SECURITY: CSRF protection in Private Messaging, which is a really broken feature and should get the TinyMCE treatment. *sigh* Reported by Secunia.
authorDan Fuhry <dan@enanocms.org>
Tue, 12 Jul 2011 22:21:08 -0400
changeset 1348 2e635e51deb0
parent 1347 d8983d3a8468
child 1349 3f7bf1a22b45
SECURITY: CSRF protection in Private Messaging, which is a really broken feature and should get the TinyMCE treatment. *sigh* Reported by Secunia.
plugins/PrivateMessages.php
--- a/plugins/PrivateMessages.php	Tue Jul 12 22:15:18 2011 -0400
+++ b/plugins/PrivateMessages.php	Tue Jul 12 22:21:08 2011 -0400
@@ -153,6 +153,7 @@
 			if ( $argv[1]=='Send' && isset($_POST['_send']) )
 			{
 				// Check each POST DATA parameter...
+				csrf_request_confirm();
 				$errors = array();
 				if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == ''))
 				{
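Review bot: The result of the added `csrf_request_confirm();` call before `$errors = array();` is discarded, so the Send branch is only protected if that helper halts the request itself (exits, or renders a confirmation page and stops) when `cstok` is absent or does not match; if it returns a status instead, the call has to become a guard that stops processing before any state is touched, e.g. `if ( !csrf_request_confirm() ) { break; }`. The same unchecked-call form is used for the two `_savedraft` branches and the `PostHandler` case in the later hunks, so whichever answer holds applies there too. Guarding each POST branch separately also leaves any branch added later unprotected by default; a single call placed where the Compose/Edit actions first inspect `$_POST` would cover all of them. The enclosing function or switch case begins and ends outside this hunk.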
@@ -195,6 +196,7 @@
 			}
 			else if ( $argv[1] == 'Send' && isset($_POST['_savedraft'] ) )
 			{
+				csrf_request_confirm();
 				$errors = array();
 				if ( !isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '') )
 				{
@@ -303,6 +305,7 @@
 				}
 				?>
 				<br />
+				<input type="hidden" name="cstok" value="<?php echo $session->csrf_token; ?>" />
 				<div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4">
 					<tr>
 						<th colspan="2"><?php echo $lang->get('privmsgs_lbl_compose_th'); ?></th>
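Review bot: The token is written into the `value` attribute of the new hidden input without escaping; that is harmless if `$session->csrf_token` is always hex or alphanumeric (not visible from here), otherwise it should be `value="<?php echo htmlspecialchars($session->csrf_token, ENT_QUOTES); ?>"`. The same applies to the hidden input added to the edit form and to the one concatenated into the folder-listing string in the later hunks. The `<form>` opening tag is outside this hunk, so confirm the input lands inside the form element: a hidden field emitted before `<form>` is never submitted, and `csrf_request_confirm()` would then reject every legitimate compose request.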
@@ -416,6 +419,7 @@
 			}
 			else if ( isset($_POST['_savedraft']) )
 			{
+				csrf_request_confirm();
 				// Check each POST DATA parameter...
 				$errors = array();
 				if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == ''))
@@ -467,6 +471,7 @@
 					echo '<div class="info-box">' . $lang->get('privmsgs_msg_draft_saved') . '</div>';
 				}
 				?>
+				<input type="hidden" name="cstok" value="<?php echo $session->csrf_token; ?>" />
 				<br />
 				<div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4">
 					<tr><th colspan="2"><?php echo $lang->get('privmsgs_lbl_edit_th'); ?></th></tr>
@@ -648,7 +653,9 @@
 										<input type="submit" name="deleteall" value="' . $lang->get('privmsgs_btn_delete_all') . '" />
 									</th>
 								</tr>';
-					echo '</table></div></form>
+					echo '</table></div>
+					<input type="hidden" name="cstok" value="' . $session->csrf_token . '" />
+					</form>
 					<br />
 					<a href="'.makeUrlNS('Special', 'PrivateMessages/Compose/').'">' . $lang->get('privmsgs_btn_compose') . '</a>
 					</td></tr></table>';
@@ -657,6 +664,7 @@
 			$template->footer();
 			break;
 		case 'PostHandler':
+			csrf_request_confirm();
 			$fname = $db->escape(strtolower($_POST['folder']));
 			if($fname=='drafts' || $fname=='outbox')
 			{
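Review bot: Placing `csrf_request_confirm();` at the top of `case 'PostHandler':` means every form that submits to this handler must now carry `cstok`; the folder-listing form in this commit does, but any other form or link targeting `PostHandler` that is not in the diff will fail the check until it is updated, so those callers should be audited in the same change. A short comment on the new line would also make the contract explicit, e.g. `// csrf_request_confirm() must halt on a bad token; nothing below may run on an unverified request`. The case body continues past the end of this hunk.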