfad99..b7e979c 100644
--- a/templates/xnetlists/sync.tpl
+++ b/templates/xnetlists/sync.tpl
@@ -24,7 +24,7 @@
 <h1>Non abonnés à la liste {$platal->argv[1]}@{$asso.mail_domain}</h1>
 
 <form action="{$platal->ns}lists/sync/{$platal->argv[1]}" method="post">
-
+  {xsrf_token_field}
   <table cellspacing="2" cellpadding="0" class="tiny">
     <tr>
       <th colspan="2">Membre</th>
-- 
2.1.4