Various CSRF fixes (#4176)

* Fix CSRF in mobile theme * Fix CSRF in attribute types * Add CSRF protection to conversation points page * Add CSRF to legacy permission file tool * Add CSRF token to job uninstall * Add CSRF tokens to jobs scheduling * Add CSRF to system seo bulk page * Add CSRF tokens to accessibility page * Add CSRF to job reset Former-commit-id: 8a9e493 Former-commit-id: 117da7fba1d47d1463aba2978427371ee192b543
concretecms · Aug 12, 2016 · 8dc5354 · 8dc5354
1 parent 80a8ea5
commit 8dc5354
Show file tree

Hide file tree

Showing 13 changed files with 269 additions and 193 deletions.
diff --git a/web/concrete/controllers/single_page/dashboard/pages/themes.php b/web/concrete/controllers/single_page/dashboard/pages/themes.php
@@ -33,13 +33,18 @@ public function view() {
 	}
 
 	public function save_mobile_theme() {
-		$pt = PageTheme::getByID($this->post('MOBILE_THEME_ID'));
-		if (is_object($pt)) {
-			Config::save('concrete.misc.mobile_theme_id', $pt->getThemeID());
+		if ($this->token->validate('save_mobile_theme')) {
+			$pt = PageTheme::getByID($this->post('MOBILE_THEME_ID'));
+			if (is_object($pt)) {
+				Config::save('concrete.misc.mobile_theme_id', $pt->getThemeID());
+			} else {
+				Config::save('concrete.misc.mobile_theme_id', 0);
+			}
+			$this->redirect('/dashboard/pages/themes', 'mobile_theme_saved');
 		} else {
-			Config::save('concrete.misc.mobile_theme_id', 0);
+			$this->error->add(t('Invalid CSRF token. Please refresh and try again.'));
+			$this->view();
 		}
-		$this->redirect('/dashboard/pages/themes', 'mobile_theme_saved');
 	}
 
 	public function mobile_theme_saved() {

diff --git a/web/concrete/controllers/single_page/dashboard/system/attributes/types.php b/web/concrete/controllers/single_page/dashboard/system/attributes/types.php
@@ -9,7 +9,7 @@
 use Loader;
 
 class Types extends DashboardPageController {
-	
+
 	public function add_attribute_type() {
 		$pat = PendingType::getByHandle($this->post('atHandle'));
 		if (is_object($pat)) {
@@ -19,18 +19,22 @@ public function add_attribute_type() {
 	}
 
 	public function save_attribute_type_associations() {
-		$list = Category::getList();
-		foreach($list as $cat) {
-			$cat->clearAttributeKeyCategoryTypes();
-			if (is_array($this->post($cat->getAttributeKeyCategoryHandle()))) {
-				foreach($this->post($cat->getAttributeKeyCategoryHandle()) as $id) {
-					$type = Type::getByID($id);
-					$cat->associateAttributeKeyType($type);
-				}
-			}
-		}
+        if ($this->token->validate('save_attribute_type_associations')) {
+            $list = Category::getList();
+            foreach ($list as $cat) {
+                $cat->clearAttributeKeyCategoryTypes();
+                if (is_array($this->post($cat->getAttributeKeyCategoryHandle()))) {
+                    foreach ($this->post($cat->getAttributeKeyCategoryHandle()) as $id) {
+                        $type = Type::getByID($id);
+                        $cat->associateAttributeKeyType($type);
+                    }
+                }
+            }
 
-		$this->redirect('dashboard/system/attributes/types', 'saved', 'associations_updated');
+            $this->redirect('dashboard/system/attributes/types', 'saved', 'associations_updated');
+        } else {
+            $this->error->add(t('Invalid CSRF token. Please refresh and try again.'));
+        }
 	}
 
 	public function saved($mode = false) {
@@ -46,5 +50,5 @@ public function saved($mode = false) {
 			}
 		}
 	}
-	
-}
+
+}
diff --git a/web/concrete/controllers/single_page/dashboard/system/basics/accessibility.php b/web/concrete/controllers/single_page/dashboard/system/basics/accessibility.php
@@ -23,6 +23,10 @@ public function saved()
 
     public function save()
     {
+        if (!$this->token->validate('accessibility')) {
+            $this->error->add(t('Invalid CSRF token. Please refresh and try again.'));
+            return $this->view();
+        }
         Config::save('concrete.accessibility.toolbar_titles', !!Request::post('show_titles', false));
         Config::save('concrete.accessibility.toolbar_large_font', !!Request::post('increase_font_size', false));
         Config::save('concrete.accessibility.display_help_system', !!Request::post('display_help', false));

diff --git a/web/concrete/controllers/single_page/dashboard/system/conversations/points.php b/web/concrete/controllers/single_page/dashboard/system/conversations/points.php
@@ -16,14 +16,22 @@ public function success() {
         $this->set('message', t('Rating types updated.'));
     }
     public function save() {
-        $db = Loader::db();
-        foreach (ConversationRatingType::getList() as $crt) {
-            $rtID = $crt->getConversationRatingTypeID();
-            $rtPoints = $this->post('rtPoints_' . $rtID);
-            if (is_string($rtPoints) && is_numeric($rtPoints)) {
-                $db->Execute('UPDATE ConversationRatingTypes SET cnvRatingTypeCommunityPoints = ? WHERE cnvRatingTypeID = ? LIMIT 1', array($rtPoints, $rtID));
+
+        if ($this->token->validate('conversation_points')) {
+
+            $db = Loader::db();
+            foreach (ConversationRatingType::getList() as $crt) {
+                $rtID = $crt->getConversationRatingTypeID();
+                $rtPoints = $this->post('rtPoints_' . $rtID);
+                if (is_string($rtPoints) && is_numeric($rtPoints)) {
+                    $db->Execute('UPDATE ConversationRatingTypes SET cnvRatingTypeCommunityPoints = ? WHERE cnvRatingTypeID = ? LIMIT 1',
+                        array($rtPoints, $rtID));
+                }
             }
+            $this->redirect('/dashboard/system/conversations/points', 'success');
+        } else {
+            $this->error->add(t('Invalid CSRF token. Please refresh and try again.'));
+            $this->view();
         }
-        $this->redirect('/dashboard/system/conversations/points', 'success');
     }
 }