Use $_POST variables instead of $_CSFR in setting dialogs, to prevent…

… CSRF attacks.
Part-DB · Oct 13, 2018 · c32399f · c32399f
1 parent 7c94e23
commit c32399f
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 77 deletions.
diff --git a/login.php b/login.php
@@ -26,8 +26,8 @@
 use PartDB\Log;
 use PartDB\User;
 
-$user_name = isset($_REQUEST['username']) ? $_REQUEST['username'] : "";
-$password = isset($_REQUEST['password']) ? $_REQUEST['password']: "";
+$user_name = isset($_POST['username']) ? $_POST['username'] : "";
+$password = isset($_POST['password']) ? $_POST['password']: "";
 $logout   = isset($_REQUEST['logout']);
 
 $redirect_url = isset($_REQUEST['redirect']) ? $_REQUEST['redirect'] : "";

diff --git a/system_config.php b/system_config.php
@@ -60,87 +60,87 @@ function build_theme_loop()
 
 /********************************************************************************
  *
- *   Evaluate $_REQUEST
+ *   Evaluate $_POST
  *
  *********************************************************************************/
 
 // section "system settings"
-$http_charset               = isset($_REQUEST['http_charset'])      ? (string)$_REQUEST['http_charset']     : 'utf-8';
-$theme                      = isset($_REQUEST['theme'])             ? (string)$_REQUEST['theme']            : $config['html']['theme'];
-$custom_css                 = isset($_REQUEST['custom_css'])        ? (string)$_REQUEST['custom_css']       : $config['html']['custom_css'];
-$timezone                   = isset($_REQUEST['timezone'])          ? (string)$_REQUEST['timezone']         : $config['timezone'];
-$language                   = isset($_REQUEST['language'])          ? (string)$_REQUEST['language']         : $config['language'];
-$disable_updatelist         = isset($_REQUEST['disable_updatelist']);
-$disable_search_warning     = isset($_REQUEST['disable_search_warning']);
-$disable_help               = isset($_REQUEST['disable_help']);
-$disable_config             = isset($_REQUEST['disable_config']);
-$enable_debug_link          = isset($_REQUEST['enable_debug_link']);
-$disable_devices            = isset($_REQUEST['disable_devices']);
-$disable_footprints         = isset($_REQUEST['disable_footprints']);
-$disable_manufacturers      = isset($_REQUEST['disable_manufacturers']);
-$disable_labels             = isset($_REQUEST['disable_labels']);
-$disable_calculator         = isset($_REQUEST['disable_calculator']);
-$disable_iclogos            = isset($_REQUEST['disable_iclogos']);
-$disable_auto_datasheets    = isset($_REQUEST['disable_auto_datasheets']);
-$disable_tools_footprints   = isset($_REQUEST['disable_tools_footprints']);
-$disable_suppliers          = isset($_REQUEST['disable_suppliers']);
-$tools_footprints_autoload  = isset($_REQUEST['tools_footprints_autoload']);
-$enable_developer_mode      = isset($_REQUEST['enable_developer_mode']);
-$use_modal_popup            = isset($_REQUEST['use_modal_popup']);
-$popup_width                = isset($_REQUEST['popup_width'])       ? (integer)$_REQUEST['popup_width']     : $config['popup']['width'];
-$popup_height               = isset($_REQUEST['popup_height'])      ? (integer)$_REQUEST['popup_height']    : $config['popup']['height'];
-$page_title                 = isset($_REQUEST['page_title'])        ? (string)$_REQUEST['page_title']       : $config['page_title'];
-$startup_banner             = isset($_REQUEST['startup_banner'])    ? (string)$_REQUEST['startup_banner']   : $config['startup']['custom_banner'];
-$downloads_enable           = isset($_REQUEST['downloads_enable']);
+$http_charset               = isset($_POST['http_charset'])      ? (string)$_POST['http_charset']     : 'utf-8';
+$theme                      = isset($_POST['theme'])             ? (string)$_POST['theme']            : $config['html']['theme'];
+$custom_css                 = isset($_POST['custom_css'])        ? (string)$_POST['custom_css']       : $config['html']['custom_css'];
+$timezone                   = isset($_POST['timezone'])          ? (string)$_POST['timezone']         : $config['timezone'];
+$language                   = isset($_POST['language'])          ? (string)$_POST['language']         : $config['language'];
+$disable_updatelist         = isset($_POST['disable_updatelist']);
+$disable_search_warning     = isset($_POST['disable_search_warning']);
+$disable_help               = isset($_POST['disable_help']);
+$disable_config             = isset($_POST['disable_config']);
+$enable_debug_link          = isset($_POST['enable_debug_link']);
+$disable_devices            = isset($_POST['disable_devices']);
+$disable_footprints         = isset($_POST['disable_footprints']);
+$disable_manufacturers      = isset($_POST['disable_manufacturers']);
+$disable_labels             = isset($_POST['disable_labels']);
+$disable_calculator         = isset($_POST['disable_calculator']);
+$disable_iclogos            = isset($_POST['disable_iclogos']);
+$disable_auto_datasheets    = isset($_POST['disable_auto_datasheets']);
+$disable_tools_footprints   = isset($_POST['disable_tools_footprints']);
+$disable_suppliers          = isset($_POST['disable_suppliers']);
+$tools_footprints_autoload  = isset($_POST['tools_footprints_autoload']);
+$enable_developer_mode      = isset($_POST['enable_developer_mode']);
+$use_modal_popup            = isset($_POST['use_modal_popup']);
+$popup_width                = isset($_POST['popup_width'])       ? (integer)$_POST['popup_width']     : $config['popup']['width'];
+$popup_height               = isset($_POST['popup_height'])      ? (integer)$_POST['popup_height']    : $config['popup']['height'];
+$page_title                 = isset($_POST['page_title'])        ? (string)$_POST['page_title']       : $config['page_title'];
+$startup_banner             = isset($_POST['startup_banner'])    ? (string)$_POST['startup_banner']   : $config['startup']['custom_banner'];
+$downloads_enable           = isset($_POST['downloads_enable']);
 
 // section "appearance"
-$use_old_datasheet_icons    = isset($_REQUEST['use_old_datasheet_icons']);
-$short_description          = isset($_REQUEST['short_description']);
-$others_panel_collapse      = isset($_REQUEST['others_panel_collapse']);
-$others_panel_postion       = isset($_REQUEST['others_panel_position']) ? (string)$_REQUEST['others_panel_position'] : "top";
+$use_old_datasheet_icons    = isset($_POST['use_old_datasheet_icons']);
+$short_description          = isset($_POST['short_description']);
+$others_panel_collapse      = isset($_POST['others_panel_collapse']);
+$others_panel_postion       = isset($_POST['others_panel_position']) ? (string)$_POST['others_panel_position'] : "top";
 
 // section "3d footprints"
-$foot3d_active              = isset($_REQUEST['foot3d_active']);
-$foot3d_show_info           = isset($_REQUEST['foot3d_show_info']);
+$foot3d_active              = isset($_POST['foot3d_active']);
+$foot3d_show_info           = isset($_POST['foot3d_show_info']);
 
 //section "part properites"
-$properties_active          = isset($_REQUEST['properties_active']);
+$properties_active          = isset($_POST['properties_active']);
 
 //Edit parts
-$created_redirect           = isset($_REQUEST['created_redirect']);
-$saved_redirect             = isset($_REQUEST['saved_redirect']);
+$created_redirect           = isset($_POST['created_redirect']);
+$saved_redirect             = isset($_POST['saved_redirect']);
 
 //Table settings
-$table_autosort             = isset($_REQUEST['table_autosort']);
-$default_subcat             = isset($_REQUEST['default_subcat']);
-$default_limit              = isset($_REQUEST['default_limit']) ? (int) $_REQUEST['default_limit']  : 50;
-$show_full_paths            = isset($_REQUEST['show_full_paths']);
-$instock_warning_full_row   = isset($_REQUEST['instock_warning_full_row']);
+$table_autosort             = isset($_POST['table_autosort']);
+$default_subcat             = isset($_POST['default_subcat']);
+$default_limit              = isset($_POST['default_limit']) ? (int) $_POST['default_limit']  : 50;
+$show_full_paths            = isset($_POST['show_full_paths']);
+$instock_warning_full_row   = isset($_POST['instock_warning_full_row']);
 
 //Search settings
-$livesearch_active          = isset($_REQUEST['livesearch_active']);
-$search_highlighting        = isset($_REQUEST['search_highlighting']);
+$livesearch_active          = isset($_POST['livesearch_active']);
+$search_highlighting        = isset($_POST['search_highlighting']);
 
 //Attachement settings
-$attachements_structure     = isset($_REQUEST['attachements_structure']);
-$attachements_download      = isset($_REQUEST['attachements_download']);
-$attachements_show_name     = isset($_REQUEST['attachements_show_name']);
+$attachements_structure     = isset($_POST['attachements_structure']);
+$attachements_download      = isset($_POST['attachements_download']);
+$attachements_show_name     = isset($_POST['attachements_show_name']);
 
 //Detailinfo settings
-$info_hide_actions              = isset($_REQUEST['info_hide_actions']);
-$info_hide_empty_orderdetails   = isset($_REQUEST['info_hide_empty_orderdetails']);
-$info_hide_empty_attachements   = isset($_REQUEST['info_hide_empty_attachements']);
+$info_hide_actions              = isset($_POST['info_hide_actions']);
+$info_hide_empty_orderdetails   = isset($_POST['info_hide_empty_orderdetails']);
+$info_hide_empty_attachements   = isset($_POST['info_hide_empty_attachements']);
 
 //User settings
-$use_gravatar                   = isset($_REQUEST['gravatar_enable']);
-$login_redirect                 = isset($_REQUEST['login_redirect']);
-$max_sessiontime                = isset($_REQUEST['max_sessiontime']) ? $_REQUEST['max_sessiontime'] : -1;
+$use_gravatar                   = isset($_POST['gravatar_enable']);
+$login_redirect                 = isset($_POST['login_redirect']);
+$max_sessiontime                = isset($_POST['max_sessiontime']) ? $_POST['max_sessiontime'] : -1;
 
 //Logging system settings
-$min_log_level                  = isset($_REQUEST['min_log_level']) ? (int)$_REQUEST['min_log_level'] : 7;
+$min_log_level                  = isset($_POST['min_log_level']) ? (int)$_POST['min_log_level'] : 7;
 
 $action = 'default';
-if (isset($_REQUEST["apply"])) {
+if (isset($_POST["apply"])) {
     $action = 'apply';
 }
 

diff --git a/system_database.php b/system_database.php
@@ -40,25 +40,25 @@
  *
  *********************************************************************************/
 
-$db_type                    = isset($_REQUEST['db_type'])        ? (string)$_REQUEST['db_type']              : 'mysql';
-$db_charset                 = isset($_REQUEST['db_charset'])     ? (string)$_REQUEST['db_charset']           : 'utf8';
-$db_host                    = isset($_REQUEST['db_host'])        ? (string)$_REQUEST['db_host']              : 'localhost';
-$db_name                    = isset($_REQUEST['db_name'])        ? (string)$_REQUEST['db_name']              : '';
-$db_user                    = isset($_REQUEST['db_user'])        ? (string)$_REQUEST['db_user']              : '';
-$db_password                = isset($_REQUEST['db_password'])    ? trim((string)$_REQUEST['db_password'])    : '';
-$automatic_updates_enabled  = isset($_REQUEST['automatic_updates_enabled']);
+$db_type                    = isset($_POST['db_type'])        ? (string)$_POST['db_type']              : 'mysql';
+$db_charset                 = isset($_POST['db_charset'])     ? (string)$_POST['db_charset']           : 'utf8';
+$db_host                    = isset($_POST['db_host'])        ? (string)$_POST['db_host']              : 'localhost';
+$db_name                    = isset($_POST['db_name'])        ? (string)$_POST['db_name']              : '';
+$db_user                    = isset($_POST['db_user'])        ? (string)$_POST['db_user']              : '';
+$db_password                = isset($_POST['db_password'])    ? trim((string)$_POST['db_password'])    : '';
+$automatic_updates_enabled  = isset($_POST['automatic_updates_enabled']);
 
 $action = 'default';
-if (isset($_REQUEST["apply_connection_settings"])) {
+if (isset($_POST["apply_connection_settings"])) {
     $action = 'apply_connection_settings';
 }
-if (isset($_REQUEST["apply_auto_updates"])) {
+if (isset($_POST["apply_auto_updates"])) {
     $action = 'apply_auto_updates';
 }
-if (isset($_REQUEST["make_update"])) {
+if (isset($_POST["make_update"])) {
     $action = 'make_update';
 }
-if (isset($_REQUEST["make_new_update"])) {
+if (isset($_POST["make_new_update"])) {
     $action = 'make_new_update';
 }
 

diff --git a/user_settings.php b/user_settings.php
@@ -42,24 +42,24 @@
 $pw_2               = isset($_POST['pw_2'])              ? $_POST['pw_2']                   : "";
 
 $new_username       = isset($_POST['username'])          ? $_POST['username']                 : "";
-$new_firstname      = isset($_REQUEST['firstname'])         ? $_REQUEST['firstname']                : "";
-$new_lastname       = isset($_REQUEST['lastname'])          ? $_REQUEST['lastname']                 : "";
-$new_email          = isset($_REQUEST['email'])             ? $_REQUEST['email']                    : "";
-$new_department     = isset($_REQUEST['department'])        ? $_REQUEST['department']               : "";
+$new_firstname      = isset($_POST['firstname'])         ? $_POST['firstname']                : "";
+$new_lastname       = isset($_POST['lastname'])          ? $_POST['lastname']                 : "";
+$new_email          = isset($_POST['email'])             ? $_POST['email']                    : "";
+$new_department     = isset($_POST['department'])        ? $_POST['department']               : "";
 
-$new_theme          = isset($_REQUEST['custom_css'])        ? $_REQUEST['custom_css']               : "";
-$new_timezone       = isset($_REQUEST['timezone'])          ? $_REQUEST['timezone']                 : "";
-$new_language       = isset($_REQUEST['language'])          ? $_REQUEST['language']                 : "";
+$new_theme          = isset($_POST['custom_css'])        ? $_POST['custom_css']               : "";
+$new_timezone       = isset($_POST['timezone'])          ? $_POST['timezone']                 : "";
+$new_language       = isset($_POST['language'])          ? $_POST['language']                 : "";
 
 $new_comment_withdrawal = isset($_POST['default_comment_withdrawal']) ? $_POST['default_comment_withdrawal'] : null;
 $new_comment_addition = isset($_POST['default_comment_addition']) ? $_POST['default_comment_addition'] : null;
 
 $action = 'default';
-if (isset($_REQUEST["change_pw"])) {
+if (isset($_POST["change_pw"])) {
     $action = 'change_pw';
 }
 
-if (isset($_REQUEST['apply_settings'])) {
+if (isset($_POST['apply_settings'])) {
     $action = 'apply';
 }