Added CSRF checks
LukasReschke committed Jul 20, 2012
1 parent e52ab59 commit 38271de
Showing 37 changed files with 44 additions and 3 deletions.
1 change: 1 addition & 0 deletions apps/bookmarks/ajax/addBookmark.php
Expand Up @@ -29,6 +29,7 @@
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('bookmarks');
OCP\JSON::callCheck();

require_once(OC::$APPSROOT . '/apps/bookmarks/bookmarksHelper.php');
$id = addBookmark($_POST['url'], $_POST['title'], $_POST['tags']);
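Review bot: The protection added here is only as complete as the hand-maintained list of endpoints it was applied to; any `apps/*/ajax/*.php` that reads `$_POST`/`$_GET` and changes state but was missed keeps its CSRF exposure, and endpoints added later will not pick up the check automatically. Consider a guard that fails closed — a test that greps every ajax script for `OCP\JSON::callCheck()`, or enforcing the token check centrally in the request dispatcher for `ajax/` paths with an explicit allow-list for the few endpoints that must stay anonymous. The placement in this file, after `checkLoggedIn()` and `checkAppEnabled()`, looks right, since the token is presumably bound to the session those checks establish. The rest of addBookmark.php is outside the hunk.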
1 change: 1 addition & 0 deletions apps/bookmarks/ajax/delBookmark.php
Expand Up @@ -29,6 +29,7 @@
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('bookmarks');
OCP\JSON::callCheck();

$id = $_POST['id'];
if (!OC_Bookmarks_Bookmarks::deleteUrl($id)){
1 change: 1 addition & 0 deletions apps/bookmarks/ajax/editBookmark.php
Expand Up @@ -29,6 +29,7 @@
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('bookmarks');
OCP\JSON::callCheck();

$CONFIG_DBTYPE = OCP\Config::getSystemValue( "dbtype", "sqlite" );
if( $CONFIG_DBTYPE == 'sqlite' or $CONFIG_DBTYPE == 'sqlite3' ){
1 change: 1 addition & 0 deletions apps/calendar/ajax/calendar/delete.php
Expand Up @@ -9,6 +9,7 @@

OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('calendar');
OCP\JSON::callCheck();

$cal = $_POST["calendarid"];
$calendar = OC_Calendar_App::getCalendar($cal, true);
1 change: 1 addition & 0 deletions apps/calendar/ajax/calendar/edit.php
Expand Up @@ -9,6 +9,7 @@

OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('calendar');
OCP\JSON::callCheck();

$calendarcolor_options = OC_Calendar_Calendar::getCalendarColorOptions();
$calendar = OC_Calendar_App::getCalendar($_GET['calendarid'], true);
1 change: 1 addition & 0 deletions apps/calendar/ajax/calendar/new.php
Expand Up @@ -11,6 +11,7 @@
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('calendar');
OCP\JSON::callCheck();

if(trim($_POST['name']) == ''){
OCP\JSON::error(array('message'=>'empty'));
1 change: 1 addition & 0 deletions apps/calendar/ajax/calendar/update.php
Expand Up @@ -11,6 +11,7 @@
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('calendar');
OCP\JSON::callCheck();

if(trim($_POST['name']) == ''){
OCP\JSON::error(array('message'=>'empty'));
1 change: 1 addition & 0 deletions apps/calendar/ajax/event/delete.php
Expand Up @@ -9,6 +9,7 @@

OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('calendar');
OCP\JSON::callCheck();

$id = $_POST['id'];
$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
1 change: 1 addition & 0 deletions apps/calendar/ajax/event/edit.php
Expand Up @@ -9,6 +9,7 @@

OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('calendar');
OCP\JSON::callCheck();

$id = $_POST['id'];

1 change: 1 addition & 0 deletions apps/calendar/ajax/event/move.php
Expand Up @@ -7,6 +7,7 @@
*/

OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();

$id = $_POST['id'];
$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
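Review bot: `OCP\JSON::checkAppEnabled('calendar');` is missing between `checkLoggedIn()` and the new `callCheck()`; the sibling scripts in apps/calendar/ajax/event/ touched by this same commit (new.php, edit.php, delete.php) all perform that check, so an event move presumably stays reachable while the calendar app is disabled. Add `OCP\JSON::checkAppEnabled('calendar');` on the line after `OCP\JSON::checkLoggedIn();`. The rest of move.php is outside the hunk.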
1 change: 1 addition & 0 deletions apps/calendar/ajax/event/new.php
Expand Up @@ -10,6 +10,7 @@

OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('calendar');
OCP\JSON::callCheck();

$errarr = OC_Calendar_Object::validateRequest($_POST);
if($errarr){
1 change: 1 addition & 0 deletions apps/calendar/ajax/import/import.php
Expand Up @@ -8,6 +8,7 @@
//check for calendar rights or create new one
ob_start();
OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();
OCP\App::checkAppEnabled('calendar');
$nl="\r\n";
$comps = array('VEVENT'=>true, 'VTODO'=>true, 'VJOURNAL'=>true);
2 changes: 2 additions & 0 deletions apps/calendar/ajax/settings/setfirstday.php
Expand Up @@ -7,6 +7,8 @@
*/

OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();

if(isset($_POST["firstday"])){
OCP\Config::setUserValue(OCP\USER::getUser(), 'calendar', 'firstday', $_POST["firstday"]);
OCP\JSON::success();
2 changes: 2 additions & 0 deletions apps/calendar/ajax/settings/settimeformat.php
Expand Up @@ -7,6 +7,8 @@
*/

OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();

if(isset($_POST["timeformat"])){
OCP\Config::setUserValue(OCP\USER::getUser(), 'calendar', 'timeformat', $_POST["timeformat"]);
OCP\JSON::success();
3 changes: 2 additions & 1 deletion apps/calendar/ajax/share/changepermission.php
Expand Up @@ -5,7 +5,8 @@
* later.
* See the COPYING-README file.
*/

OCP\JSON::callCheck();

$id = strip_tags($_GET['id']);
$idtype = strip_tags($_GET['idtype']);
$permission = (int) strip_tags($_GET['permission']);
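Review bot: `callCheck()` is the only guard in this script: there is no `OCP\JSON::checkLoggedIn()` and no `OCP\JSON::checkAppEnabled('calendar')`, unlike every other calendar ajax endpoint in this commit. Unless the request-token check itself guarantees an authenticated session (not visible from here), add `OCP\JSON::checkLoggedIn();` and `OCP\JSON::checkAppEnabled('calendar');` ahead of it. A permission change is also driven from `$_GET`, so the token presumably has to be sent in the query string where it can end up in access logs and the Referer header; POST would be the safer transport for this state change. The rest of changepermission.php is outside the hunk.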
3 changes: 2 additions & 1 deletion apps/calendar/ajax/share/share.php
Expand Up @@ -5,7 +5,8 @@
* later.
* See the COPYING-README file.
*/

OCP\JSON::callCheck();

$id = strip_tags($_GET['id']);
$idtype = strip_tags($_GET['idtype']);
switch($idtype){
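Review bot: As in changepermission.php, the new `callCheck()` stands alone here — there is no `OCP\JSON::checkLoggedIn()` or `OCP\JSON::checkAppEnabled('calendar')` before the `$_GET` parameters are read. If the token check does not itself imply a logged-in session, add `OCP\JSON::checkLoggedIn();` and `OCP\JSON::checkAppEnabled('calendar');` before it so sharing a calendar or event is gated the same way the other calendar endpoints are. The rest of share.php is outside the hunk.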
3 changes: 2 additions & 1 deletion apps/calendar/ajax/share/unshare.php
Expand Up @@ -5,7 +5,8 @@
* later.
* See the COPYING-README file.
*/

OCP\JSON::callCheck();

$id = strip_tags($_GET['id']);
$idtype = strip_tags($_GET['idtype']);
switch($idtype){
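Review bot: This unshare endpoint has no `OCP\JSON::checkLoggedIn()` or `OCP\JSON::checkAppEnabled('calendar')`; the new `callCheck()` is the only check before `$_GET['id']`/`$_GET['idtype']` are consumed. Unless the token check guarantees an authenticated session, add `OCP\JSON::checkLoggedIn();` and `OCP\JSON::checkAppEnabled('calendar');` in front of it, matching the other calendar ajax scripts. The rest of unshare.php is outside the hunk.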
1 change: 1 addition & 0 deletions apps/external/ajax/setsites.php
Expand Up @@ -8,6 +8,7 @@


OCP\User::checkAdminUser();
OCP\JSON::callCheck();

$sites = array();
for ($i = 0; $i < sizeof($_POST['site_name']); $i++) {
1 change: 1 addition & 0 deletions apps/files/ajax/delete.php
Expand Up @@ -4,6 +4,7 @@


OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();

// Get data
$dir = stripslashes($_GET["dir"]);
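Review bot: The delete parameters come from `$_GET` (`$_GET["dir"]` on the line after the new check), so the request token verified by `callCheck()` presumably also travels in the URL, where it is recorded in server and proxy access logs and browser history and can leak through the Referer header. Prefer reading `dir`/`file` and the token from `$_POST` for this state-changing endpoint; the same applies to move.php and rename.php in this commit. The remainder of delete.php is outside the hunk.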
1 change: 1 addition & 0 deletions apps/files/ajax/move.php
Expand Up @@ -4,6 +4,7 @@


OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();

// Get data
$dir = stripslashes($_GET["dir"]);
1 change: 1 addition & 0 deletions apps/files/ajax/newfile.php
Expand Up @@ -4,6 +4,7 @@


OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();

// Get the params
$dir = isset( $_POST['dir'] ) ? stripslashes($_POST['dir']) : '';
1 change: 1 addition & 0 deletions apps/files/ajax/newfolder.php
Expand Up @@ -4,6 +4,7 @@


OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();

// Get the params
$dir = isset( $_POST['dir'] ) ? stripslashes($_POST['dir']) : '';
1 change: 1 addition & 0 deletions apps/files/ajax/rename.php
Expand Up @@ -4,6 +4,7 @@


OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();

// Get data
$dir = stripslashes($_GET["dir"]);
1 change: 1 addition & 0 deletions apps/files_sharing/ajax/email.php
@@ -1,5 +1,6 @@
<?php
OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();
OCP\JSON::checkAppEnabled('files_sharing');
$user = OCP\USER::getUser();
// TODO translations
1 change: 1 addition & 0 deletions apps/files_sharing/ajax/setpermissions.php
Expand Up @@ -3,6 +3,7 @@

OCP\JSON::checkAppEnabled('files_sharing');
OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();

$source = '/'.OCP\USER::getUser().'/files'.$_POST['source'];
$uid_shared_with = $_POST['uid_shared_with'];
1 change: 1 addition & 0 deletions apps/files_sharing/ajax/share.php
Expand Up @@ -3,6 +3,7 @@

OCP\JSON::checkAppEnabled('files_sharing');
OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();

$userDirectory = '/'.OCP\USER::getUser().'/files';
$sources = explode(';', $_POST['sources']);
2 changes: 2 additions & 0 deletions apps/files_sharing/ajax/toggleresharing.php
@@ -1,5 +1,7 @@
<?php

OCP\JSON::callCheck();

OCP\JSON::checkAppEnabled('files_sharing');
OCP\JSON::checkAdminUser();
if ($_POST['resharing'] == true) {
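Review bot: The new `callCheck()` runs before `checkAppEnabled('files_sharing')` and `checkAdminUser()`, the reverse of the order used in share.php, unshare.php and setpermissions.php in this same commit; a non-admin or anonymous request would fail on the token rather than with the usual not-authorized response, and the inconsistency makes the pattern harder to audit. Move the call to the line after `OCP\JSON::checkAdminUser();`. togglesharewitheveryone.php in this commit has the same ordering. The rest of toggleresharing.php is outside the hunk.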
2 changes: 2 additions & 0 deletions apps/files_sharing/ajax/togglesharewitheveryone.php
@@ -1,5 +1,7 @@
<?php

OCP\JSON::callCheck();

OCP\JSON::checkAppEnabled('files_sharing');
OCP\JSON::checkAdminUser();
if ($_POST['allowSharingWithEveryone'] == true) {
1 change: 1 addition & 0 deletions apps/files_sharing/ajax/unshare.php
Expand Up @@ -3,6 +3,7 @@

OCP\JSON::checkAppEnabled('files_sharing');
OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();

$source = '/'.OCP\USER::getUser().'/files'.$_POST['source'];
$uid_shared_with = $_POST['uid_shared_with'];
1 change: 1 addition & 0 deletions apps/files_texteditor/ajax/savefile.php
Expand Up @@ -26,6 +26,7 @@

// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::callCheck();

// Get paramteres
$filecontents = isset($_POST['filecontents']) ? $_POST['filecontents'] : false;
1 change: 1 addition & 0 deletions apps/files_versions/ajax/rollbackVersion.php
@@ -1,6 +1,7 @@
<?php

OCP\JSON::checkAppEnabled('files_versions');
OCP\JSON::callCheck();

require_once('apps/files_versions/versions.php');

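Review bot: This script has no `OCP\JSON::checkLoggedIn()`: only `checkAppEnabled('files_versions')` and the new `callCheck()` gate the rollback. Unless the token check implies an authenticated session, a valid token is the only thing between an unauthenticated request and a version rollback; add `OCP\JSON::checkLoggedIn();` before `OCP\JSON::callCheck();`, as the files and files_sharing endpoints in this commit do. The rest of rollbackVersion.php, including any user check it may perform later, is outside the hunk.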
1 change: 1 addition & 0 deletions apps/gallery/ajax/createAlbum.php
Expand Up @@ -24,6 +24,7 @@

OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('gallery');
OCP\JSON::callCheck();

OC_Gallery_Album::create(OCP\USER::getUser(), $_GET['album_name']);

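Review bot: Album creation is driven by `$_GET['album_name']` on the line after the new check, so the request token presumably has to be passed in the query string as well, where it is exposed in access logs, history and Referer headers. Since this endpoint creates state, read `album_name` (and the token) from `$_POST` instead. The rest of createAlbum.php is outside the hunk.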
1 change: 1 addition & 0 deletions apps/gallery/ajax/sharing.php
Expand Up @@ -22,6 +22,7 @@
*/


OCP\JSON::callCheck();

if (!isset($_GET['token']) || !isset($_GET['operation'])) {
OCP\JSON::error(array('cause' => 'Not enought arguments'));
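Review bot: This endpoint authenticates by the `$_GET['token']` share token and carries no `checkLoggedIn()`, which suggests it is meant to serve anonymous visitors of a shared gallery; if `callCheck()` requires a request token bound to a logged-in session (not visible from here), those visitors will now be rejected. Confirm whether anonymous access is intended; if it is, the share token already acts as the capability and the CSRF check should be applied only to state-changing `operation` values, e.g. after the `operation` switch rather than unconditionally at the top. The rest of sharing.php is outside the hunk.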
1 change: 1 addition & 0 deletions apps/tasks/ajax/addtask.php
Expand Up @@ -3,6 +3,7 @@
// Init owncloud
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('tasks');
OCP\JSON::callCheck();

$calendars = OC_Calendar_Calendar::allCalendars(OCP\User::getUser(), true);
$first_calendar = reset($calendars);
1 change: 1 addition & 0 deletions apps/tasks/ajax/addtaskform.php
Expand Up @@ -3,6 +3,7 @@
// Init owncloud
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('tasks');
OCP\JSON::callCheck();

$calendars = OC_Calendar_Calendar::allCalendars(OCP\User::getUser(), true);
$category_options = OC_Calendar_App::getCategoryOptions();
1 change: 1 addition & 0 deletions apps/tasks/ajax/delete.php
Expand Up @@ -23,6 +23,7 @@
// Init owncloud
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('tasks');
OCP\JSON::callCheck();

$id = $_POST['id'];
$task = OC_Calendar_App::getEventObject( $id );
1 change: 1 addition & 0 deletions apps/tasks/ajax/edittask.php
Expand Up @@ -3,6 +3,7 @@
// Init owncloud
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('tasks');
OCP\JSON::callCheck();

$l10n = new OC_L10N('tasks');

