UI update

outroll · Jun 2, 2015 · 527e4a9 · 527e4a9
1 parent 0f7110b
commit 527e4a9
Show file tree

Hide file tree

Showing 139 changed files with 2,046 additions and 124 deletions.
diff --git a/web/add/cron/index.php b/web/add/cron/index.php
@@ -10,6 +10,12 @@
 // Check POST request
 if (!empty($_POST['ok'])) {
 
+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('location: /login/');
+        exit();
+    }
+
     // Check empty fields
     if ((!isset($_POST['v_min'])) || ($_POST['v_min'] == '')) $errors[] = __('minute');
     if ((!isset($_POST['v_hour'])) || ($_POST['v_hour'] == '')) $errors[] = __('hour');

diff --git a/web/add/db/index.php b/web/add/db/index.php
@@ -9,6 +9,12 @@
 // Check POST request
 if (!empty($_POST['ok'])) {
 
+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('location: /login/');
+        exit();
+    }
+
     // Check empty fields
     if (empty($_POST['v_database'])) $errors[] = __('database');
     if (empty($_POST['v_dbuser'])) $errors[] = __('username');
@@ -91,7 +97,7 @@
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = __('DATABASE_CREATED_OK',$user."_".$_POST['v_database'],$user."_".$_POST['v_database']);
+        $_SESSION['ok_msg'] = __('DATABASE_CREATED_OK',htmlentities($user)."_".htmlentities($_POST['v_database']),htmlentities($user)."_".htmlentities($_POST['v_database']));
         $_SESSION['ok_msg'] .= " / <a href=".$db_admin_link." target='_blank'>" . __('open %s',$db_admin) . "</a>";
         unset($v_database);
         unset($v_dbuser);

diff --git a/web/add/dns/index.php b/web/add/dns/index.php
@@ -10,6 +10,12 @@
 // Check POST request for dns domain
 if (!empty($_POST['ok'])) {
 
+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('location: /login/');
+        exit();
+    }
+
     // Check empty fields
     if (empty($_POST['v_domain'])) $errors[] = __('domain');
     if (empty($_POST['v_ip'])) $errors[] = __('ip');
@@ -70,7 +76,7 @@
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = __('DNS_DOMAIN_CREATED_OK',$_POST[v_domain],$_POST[v_domain]);
+        $_SESSION['ok_msg'] = __('DNS_DOMAIN_CREATED_OK',htmlentities($_POST[v_domain]),htmlentities($_POST[v_domain]));
         unset($v_domain);
     }
 }
@@ -79,6 +85,12 @@
 // Check POST request for dns record
 if (!empty($_POST['ok_rec'])) {
 
+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('location: /login/');
+        exit();
+    }
+
     // Check empty fields
     if (empty($_POST['v_domain'])) $errors[] = 'domain';
     if (empty($_POST['v_rec'])) $errors[] = 'record';
@@ -112,7 +124,7 @@
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = __('DNS_RECORD_CREATED_OK',$_POST[v_rec],$_POST[v_domain]);
+        $_SESSION['ok_msg'] = __('DNS_RECORD_CREATED_OK',htmlentities($_POST[v_rec]),htmlentities($_POST[v_domain]));
         unset($v_domain);
         unset($v_rec);
         unset($v_val);

diff --git a/web/add/firewall/index.php b/web/add/firewall/index.php
@@ -17,6 +17,12 @@
 // Check POST request
 if (!empty($_POST['ok'])) {
 
+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('location: /login/');
+        exit();
+    }
+
     // Check empty fields
     if (empty($_POST['v_action'])) $errors[] = __('action');
     if (empty($_POST['v_protocol'])) $errors[] = __('protocol');

diff --git a/web/add/ip/index.php b/web/add/ip/index.php
@@ -16,6 +16,12 @@
 // Check POST request
 if (!empty($_POST['ok'])) {
 
+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('location: /login/');
+        exit();
+    }
+
     // Check empty fields
     if (empty($_POST['v_ip'])) $errors[] = __('ip address');
     if (empty($_POST['v_netmask'])) $errors[] = __('netmask');
@@ -61,7 +67,7 @@
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = __('IP_CREATED_OK',$_POST['v_ip'],$_POST['v_ip']);
+        $_SESSION['ok_msg'] = __('IP_CREATED_OK',htmlentities($_POST['v_ip']),htmlentities($_POST['v_ip']));
         unset($v_ip);
         unset($v_netmask);
         unset($v_name);

diff --git a/web/add/mail/index.php b/web/add/mail/index.php
@@ -11,6 +11,12 @@
 // Check POST request for mail domain
 if (!empty($_POST['ok'])) {
 
+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('location: /login/');
+        exit();
+    }
+
     // Check empty fields
     if (empty($_POST['v_domain'])) $errors[] = __('domain');
     if (!empty($errors[0])) {
@@ -59,7 +65,7 @@
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = __('MAIL_DOMAIN_CREATED_OK',$_POST['v_domain'],$_POST['v_domain']);
+        $_SESSION['ok_msg'] = __('MAIL_DOMAIN_CREATED_OK',htmlentities($_POST['v_domain']),htmlentities($_POST['v_domain']));
         unset($v_domain);
     }
 }
@@ -68,6 +74,12 @@
 // Check POST request for mail account
 if (!empty($_POST['ok_acc'])) {
 
+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('location: /login/');
+        exit();
+    }
+
     // Check empty fields
     if (empty($_POST['v_domain'])) $errors[] = __('domain');
     if (empty($_POST['v_account'])) $errors[] = __('account');
@@ -156,7 +168,7 @@
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = __('MAIL_ACCOUNT_CREATED_OK',strtolower($_POST['v_account']),$_POST[v_domain],strtolower($_POST['v_account']),$_POST[v_domain]);
+        $_SESSION['ok_msg'] = __('MAIL_ACCOUNT_CREATED_OK',htmlentities(strtolower($_POST['v_account'])),htmlentities($_POST[v_domain]),htmlentities(strtolower($_POST['v_account'])),htmlentities($_POST[v_domain]));
         $_SESSION['ok_msg'] .= " / <a href=".$webmail." target='_blank'>" . __('open webmail') . "</a>";
         unset($v_account);
         unset($v_password);

diff --git a/web/add/package/index.php b/web/add/package/index.php
@@ -16,10 +16,16 @@
 // Check POST request
 if (!empty($_POST['ok'])) {
 
+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('location: /login/');
+        exit();
+    }
+
     // Check empty fields
     if (empty($_POST['v_package'])) $errors[] = __('package');
     if (empty($_POST['v_web_template'])) $errors[] = __('web template');
-    if (!empty($_SESSION['WEB_SYSTEM'])) {
+    if (!empty($_SESSION['WEB_BACKEND'])) {
         if (empty($_POST['v_backend_template'])) $errors[] = __('backend template');
     }
     if (!empty($_SESSION['PROXY_SYSTEM'])) {
@@ -132,7 +138,7 @@
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = __('PACKAGE_CREATED_OK',$_POST['v_package'],$_POST['v_package']);
+        $_SESSION['ok_msg'] = __('PACKAGE_CREATED_OK',htmlentities($_POST['v_package']),htmlentities($_POST['v_package']));
         unset($v_package);
     }
 

diff --git a/web/add/user/index.php b/web/add/user/index.php
@@ -16,6 +16,12 @@
 // Check POST request
 if (!empty($_POST['ok'])) {
 
+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('location: /login/');
+        exit();
+    }
+
     // Check empty fields
     if (empty($_POST['v_username'])) $errors[] = __('user');
     if (empty($_POST['v_password'])) $errors[] = __('password');
@@ -93,8 +99,8 @@
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = __('USER_CREATED_OK',$_POST['v_username'],$_POST['v_username']);
-        $_SESSION['ok_msg'] .= " / <a href=/login/?loginas=".$_POST['v_username'].">" . __('login as') ." ".$_POST['v_username']. "</a>";
+        $_SESSION['ok_msg'] = __('USER_CREATED_OK',htmlentities($_POST['v_username']),htmlentities($_POST['v_username']));
+        $_SESSION['ok_msg'] .= " / <a href=/login/?loginas=".htmlentities($_POST['v_username']).">" . __('login as') ." ".htmlentities($_POST['v_username']). "</a>";
         unset($v_username);
         unset($v_password);
         unset($v_email);

diff --git a/web/add/web/index.php b/web/add/web/index.php
@@ -10,6 +10,12 @@
 // Check POST request
 if (!empty($_POST['ok'])) {
 
+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('location: /login/');
+        exit();
+    }
+
     // Check for empty fields
     if (empty($_POST['v_domain'])) $errors[] = __('domain');
     if (empty($_POST['v_ip'])) $errors[] = __('ip');
@@ -314,7 +320,7 @@
         }
 
         if (!empty($_SESSION['error_msg']) && $domain_added) {
-            $_SESSION['ok_msg'] = __('WEB_DOMAIN_CREATED_OK',$_POST[v_domain],$_POST[v_domain]);
+            $_SESSION['ok_msg'] = __('WEB_DOMAIN_CREATED_OK',htmlentities($_POST[v_domain]),htmlentities($_POST[v_domain]));
             $_SESSION['flash_error_msg'] = $_SESSION['error_msg'];
             $url = '/edit/web/?domain='.strtolower(preg_replace("/^www\./i", "", $_POST['v_domain']));
             header('Location: ' . $url);
@@ -324,7 +330,7 @@
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = __('WEB_DOMAIN_CREATED_OK',$_POST[v_domain],$_POST[v_domain]);
+        $_SESSION['ok_msg'] = __('WEB_DOMAIN_CREATED_OK',htmlentities($_POST[v_domain]),htmlentities($_POST[v_domain]));
         unset($v_domain);
         unset($v_aliases);
         unset($v_ssl);

diff --git a/web/bulk/backup/index.php b/web/bulk/backup/index.php
@@ -9,6 +9,12 @@
 $backup = $_POST['backup'];
 $action = $_POST['action'];
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 switch ($action) {
     case 'delete': $cmd='v-delete-user-backup';
         break;

diff --git a/web/bulk/cron/index.php b/web/bulk/cron/index.php
@@ -6,6 +6,12 @@
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 $job = $_POST['job'];
 $action = $_POST['action'];
 

diff --git a/web/bulk/db/index.php b/web/bulk/db/index.php
@@ -6,6 +6,12 @@
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 $database = $_POST['database'];
 $action = $_POST['action'];
 

diff --git a/web/bulk/dns/index.php b/web/bulk/dns/index.php
@@ -6,6 +6,12 @@
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 $domain = $_POST['domain'];
 $record = $_POST['record'];
 $action = $_POST['action'];

diff --git a/web/bulk/firewall/banlist/index.php b/web/bulk/firewall/banlist/index.php
@@ -7,6 +7,12 @@
 // Main include
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 // Check user
 if ($_SESSION['user'] != 'admin') {
     header("Location: /list/user");

diff --git a/web/bulk/firewall/index.php b/web/bulk/firewall/index.php
@@ -7,6 +7,12 @@
 // Main include
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 // Check user
 if ($_SESSION['user'] != 'admin') {
     header("Location: /list/user");

diff --git a/web/bulk/ip/index.php b/web/bulk/ip/index.php
@@ -6,6 +6,12 @@
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 $ip = $_POST['ip'];
 $action = $_POST['action'];
 

diff --git a/web/bulk/mail/index.php b/web/bulk/mail/index.php
@@ -6,6 +6,12 @@
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 $domain = $_POST['domain'];
 $account = $_POST['account'];
 $action = $_POST['action'];

diff --git a/web/bulk/package/index.php b/web/bulk/package/index.php
@@ -6,6 +6,12 @@
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 $package = $_POST['package'];
 $action = $_POST['action'];
 

diff --git a/web/bulk/restore/index.php b/web/bulk/restore/index.php
@@ -6,6 +6,12 @@
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 $action = $_POST['action'];
 $backup = escapeshellarg($_POST['backup']);
 

diff --git a/web/bulk/service/index.php b/web/bulk/service/index.php
@@ -6,6 +6,12 @@
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 $service = $_POST['service'];
 $action = $_POST['action'];
 

diff --git a/web/bulk/user/index.php b/web/bulk/user/index.php
@@ -6,6 +6,12 @@
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 $user = $_POST['user'];
 $action = $_POST['action'];