Dev: some security ? in template copy

Dev: Use jquery in sendPost (not $.post, because need real submit)
LimeSurvey · Oct 2, 2013 · 7003e2e · 7003e2e
1 parent ad219cc
commit 7003e2e
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 27 deletions.
diff --git a/application/controllers/admin/templates.php b/application/controllers/admin/templates.php
@@ -430,14 +430,14 @@ public function templaterename()
     public function templatecopy()
     {
         $clang = $this->getController()->lang;
-
-        if (returnGlobal('action') == "templatecopy" && returnGlobal('newname') && returnGlobal('copydir')) {
+        $newname=sanitize_paranoid_string(Yii::app()->request->getPost("newname"));
+        $copydir=sanitize_paranoid_string(Yii::app()->request->getPost("copydir"));
+        $action=Yii::app()->request->getPost("action");
+        if ($newname && $copydir) {
             // Copies all the files from one template directory to a new one
-            // This is a security issue because it is allowing copying from get variables...
             Yii::app()->loadHelper('admin/template');
-            $newname= sanitize_paranoid_string(returnGlobal('newname'));
             $newdirname = Yii::app()->getConfig('usertemplaterootdir') . "/" . $newname;
-            $copydirname = getTemplatePath(returnGlobal('copydir'));
+            $copydirname = getTemplatePath($copydir);
 
             $oFileHelper=new CFileHelper;
 
@@ -447,13 +447,25 @@ public function templatecopy()
             if ($mkdirresult == 1) {
                 $oFileHelper->copyDirectory($copydirname,$newdirname);
                 $templatename = $newname;
-                $this->index("startpage.pstpl", "welcome", $templatename);
+                $this->getController()->redirect(array(App()->getController()->createUrl("admin/templates/sa/view",array('templatename'=>$newname))));
             }
             elseif ($mkdirresult == 2)
-                $this->getController()->error(sprintf($clang->gT("Directory with the name `%s` already exists - choose another name", "js"), $newname));
+            {
+                Yii::app()->setFlashMessage(sprintf($clang->gT("Directory with the name `%s` already exists - choose another name"), $newname),'error');
+                $this->getController()->redirect(array(App()->getController()->createUrl("admin/templates/sa/view",array('templatename'=>$copydir))));
+                //$this->index("startpage.pstpl", "welcome", $copydirname);
+            }
             else
-                $this->getController()->error(sprintf($clang->gT("Unable to create directory `%s`.", "js"), $newname) . " " . $clang->gT("Please check the directory permissions.", "js"));
-            ;
+            {
+                Yii::app()->setFlashMessage(sprintf($clang->gT("Unable to create directory `%s`."), $newname),'error');
+                Yii::app()->setFlashMessage($clang->gT("Please check the directory permissions."));
+                $this->getController()->redirect(array("admin/templates/sa/view"));
+                //$this->index("startpage.pstpl", "welcome", $copydirname);
+            }
+        }
+        else
+        {
+            $this->getController()->redirect(array("admin/templates/sa/view"));
         }
     }
 
@@ -481,10 +493,10 @@ public function delete($templatename)
                 Template::model()->deleteAllByAttributes(array('folder' => $templatename));
                 Permission::model()->deleteAllByAttributes(array('permission' => $templatename,'entity' => 'template'));
 
-                Yii::app()->session['flashmessage'] = sprintf($clang->gT("Template '%s' was successfully deleted."), $templatename);
+                Yii::app()->setFlashMessage(sprintf($clang->gT("Template '%s' was successfully deleted."), $templatename));
             }
             else
-                Yii::app()->session['flashmessage'] = sprintf($clang->gT("There was a problem deleting the template '%s'. Please check your directory/file permissions."), $templatename);
+                Yii::app()->setFlashMessage(sprintf($clang->gT("There was a problem deleting the template '%s'. Please check your directory/file permissions."), $templatename),'error');
         }
 
         // Redirect with default templatename, editfile and screenname

diff --git a/scripts/admin/admin_core.js b/scripts/admin/admin_core.js
@@ -737,24 +737,16 @@ function tableCellAdapters()
  * @param {array} arrayparam
  * @param {array} arrayval
  *
- * TODO : use $.post 
  */
 function sendPost(myaction,checkcode,arrayparam,arrayval)
 {
-    var myform = document.createElement('form');
-    document.body.appendChild(myform);
-    myform.action =myaction;
-    myform.method = 'POST';
-    for (i=0;i<arrayparam.length;i++)
-    {
-        addHiddenElement(myform,arrayparam[i],arrayval[i])
-    }
+    var $form = $("<form method='POST'>").attr("action", myaction);
+    for (var i = 0; i < arrayparam.length; i++)
+        $("<input type='hidden'>").attr("name", arrayparam[i]).attr("value", arrayval[i]).appendTo($form);
     if(typeof csrfToken =="string")
-    {
-        addHiddenElement(myform,'YII_CSRF_TOKEN',csrfToken);
-    }
-    // Maybe submit only if csrfToken is string
-    myform.submit();
+        $("<input type='hidden'>").attr("name", 'YII_CSRF_TOKEN').attr("value", csrfToken).appendTo($form);
+    $form.appendTo("body");
+    $form.submit();
 }
 function addHiddenElement(theform,thename,thevalue)
 {
@@ -765,5 +757,3 @@ function addHiddenElement(theform,thename,thevalue)
     myel.value = thevalue;
     return myel;
 }
-
-