
MDL-20916 protect the whole xmldb editor with sesskey.

1 parent bddfa51 commit e22827061141af149885aea04c9e61879501e142 @stronk7 stronk7 committed Nov 20, 2009
Showing with 97 additions and 43 deletions.
  1. +10 −2 admin/xmldb/actions/XMLDBAction.class.php
  2. +1 −1 admin/xmldb/actions/check_bigints/check_bigints.class.php
  3. +1 −1 admin/xmldb/actions/check_indexes/check_indexes.class.php
  4. +1 −1 admin/xmldb/actions/delete_field/delete_field.class.php
  5. +1 −1 admin/xmldb/actions/delete_index/delete_index.class.php
  6. +1 −1 admin/xmldb/actions/delete_key/delete_key.class.php
  7. +1 −1 admin/xmldb/actions/delete_sentence/delete_sentence.class.php
  8. +1 −1 admin/xmldb/actions/delete_statement/delete_statement.class.php
  9. +1 −1 admin/xmldb/actions/delete_table/delete_table.class.php
  10. +1 −1 admin/xmldb/actions/delete_xml_file/delete_xml_file.class.php
  11. +2 −0 admin/xmldb/actions/edit_field/edit_field.class.php
  12. +2 −0 admin/xmldb/actions/edit_index/edit_index.class.php
  13. +2 −0 admin/xmldb/actions/edit_key/edit_key.class.php
  14. +2 −0 admin/xmldb/actions/edit_sentence/edit_sentence.class.php
  15. +5 −3 admin/xmldb/actions/edit_statement/edit_statement.class.php
  16. +14 −12 admin/xmldb/actions/edit_table/edit_table.class.php
  17. +11 −9 admin/xmldb/actions/edit_xml_file/edit_xml_file.class.php
  18. +1 −0 admin/xmldb/actions/get_db_directories/get_db_directories.class.php
  19. +1 −0 admin/xmldb/actions/load_xml_file/load_xml_file.class.php
  20. +8 −7 admin/xmldb/actions/main_view/main_view.class.php
  21. +1 −0 admin/xmldb/actions/new_statement/new_statement.class.php
  22. +1 −0 admin/xmldb/actions/new_table_from_mysql/new_table_from_mysql.class.php
  23. +1 −1 admin/xmldb/actions/revert_changes/revert_changes.class.php
  24. +14 −0 admin/xmldb/actions/test/test.class.php
  25. +1 −0 admin/xmldb/actions/unload_xml_file/unload_xml_file.class.php
  26. +1 −0 admin/xmldb/actions/view_field_xml/view_field_xml.class.php
  27. +1 −0 admin/xmldb/actions/view_index_xml/view_index_xml.class.php
  28. +1 −0 admin/xmldb/actions/view_key_xml/view_key_xml.class.php
  29. +1 −0 admin/xmldb/actions/view_reserved_words/view_reserved_words.class.php
  30. +1 −0 admin/xmldb/actions/view_statement_xml/view_statement_xml.class.php
  31. +1 −0 admin/xmldb/actions/view_structure_php/view_structure_php.class.php
  32. +1 −0 admin/xmldb/actions/view_structure_sql/view_structure_sql.class.php
  33. +1 −0 admin/xmldb/actions/view_structure_xml/view_structure_xml.class.php
  34. +1 −0 admin/xmldb/actions/view_table_php/view_table_php.class.php
  35. +1 −0 admin/xmldb/actions/view_table_sql/view_table_sql.class.php
  36. +1 −0 admin/xmldb/actions/view_table_xml/view_table_xml.class.php
  37. +1 −0 admin/xmldb/actions/view_xml/view_xml.class.php
@@ -47,6 +47,8 @@ class XMLDBAction {
var $postaction; //Action to execute at the end of the invoke script
+ var $sesskey_protected; // Actions must be protected by sesskey mechanishm
+
/**
* Constructor
*/
@@ -72,6 +74,7 @@ function init() {
$this->output = NULL;
$this->errormsg = NULL;
$this->subaction = NULL;
+ $this->sesskey_protected = true;
}
/**
@@ -130,13 +133,18 @@ function loadStrings($strings) {
}
/**
- * main invoke method, it simply sets the postaction attribute
- * if possible
+ * main invoke method, it sets the postaction attribute
+ * if possible and checks sesskey_protected if needed
*/
function invoke() {
global $SESSION;
+ /// Sesskey protection
+ if ($this->sesskey_protected) {
+ require_sesskey();
+ }
+
/// If we are used any dir, save it in the lastused session object
/// Some actions can use it to perform positioning
if ($lastused = optional_param ('dir', NULL, PARAM_PATH)) {
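Review bot: The `require_sesskey()` call added to the base `invoke()` only guards actions whose own `invoke()` reaches `parent::invoke()` before doing work; every subclass hunk below overrides `invoke()` and the parent call is outside the lines shown, so an override that returns early or omits the call would appear protected (`sesskey_protected` still `true`) while performing no check. A comment on the new property would make that contract explicit, e.g. `// Enforced in XMLDBAction::invoke(); subclasses must call parent::invoke() before any side effect`. The property comment also misspells "mechanism" as `mechanishm`. `invoke()` continues past the end of this hunk.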
@@ -111,7 +111,7 @@ function invoke() {
}
$o.= ' <table class="boxaligncenter" cellpadding="20"><tr><td>';
$o.= ' <div class="singlebutton">';
- $o.= ' <form action="index.php?action=check_bigints&amp;confirmed=yes" method="post"><fieldset class="invisiblefieldset">';
+ $o.= ' <form action="index.php?action=check_bigints&amp;sesskey=' . sesskey() . '&amp;confirmed=yes" method="post"><fieldset class="invisiblefieldset">';
$o.= ' <input type="submit" value="'. $this->str['yes'] .'" /></fieldset></form></div>';
$o.= ' </td><td>';
$o.= ' <div class="singlebutton">';
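Review bot: The new sesskey is appended to the query string of a form that is submitted with `method="post"`, so the token is written to web-server and proxy access logs, browser history and outgoing Referer headers even though a request body is available; the same pattern is repeated in the check_indexes, delete_field, delete_index, delete_key, delete_sentence, delete_statement, delete_table and delete_xml_file hunks below. The edit_* hunks in this same commit already carry the token in the body as `<input type="hidden" name ="sesskey" value="' . sesskey() .'" />` inside the fieldset, which the protected `*_save` actions evidently accept; using that form here keeps the token out of URLs and the commit consistent. The enclosing `invoke()` starts and ends outside this hunk.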
@@ -94,7 +94,7 @@ function invoke() {
$o.= ' <p class="centerpara">' . $this->str['confirmcheckindexes'] . '</p>';
$o.= ' <table class="boxaligncenter" cellpadding="20"><tr><td>';
$o.= ' <div class="singlebutton">';
- $o.= ' <form action="index.php?action=check_indexes&amp;confirmed=yes" method="post"><fieldset class="invisiblefieldset">';
+ $o.= ' <form action="index.php?action=check_indexes&amp;sesskey=' . sesskey() . '&amp;confirmed=yes" method="post"><fieldset class="invisiblefieldset">';
$o.= ' <input type="submit" value="'. $this->str['yes'] .'" /></fieldset></form></div>';
$o.= ' </td><td>';
$o.= ' <div class="singlebutton">';
@@ -77,7 +77,7 @@ function invoke() {
$o.= ' <p class="centerpara">' . $this->str['confirmdeletefield'] . '<br /><br />' . $fieldparam . '</p>';
$o.= ' <table class="boxaligncenter" cellpadding="20"><tr><td>';
$o.= ' <div class="singlebutton">';
- $o.= ' <form action="index.php?action=delete_field&amp;confirmed=yes&amp;postaction=edit_table&amp;field=' . $fieldparam . '&amp;table=' . $tableparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post"><fieldset class="invisiblefieldset">';
+ $o.= ' <form action="index.php?action=delete_field&amp;sesskey=' . sesskey() . '&amp;confirmed=yes&amp;postaction=edit_table&amp;field=' . $fieldparam . '&amp;table=' . $tableparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post"><fieldset class="invisiblefieldset">';
$o.= ' <input type="submit" value="'. $this->str['yes'] .'" /></fieldset></form></div>';
$o.= ' </td><td>';
$o.= ' <div class="singlebutton">';
@@ -77,7 +77,7 @@ function invoke() {
$o.= ' <p class="centerpara">' . $this->str['confirmdeleteindex'] . '<br /><br />' . $indexparam . '</p>';
$o.= ' <table class="boxaligncenter" cellpadding="20"><tr><td>';
$o.= ' <div class="singlebutton">';
- $o.= ' <form action="index.php?action=delete_index&amp;confirmed=yes&amp;postaction=edit_table&amp;index=' . $indexparam . '&amp;table=' . $tableparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post"><fieldset class="invisiblefieldset">';
+ $o.= ' <form action="index.php?action=delete_index&amp;sesskey=' . sesskey() . '&amp;confirmed=yes&amp;postaction=edit_table&amp;index=' . $indexparam . '&amp;table=' . $tableparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post"><fieldset class="invisiblefieldset">';
$o.= ' <input type="submit" value="'. $this->str['yes'] .'" /></fieldset></form></div>';
$o.= ' </td><td>';
$o.= ' <div class="singlebutton">';
@@ -77,7 +77,7 @@ function invoke() {
$o.= ' <p class="centerpara">' . $this->str['confirmdeletekey'] . '<br /><br />' . $keyparam . '</p>';
$o.= ' <table class="boxaligncenter" cellpadding="20"><tr><td>';
$o.= ' <div class="singlebutton">';
- $o.= ' <form action="index.php?action=delete_key&amp;confirmed=yes&amp;postaction=edit_table&amp;key=' . $keyparam . '&amp;table=' . $tableparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post"><fieldset class="invisiblefieldset">';
+ $o.= ' <form action="index.php?action=delete_key&amp;sesskey=' . sesskey() . '&amp;confirmed=yes&amp;postaction=edit_table&amp;key=' . $keyparam . '&amp;table=' . $tableparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post"><fieldset class="invisiblefieldset">';
$o.= ' <input type="submit" value="'. $this->str['yes'] .'" /></fieldset></form></div>';
$o.= ' </td><td>';
$o.= ' <div class="singlebutton">';
@@ -77,7 +77,7 @@ function invoke() {
$o.= ' <p class="centerpara">' . $this->str['confirmdeletesentence'] . '</p>';
$o.= ' <table class="boxaligncenter" cellpadding="20"><tr><td>';
$o.= ' <div class="singlebutton">';
- $o.= ' <form action="index.php?action=delete_sentence&amp;confirmed=yes&amp;postaction=edit_statement&amp;sentence=' . $sentenceparam . '&amp;statement=' . urlencode($statementparam) . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post"><fieldset class="invisiblefieldset">';
+ $o.= ' <form action="index.php?action=delete_sentence&amp;sesskey=' . sesskey() . '&amp;confirmed=yes&amp;postaction=edit_statement&amp;sentence=' . $sentenceparam . '&amp;statement=' . urlencode($statementparam) . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post"><fieldset class="invisiblefieldset">';
$o.= ' <input type="submit" value="'. $this->str['yes'] .'" /></fieldset></form></div>';
$o.= ' </td><td>';
$o.= ' <div class="singlebutton">';
@@ -76,7 +76,7 @@ function invoke() {
$o.= ' <p class="centerpara">' . $this->str['confirmdeletestatement'] . '<br /><br />' . $statementparam . '</p>';
$o.= ' <table class="boxaligncenter" cellpadding="20"><tr><td>';
$o.= ' <div class="singlebutton">';
- $o.= ' <form action="index.php?action=delete_statement&amp;confirmed=yes&amp;postaction=edit_xml_file&amp;statement=' . $statementparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post"><fieldset class="invisiblefieldset">';
+ $o.= ' <form action="index.php?action=delete_statement&amp;sesskey=' . sesskey() . '&amp;confirmed=yes&amp;postaction=edit_xml_file&amp;statement=' . $statementparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post"><fieldset class="invisiblefieldset">';
$o.= ' <input type="submit" value="'. $this->str['yes'] .'" /></fieldset></form></div>';
$o.= ' </td><td>';
$o.= ' <div class="singlebutton">';
@@ -76,7 +76,7 @@ function invoke() {
$o.= ' <p class="centerpara">' . $this->str['confirmdeletetable'] . '<br /><br />' . $tableparam . '</p>';
$o.= ' <table class="boxaligncenter" cellpadding="20"><tr><td>';
$o.= ' <div class="singlebutton">';
- $o.= ' <form action="index.php?action=delete_table&amp;confirmed=yes&amp;postaction=edit_xml_file&amp;table=' . $tableparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post"><fieldset class="invisiblefieldset">';
+ $o.= ' <form action="index.php?action=delete_table&amp;sesskey=' . sesskey() . '&amp;confirmed=yes&amp;postaction=edit_xml_file&amp;table=' . $tableparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post"><fieldset class="invisiblefieldset">';
$o.= ' <input type="submit" value="'. $this->str['yes'] .'" /></fieldset></form></div>';
$o.= ' </td><td>';
$o.= ' <div class="singlebutton">';
@@ -75,7 +75,7 @@ function invoke() {
$o.= ' <p class="centerpara">' . $this->str['confirmdeletexmlfile'] . '<br /><br />' . $dirpath . '/install.php</p>';
$o.= ' <table class="boxaligncenter" cellpadding="20"><tr><td>';
$o.= ' <div class="singlebutton">';
- $o.= ' <form action="index.php?action=delete_xml_file&amp;confirmed=yes&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '&amp;postaction=main_view#lastused" method="post"><fieldset class="invisiblefieldset">';
+ $o.= ' <form action="index.php?action=delete_xml_file&amp;sesskey=' . sesskey() . '&amp;confirmed=yes&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '&amp;postaction=main_view#lastused" method="post"><fieldset class="invisiblefieldset">';
$o.= ' <input type="submit" value="'. $this->str['yes'] .'" /></fieldset></form></div>';
$o.= ' </td><td>';
$o.= ' <div class="singlebutton">';
@@ -35,6 +35,7 @@ function init() {
parent::init();
/// Set own custom attributes
+ $this->sesskey_protected = false; // This action doesn't need sesskey protection
/// Get needed strings
$this->loadStrings(array(
@@ -103,6 +104,7 @@ function invoke() {
$o.= ' <input type="hidden" name ="dir" value="' . str_replace($CFG->dirroot, '', $dirpath) . '" />';
$o.= ' <input type="hidden" name ="table" value="' . $tableparam .'" />';
$o.= ' <input type="hidden" name ="field" value="' . $fieldparam .'" />';
+ $o.= ' <input type="hidden" name ="sesskey" value="' . sesskey() .'" />';
$o.= ' <input type="hidden" name ="action" value="edit_field_save" />';
$o.= ' <input type="hidden" name ="postaction" value="edit_table" />';
$o.= ' <table id="formelements" class="boxaligncenter">';
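Review bot: The new `$this->sesskey_protected = false;` in `init()` is explained only by `// This action doesn't need sesskey protection`, which records the decision but not why it is safe; the same line appears in the edit_index, edit_key, edit_sentence and edit_statement hunks. The reason visible in this hunk is that the action only renders the form and hands the state change to `edit_field_save` through the hidden `action` input, so a comment such as `// Display-only form; the POST targets edit_field_save, which keeps the default protection` captures the invariant a later change must preserve. None of the `*_save` actions appear in the diffstat, so presumably they rely on the `true` default from XMLDBAction::init() — worth confirming their `invoke()` reaches `parent::invoke()`. Both `init()` and `invoke()` extend beyond the hunk.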
@@ -35,6 +35,7 @@ function init() {
parent::init();
/// Set own custom attributes
+ $this->sesskey_protected = false; // This action doesn't need sesskey protection
/// Get needed strings
$this->loadStrings(array(
@@ -103,6 +104,7 @@ function invoke() {
$o.= ' <input type="hidden" name ="dir" value="' . str_replace($CFG->dirroot, '', $dirpath) . '" />';
$o.= ' <input type="hidden" name ="table" value="' . $tableparam .'" />';
$o.= ' <input type="hidden" name ="index" value="' . $indexparam .'" />';
+ $o.= ' <input type="hidden" name ="sesskey" value="' . sesskey() .'" />';
$o.= ' <input type="hidden" name ="action" value="edit_index_save" />';
$o.= ' <input type="hidden" name ="postaction" value="edit_table" />';
$o.= ' <table id="formelements" class="boxaligncenter">';
@@ -35,6 +35,7 @@ function init() {
parent::init();
/// Set own custom attributes
+ $this->sesskey_protected = false; // This action doesn't need sesskey protection
/// Get needed strings
$this->loadStrings(array(
@@ -103,6 +104,7 @@ function invoke() {
$o.= ' <input type="hidden" name ="dir" value="' . str_replace($CFG->dirroot, '', $dirpath) . '" />';
$o.= ' <input type="hidden" name ="table" value="' . $tableparam .'" />';
$o.= ' <input type="hidden" name ="key" value="' . $keyparam .'" />';
+ $o.= ' <input type="hidden" name ="sesskey" value="' . sesskey() .'" />';
$o.= ' <input type="hidden" name ="action" value="edit_key_save" />';
$o.= ' <input type="hidden" name ="postaction" value="edit_table" />';
$o.= ' <table id="formelements" class="boxaligncenter">';
@@ -35,6 +35,7 @@ function init() {
parent::init();
/// Set own custom attributes
+ $this->sesskey_protected = false; // This action doesn't need sesskey protection
/// Get needed strings
$this->loadStrings(array(
@@ -119,6 +120,7 @@ function invoke() {
$o.= ' <input type="hidden" name ="dir" value="' . str_replace($CFG->dirroot, '', $dirpath) . '" />';
$o.= ' <input type="hidden" name ="statement" value="' . $statementparam .'" />';
$o.= ' <input type="hidden" name ="sentence" value="' . $sentenceparam .'" />';
+ $o.= ' <input type="hidden" name ="sesskey" value="' . sesskey() .'" />';
$o.= ' <input type="hidden" name ="action" value="edit_sentence_save" />';
$o.= ' <input type="hidden" name ="postaction" value="edit_statement" />';
$o.= ' <table id="formelements" class="boxaligncenter">';
@@ -35,6 +35,7 @@ function init() {
parent::init();
/// Set own custom attributes
+ $this->sesskey_protected = false; // This action doesn't need sesskey protection
/// Get needed strings
$this->loadStrings(array(
@@ -106,6 +107,7 @@ function invoke() {
$o.= '<div>';
$o.= ' <input type="hidden" name ="dir" value="' . str_replace($CFG->dirroot, '', $dirpath) . '" />';
$o.= ' <input type="hidden" name ="statement" value="' . $statementparam .'" />';
+ $o.= ' <input type="hidden" name ="sesskey" value="' . sesskey() .'" />';
$o.= ' <input type="hidden" name ="action" value="edit_statement_save" />';
$o.= ' <input type="hidden" name ="postaction" value="edit_statement" />';
$o.= ' <table id="formelements" class="boxaligncenter">';
@@ -129,7 +131,7 @@ function invoke() {
$b .= '&nbsp;[' . $this->str['viewedited'] . ']';
}
/// The new sentence button
- $b .= '&nbsp;<a href="index.php?action=new_sentence&amp;postaction=edit_sentence&amp;statement=' . $statementparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '">[' . $this->str['newsentence'] . ']</a>';
+ $b .= '&nbsp;<a href="index.php?action=new_sentence&amp;postaction=edit_sentence&amp;sesskey=' . sesskey() . '&amp;statement=' . $statementparam . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '">[' . $this->str['newsentence'] . ']</a>';
/// The back to edit xml file button
$b .= '&nbsp;<a href="index.php?action=edit_xml_file&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '">[' . $this->str['back'] . ']</a>';
$b .= '</p>';
@@ -157,10 +159,10 @@ function invoke() {
$b .= '<a href="index.php?action=edit_sentence&amp;sentence=' .$key . '&amp;statement=' . urlencode($statement->getName()) . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '">[' . $this->str['edit'] . ']</a>';
$b .= '</td><td class="button cell">';
/// The duplicate button
- $b .= '<a href="index.php?action=new_sentence&amp;postaction=edit_sentence&amp;basesentence=' . $key . '&amp;statement=' . urlencode($statement->getName()) . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '">[' . $this->str['duplicate'] . ']</a>';
+ $b .= '<a href="index.php?action=new_sentence&amp;postaction=edit_sentence&amp;sesskey=' . sesskey() . '&amp;basesentence=' . $key . '&amp;statement=' . urlencode($statement->getName()) . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '">[' . $this->str['duplicate'] . ']</a>';
$b .= '</td><td class="button cell">';
/// The delete button
- $b .= '<a href="index.php?action=delete_sentence&amp;sentence=' . $key . '&amp;statement=' . urlencode($statement->getName()) . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '">[' . $this->str['delete'] . ']</a>';
+ $b .= '<a href="index.php?action=delete_sentence&amp;sesskey=' . sesskey() . '&amp;sentence=' . $key . '&amp;statement=' . urlencode($statement->getName()) . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '">[' . $this->str['delete'] . ']</a>';
$b .= '</td>';
/// Print table row
$o .= '<tr class="r' . $row . '"><td class="table cell">' . $p . $sentence . $b . '</tr>';
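Review bot: The `edit_sentence` link on the first line of this hunk and the back-to-`edit_xml_file` link in the previous hunk are left without a sesskey while the `new_sentence` and `delete_sentence` links gain one, so these pages only work if both target actions opt out of the check in their `init()`; edit_sentence does so in this commit, but edit_xml_file's `init()` is not in view and that should be confirmed. A one-line comment above the edit link, `/// edit_sentence and edit_xml_file are display-only (sesskey_protected = false) and take no token`, would stop a later reader from treating the omission as an oversight. The enclosing `invoke()` continues on both sides of the hunk.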
