Merge branch 'release/1.0.18'

pagekit · Jan 20, 2020 · 95446c5 · 95446c5
2 parents 8fc2c99 + 9f1c039
commit 95446c5
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 6 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -3,7 +3,6 @@ language: php
 sudo: false
 
 php:
-    - 5.5
     - 5.6
     - 7.0
 
@@ -19,4 +18,4 @@ script:
 matrix:
     allow_failures:
         - php: 7.0
-    fast_finish: true
+    fast_finish: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.0.18 (January 20, 2020)
+
+### Security
+- CSRF vulnerability in Finder, discovered by Christian Bortone
+
 ## 1.0.17 (July 11, 2019)
 
 ### Added

diff --git a/app/system/config.php b/app/system/config.php
@@ -4,7 +4,7 @@
 
     'application' => [
 
-        'version' => '1.0.17'
+        'version' => '1.0.18'
 
     ],
 

diff --git a/app/system/modules/finder/src/Controller/FinderController.php b/app/system/modules/finder/src/Controller/FinderController.php
@@ -58,7 +58,7 @@ public function indexAction($path)
     }
 
     /**
-     * @Request({"name"})
+     * @Request({"name"}, csrf=true)
      */
     public function createFolderAction($name)
     {
@@ -91,7 +91,7 @@ public function createFolderAction($name)
     }
 
     /**
-     * @Request({"oldname", "newname"})
+     * @Request({"oldname", "newname"}, csrf=true)
      */
     public function renameAction($oldname, $newname)
     {
@@ -115,7 +115,7 @@ public function renameAction($oldname, $newname)
     }
 
     /**
-     * @Request({"names": "array"})
+     * @Request({"names": "array"}, csrf=true)
      */
     public function removeFilesAction($names)
     {
@@ -142,6 +142,9 @@ public function removeFilesAction($names)
         return $this->success(__('Removed selected.'));
     }
 
+    /**
+     * @Request(csrf=true)
+     */
     public function uploadAction()
     {
         try {