
fixes #1058 prevent CSRF on notification by mail, with a pwg_token

also added some checks to NBM parameters to avoid XSS (minor issue)
plegall committed Aug 12, 2019
1 parent fdcb6f5 commit 776f8fa186ac11f5094b80f8cdada48639c7a059
Showing with 17 additions and 14 deletions.
  1. +15 −14 admin/notification_by_mail.php
  2. +2 −0 admin/themes/default/template/notification_by_mail.tpl
@@ -496,40 +496,40 @@ function do_action_send_mail_notification($action = 'list_to_send', $check_key_l
// +-----------------------------------------------------------------------+
// | Treatment of tab post |
// +-----------------------------------------------------------------------+
if (!empty($_POST))
{
check_pwg_token();
}
switch ($page['mode'])
{
case 'param' :
{
if (isset($_POST['param_submit']))
{
$_POST['nbm_send_mail_as'] = strip_tags($_POST['nbm_send_mail_as']);
check_input_parameter('nbm_send_html_mail', $_POST, false, '/^(true|false)$/');
check_input_parameter('nbm_send_detailed_content', $_POST, false, '/^(true|false)$/');
check_input_parameter('nbm_send_recent_post_dates', $_POST, false, '/^(true|false)$/');
$updated_param_count = 0;
// Update param
$result = pwg_query('select param, value from '.CONFIG_TABLE.' where param like \'nbm\\_%\'');
while ($nbm_user = pwg_db_fetch_assoc($result))
{
if (isset($_POST[$nbm_user['param']]))
{
$value = $_POST[$nbm_user['param']];
$query = '
update
'.CONFIG_TABLE.'
set
value = \''. str_replace("\'", "''", $value).'\'
where
param = \''.$nbm_user['param'].'\';';
pwg_query($query);
$updated_param_count += 1;
conf_update_param($nbm_user['param'], $_POST[$nbm_user['param']], true);
$updated_param_count++;
}
}
$page['infos'][] = l10n_dec(
'%d parameter was updated.', '%d parameters were updated.',
$updated_param_count
);
// Reload conf with new values
load_conf_from_db('param like \'nbm\\_%\'');
}
}
case 'subscribe' :
@@ -574,6 +574,7 @@ function do_action_send_mail_notification($action = 'list_to_send', $check_key_l
(
array
(
'PWG_TOKEN' => get_pwg_token(),
'U_HELP' => get_root_url().'admin/popuphelp.php?page=notification_by_mail',
'F_ACTION'=> $base_url.get_query_string_diff(array())
)
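Review bot: In the first hunk, `$_POST['nbm_send_mail_as'] = strip_tags($_POST['nbm_send_mail_as']);` runs even when that field was not posted, which creates the key with an empty string, so the later `isset($_POST[$nbm_user['param']])` loop then overwrites the stored value with ''; guard it with `if (isset($_POST['nbm_send_mail_as'])) { $_POST['nbm_send_mail_as'] = strip_tags($_POST['nbm_send_mail_as']); }`. strip_tags only removes markup, so the value still has to be escaped wherever it is rendered or placed in a mail header, which this diff does not show. Any other `nbm_%` row in CONFIG_TABLE that is not one of the three fields checked with `check_input_parameter` is still written from `$_POST` without validation, so it is worth confirming that set is closed. The `/^(true|false)$/` patterns accept a trailing newline because `$` matches before a final `\n` in PCRE; `/^(true|false)\z/` (or the `D` modifier) is strict. The `switch ($page['mode'])` opened in this hunk continues beyond it.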
@@ -21,6 +21,8 @@ jQuery(document).ready(function(){
</div>

<form method="post" name="notification_by_mail" id="notification_by_mail" action="{$F_ACTION}">
<input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">

{if isset($REPOST_SUBMIT_NAME)}
<fieldset>
<div class="infos">
