From ce8ec5a34aa97250ac9182b0f86f188d79e29a1c Mon Sep 17 00:00:00 2001
From: Vincent Zanotti
Date: Fri, 4 Jul 2008 13:54:20 +0200
Subject: [PATCH] Adds XSRF protection to the Marketing module.
Signed-off-by: Vincent Zanotti
---
 modules/marketing.php | 8 ++++++++
 templates/marketing/broken.tpl | 1 +
 templates/marketing/private.tpl | 5 +++--
 templates/marketing/public.tpl | 1 +
 templates/marketing/relance.tpl | 1 +
 5 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/modules/marketing.php b/modules/marketing.php
index 83dcd89..6296a6c 100644
--- a/modules/marketing.php
+++ b/modules/marketing.php
@@ -105,6 +105,7 @@ class MarketingModule extends PLModule
 }
 if ($action == 'del') {
+ S::assert_xsrf_token();
 Marketing::clear($uid, $value);
 }
@@ -128,6 +129,8 @@ class MarketingModule extends PLModule
 }
 if ($action == 'relforce') {
+ S::assert_xsrf_token();
+
 $market = Marketing::get($uid, Post::v('to'));
 if (is_null($market)) {
 $market = new Marketing($uid, Post::v('to'), 'default', null, 'staff');
@@ -137,6 +140,7 @@ class MarketingModule extends PLModule
 }
 if ($action == 'insrel') {
+ S::assert_xsrf_token();
 if (Marketing::relance($uid)) {
 $page->trigSuccess('relance faite');
 }
@@ -199,6 +203,8 @@ class MarketingModule extends PLModule
 $email = valide_email(Post::v('mail'));
 }
 if (Post::has('valide') && isvalid_email_redirection($email)) {
+ S::assert_xsrf_token();
+
 // security stuff
 check_email($email, "Proposition d'une adresse surveillee pour " . $user['forlife'] . " par " . S::v('forlife'));
 $res = XDB::query("SELECT e.flags
@@ -261,6 +267,8 @@ class MarketingModule extends PLModule
 $page->assign('promo', $promo);
 if (Post::has('valide')) {
+ S::assert_xstf_token();
+
 require_once('xorg.misc.inc.php');
 $email = trim(Post::v('mail'));
diff --git a/templates/marketing/broken.tpl b/templates/marketing/broken.tpl
index 330e8a4..634dd7b 100644
--- a/templates/marketing/broken.tpl
+++ b/templates/marketing/broken.tpl
@@ -69,6 +69,7 @@
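Review bot: The guard added in the last marketing.php hunk (`@@ -261,6 +267,8 @@`) calls `S::assert_xstf_token()`, a misspelling of the `S::assert_xsrf_token()` that the other four hunks of this file use; unless class S happens to declare both names, PHP aborts with an undefined-method fatal error on every submission of that `valide` form, so this handler ends up unusable rather than protected. Replace the line with `S::assert_xsrf_token();`. The enclosing method begins and ends outside the hunk, so the guard's position relative to any earlier exit in that method cannot be checked from here. Submitting each guarded form once with a valid token in a smoke test would have caught this kind of slip before it shipped.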

+ {xsrf_token_field}
diff --git a/templates/marketing/private.tpl b/templates/marketing/private.tpl
index b09926c..042365c 100644
--- a/templates/marketing/private.tpl
+++ b/templates/marketing/private.tpl
@@ -45,7 +45,7 @@ sa dernière relance date du {$relance|date_format}
 {/if}

-

[le relancer]

+

[le relancer]

{/if}
@@ -69,7 +69,7 @@ sa dernière relance date du {$relance|date_format}
@@ -97,6 +97,7 @@ sa dernière relance date du {$relance|date_format}
 {if $rel_to}
+ {xsrf_token_field}
Proposition d'adresse pour
{$user.nom} {$user.prenom} (X{$user.promo})
{$a.last|date_format|default:'-'} {$a.nb|default:"-"} - del
+ del
relance
diff --git a/templates/marketing/public.tpl b/templates/marketing/public.tpl
index 34f98f4..a34b929 100644
--- a/templates/marketing/public.tpl
+++ b/templates/marketing/public.tpl
@@ -74,6 +74,7 @@ peut sans aucun doute l'aider à se décider !

+ {xsrf_token_field}
Edition du mail de relance
diff --git a/templates/marketing/relance.tpl b/templates/marketing/relance.tpl
index 2fe9508..46ad33b 100644
--- a/templates/marketing/relance.tpl
+++ b/templates/marketing/relance.tpl
@@ -28,6 +28,7 @@
 {/foreach}
+ {xsrf_token_field}
Nom :{$nom}
Prénom :{$prenom}
-- 2.1.4