Skip to content
Snippets Groups Projects
Commit a1d4fd48 authored by Till Brehm's avatar Till Brehm
Browse files

More fixes for issue #5415

parent 58b34185
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
interface/web/admin/software_package_del.php
+ 3
0
View file @ a1d4fd48
...@@ -36,6 +36,9 @@ $app->auth->check_module_permissions('admin'); ...@@ -36,6 +36,9 @@ $app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_software_packages'); $app->auth->check_security_permissions('admin_allow_software_packages');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
// Check CSRF Token
$app->auth->csrf_token_check('GET');
$software_update_inst_id = $app->functions->intval($_GET['software_update_inst_id']); $software_update_inst_id = $app->functions->intval($_GET['software_update_inst_id']);
if($software_update_inst_id > 0) { if($software_update_inst_id > 0) {
......
interface/web/admin/software_package_install.php
+ 7
0
View file @ a1d4fd48
...@@ -38,6 +38,13 @@ $app->auth->check_security_permissions('admin_allow_software_packages'); ...@@ -38,6 +38,13 @@ $app->auth->check_security_permissions('admin_allow_software_packages');
//* This is only allowed for administrators //* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.'); if(!$app->auth->is_admin()) die('only allowed for administrators.');
// Check CSRF Token
if(count($_POST) > 0) {
$app->auth->csrf_token_check('POST');
} else {
$app->auth->csrf_token_check('GET');
}
$package_name = $_REQUEST['package']; $package_name = $_REQUEST['package'];
$install_server_id = $app->functions->intval($_REQUEST['server_id']); $install_server_id = $app->functions->intval($_REQUEST['server_id']);
$install_key = trim($_REQUEST['install_key']); $install_key = trim($_REQUEST['install_key']);
......
interface/web/admin/software_package_list.php
+ 6
1
View file @ a1d4fd48
...@@ -145,6 +145,9 @@ $app->uses('tpl'); ...@@ -145,6 +145,9 @@ $app->uses('tpl');
$app->tpl->newTemplate("form.tpl.htm"); $app->tpl->newTemplate("form.tpl.htm");
$app->tpl->setInclude('content_tpl', 'templates/software_package_list.htm'); $app->tpl->setInclude('content_tpl', 'templates/software_package_list.htm');
$csrf_token = $app->auth->csrf_token_get('software_package_list');
$_csrf_id = $csrf_token['csrf_id'];
$_csrf_key = $csrf_token['csrf_key'];
$servers = $app->db->queryAllRecords('SELECT server_id, server_name FROM server ORDER BY server_name'); $servers = $app->db->queryAllRecords('SELECT server_id, server_name FROM server ORDER BY server_name');
$packages = $app->db->queryAllRecords('SELECT * FROM software_package'); $packages = $app->db->queryAllRecords('SELECT * FROM software_package');
...@@ -167,12 +170,14 @@ if(is_array($packages) && count($packages) > 0) { ...@@ -167,12 +170,14 @@ if(is_array($packages) && count($packages) > 0) {
if($p['package_installable'] == 'no') { if($p['package_installable'] == 'no') {
$installed_txt .= $s['server_name'].": ".$app->lng("Package can not be installed.")."<br />"; $installed_txt .= $s['server_name'].": ".$app->lng("Package can not be installed.")."<br />";
} else { } else {
$installed_txt .= $s['server_name'].": <a href=\"#\" data-load-content=\"admin/software_package_install.php?package=".$p["package_name"]."&server_id=".$s["server_id"]."\">Install now</a><br />"; $installed_txt .= $s['server_name'].": <a href=\"#\" data-load-content=\"admin/software_package_install.php?package=".$p["package_name"]."&server_id=".$s["server_id"]."&_csrf_key=".$_csrf_key."&_csrf_id=".$_csrf_id."\">Install now</a><br />";
} }
} }
} }
$packages[$key]['software_update_inst_id'] = intval($inst['software_update_inst_id']); $packages[$key]['software_update_inst_id'] = intval($inst['software_update_inst_id']);
$packages[$key]['installed'] = $installed_txt; $packages[$key]['installed'] = $installed_txt;
$packages[$key]['csrf_id'] = $_csrf_id;
$packages[$key]['csrf_key'] = $_csrf_key;
} }
$app->tpl->setVar('has_packages', 1); $app->tpl->setVar('has_packages', 1);
} else { } else {
......
interface/web/admin/templates/software_package_list.htm
+ 1
1
View file @ a1d4fd48
...@@ -33,7 +33,7 @@ ...@@ -33,7 +33,7 @@
<td>ispapp{tmpl_var name="package_id"}</td> <td>ispapp{tmpl_var name="package_id"}</td>
<td class="text-right"> <td class="text-right">
<a class="btn btn-default formbutton-default formbutton-narrow" data-load-content="admin/software_package_edit.php?id={tmpl_var name='package_id'}"><span class="icon icon-edit"></span></a> <a class="btn btn-default formbutton-default formbutton-narrow" data-load-content="admin/software_package_edit.php?id={tmpl_var name='package_id'}"><span class="icon icon-edit"></span></a>
<a class="btn btn-default formbutton-danger formbutton-narrow" href="javascript: ISPConfig.confirm_action('admin/software_package_del.php?software_update_inst_id={tmpl_var name='software_update_inst_id'}','{tmpl_var name='delete_confirmation'}');"><span class="icon icon-delete"></span></a> <a class="btn btn-default formbutton-danger formbutton-narrow" href="javascript: ISPConfig.confirm_action('admin/software_package_del.php?software_update_inst_id={tmpl_var name='software_update_inst_id'}&_csrf_id={tmpl_var name='csrf_id'}&_csrf_key={tmpl_var name='csrf_key'}','{tmpl_var name='delete_confirmation'}');"><span class="icon icon-delete"></span></a>
</td> </td>
</tr> </tr>
</tmpl_if> </tmpl_if>
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment