Fixed issue #13559: [security] CSRF -> Stored XSS in template install…

…ation
LimeSurvey · May 17, 2018 · ff0ff76 · ff0ff76
1 parent e8061f5
commit ff0ff76
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/application/controllers/admin/themeoptions.php b/application/controllers/admin/themeoptions.php
@@ -242,9 +242,9 @@ public function loadModel($id)
     }
 
 
-    public function importManifest($templatename)
+    public function importManifest()
     {
-        $templatename = sanitize_paranoid_string($templatename);
+        $templatename = Yii::app()->request->getPost('templatename');
         if (Permission::model()->hasGlobalPermission('templates', 'update')) {
             TemplateManifest::importManifest($templatename);
             $this->getController()->redirect(array("admin/themeoptions"));

diff --git a/application/models/TemplateManifest.php b/application/models/TemplateManifest.php
@@ -259,7 +259,6 @@ public function getTemplateURL()
     public function getButtons()
     {
         $sEditorUrl  = Yii::app()->getController()->createUrl('admin/themes/sa/view', array("templatename"=>$this->sTemplateName));
-        $sLoadUrl    = Yii::app()->getController()->createUrl('admin/themeoptions/sa/importmanifest/', array("templatename"=>$this->sTemplateName));
         $sDeleteUrl  = Yii::app()->getController()->createUrl('admin/themeoptions/sa/deleteTemplate/', array("templatename"=>$this->sTemplateName));
 
         // TODO: load to DB
@@ -275,13 +274,14 @@ class='btn btn-default btn-block'>
 
         $sLoadLink = '';
 
-        $sLoadLink .= "<a
-                id='template_options_link_".$this->sTemplateName."'
-                href='".$sLoadUrl."'
+        $sLoadLink .= CHtml::form( array("/admin/themeoptions/sa/importmanifest/"), 'post',array('id'=>'frmínstalltheme','name'=>'frmínstalltheme')) .
+                "<input type='hidden' name='templatename' value='".$this->sTemplateName."'>
+                <button id='template_options_link_".$this->sTemplateName."'
                 class='btn btn-default btn-block'>
                     <span class='fa fa-download text-warning'></span>
                     ".gT('Install')."
-                </a>";
+                </button>
+                </form>";
 
         $sDeleteLink = "<a
                 id='template_options_link_".$this->sTemplateName."'