SF.net SVN: postfixadmin:[1564] trunk
From: <chr...@us...> - 2013-11-10 21:17:20
Revision: 1564 http://sourceforge.net/p/postfixadmin/code/1564 Author: christian_boltz Date: 2013-11-10 21:17:17 +0000 (Sun, 10 Nov 2013) Log Message: ----------- delete.php: - require token for CSRF protection, see https://sourceforge.net/p/postfixadmin/bugs/269/ login.php, users/login.php: - create token and store it in $_SESSION templates/*: - add token to all delete.php links templates/list-virtual_alias_domain.tpl: - change delete confirmation dialog to contain "from->target" Modified Paths: -------------- trunk/delete.php trunk/login.php trunk/templates/adminlistadmin.tpl trunk/templates/adminlistdomain.tpl trunk/templates/fetchmail.tpl trunk/templates/list-virtual_alias.tpl trunk/templates/list-virtual_alias_domain.tpl trunk/templates/list-virtual_mailbox.tpl trunk/users/login.php
Modified: trunk/delete.php
===================================================================
--- trunk/delete.php 2013-11-10 19:52:49 UTC (rev 1563)
+++ trunk/delete.php 2013-11-10 21:17:17 UTC (rev 1564)
@@ -19,6 +19,8 @@
 require_once('common.php');
+if (safeget('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
 $username = authentication_get_username(); # enforce login
 $id = safeget('delete');
Modified: trunk/login.php
===================================================================
--- trunk/login.php 2013-11-10 19:52:49 UTC (rev 1563)
+++ trunk/login.php 2013-11-10 21:17:17 UTC (rev 1564)
@@ -53,6 +53,8 @@
 $_SESSION['sessid']['roles'][] = 'admin';
 $_SESSION['sessid']['username'] = $fUsername;
+ $_SESSION['PFA_token'] = md5(uniqid(rand(), true));
+
 # they've logged in, so see if they are a domain admin, as well.
 if (!$h->init($fUsername)) {
Modified: trunk/templates/adminlistadmin.tpl
===================================================================
--- trunk/templates/adminlistadmin.tpl 2013-11-10 19:52:49 UTC (rev 1563)
+++ trunk/templates/adminlistadmin.tpl 2013-11-10 21:17:17 UTC (rev 1564)
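Review bot: The guard added right after `require_once('common.php')` compares with loose `!=` against a session key that is not guaranteed to exist — sessions created before this revision, or by any login path that does not set `PFA_token`, leave `$_SESSION['PFA_token']` unset, and if `safeget()` yields an empty string for an absent parameter (its default is not visible here) then `'' != null` is false in PHP and a request with no token at all would pass. Require the session token to be present and compare strictly, e.g. `if (empty($_SESSION['PFA_token']) || safeget('token') !== $_SESSION['PFA_token']) die('Invalid token!');` (`hash_equals()` where the PHP version provides it). Because the token travels as a GET parameter on a link, it is also exposed to Referer leakage; converting deletion to a POST form would be the more robust follow-up. The surrounding top-level code of delete.php is outside the hunk.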
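Review bot: The token created on the added line `$_SESSION['PFA_token'] = md5(uniqid(rand(), true));` is derived from `uniqid()` and `rand()`, neither of which is a cryptographic randomness source, so a CSRF token built this way is weaker than it needs to be. Generate it from the CSPRNG instead, e.g. `$_SESSION['PFA_token'] = bin2hex(openssl_random_pseudo_bytes(16));` (or `bin2hex(random_bytes(16))` on PHP 7+). The identical line is added to trunk/users/login.php later in this diff and should be changed the same way; a shared helper in common.php would keep the two from diverging. The enclosing `if` block in login.php begins outside the hunk.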
@@ -20,7 +20,8 @@
 <td>{$admin.modified}</td>
 <td><a href="{#url_edit_admin#}&edit={$admin.username|escape:"url"}&active={if ($admin.active==0)}1{else}0{/if}">{$admin._active}</a></td>
 <td><a href="{#url_edit_admin#}&edit={$admin.username|escape:"url"}">{$PALANG.edit}</a></td>
- <td><a href="{#url_delete#}?table=admin&delete={$admin.username|escape:"url"}" onclick="return confirm ('{$PALANG.confirm}{$PALANG.admin}: {$admin.username}');">{$PALANG.del}</a></td>
+ <td><a href="{#url_delete#}?table=admin&delete={$admin.username|escape:"url"}&token={$smarty.session.PFA_token|escape:"url"}"
+ onclick="return confirm ('{$PALANG.confirm}{$PALANG.admin}: {$admin.username}');">{$PALANG.del}</a></td>
 </tr>
 {/foreach}
 </table>
Modified: trunk/templates/adminlistdomain.tpl
===================================================================
--- trunk/templates/adminlistdomain.tpl 2013-11-10 19:52:49 UTC (rev 1563)
+++ trunk/templates/adminlistdomain.tpl 2013-11-10 21:17:17 UTC (rev 1564)
@@ -35,7 +35,8 @@
 <td>{$domain.modified}</td>
 <td><a href="{#url_edit_domain#}&edit={$domain.domain|escape:"url"}&active={if ($domain.active==0)}1{else}0{/if}">{$domain._active}</a></td>
 <td><a href="{#url_edit_domain#}&edit={$domain.domain|escape:"url"}">{$PALANG.edit}</a></td>
- <td><a href="{#url_delete#}?table=domain&delete={$domain.domain|escape:"url"}" onclick="return confirm ('{$PALANG.confirm_domain}{$PALANG.domain}: {$domain.domain}')">{$PALANG.del}</a></td>
+ <td><a href="{#url_delete#}?table=domain&delete={$domain.domain|escape:"url"}&token={$smarty.session.PFA_token|escape:"url"}"
+ onclick="return confirm ('{$PALANG.confirm_domain}{$PALANG.domain}: {$domain.domain}')">{$PALANG.del}</a></td>
 </tr>
 {/foreach}
 </table>
Modified: trunk/templates/fetchmail.tpl
===================================================================
--- trunk/templates/fetchmail.tpl 2013-11-10 19:52:49 UTC (rev 1563)
+++ trunk/templates/fetchmail.tpl 2013-11-10 21:17:17 UTC (rev 1564)
@@ -39,7 +39,8 @@
 <td nowrap="nowrap">{$row.date} </td>
 <td nowrap="nowrap">{$row.returned_text}--x-- </td> <!-- Inhalt mit if auswerten! -->
 <td><a href="fetchmail.php?edit={$row.id|escape:"url"}">{$PALANG.edit}</a></td>
- <td><a href="fetchmail.php?delete={$row.id|escape:"url"}" onclick="return confirm('{$PALANG.confirm}{$PALANG.pMenu_fetchmail}:{$row.src_user}@{$row.src_server}')">{$PALANG.del}</a></td>
+ <td><a href="fetchmail.php?delete={$row.id|escape:"url"}&token={$smarty.session.PFA_token|escape:"url"}"
+ onclick="return confirm('{$PALANG.confirm}{$PALANG.pMenu_fetchmail}:{$row.src_user}@{$row.src_server}')">{$PALANG.del}</a></td>
 </tr>
 {/foreach}
 {/if}
Modified: trunk/templates/list-virtual_alias.tpl
===================================================================
--- trunk/templates/list-virtual_alias.tpl 2013-11-10 19:52:49 UTC (rev 1563)
+++ trunk/templates/list-virtual_alias.tpl 2013-11-10 21:17:17 UTC (rev 1564)
@@ -40,7 +40,7 @@
 <td><a href="{#url_create_alias#}&edit={$item.address|escape:"url"}&active={if ($item.active==0)}1{else}0{/if}" >{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
 <td><a href="{#url_create_alias#}&edit={$item.address|escape:"url"}">{$PALANG.edit}</a></td>
- <td><a href="delete.php?table=alias&delete={$item.address|escape:"url"}"
+ <td><a href="delete.php?table=alias&delete={$item.address|escape:"url"}&token={$smarty.session.PFA_token|escape:"url"}"
 onclick="return confirm ('{$PALANG.confirm}{$PALANG.aliases}: {$item.address}');">{$PALANG.del}</a></td>
 {else}
 <td>{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</td>
Modified: trunk/templates/list-virtual_alias_domain.tpl
===================================================================
--- trunk/templates/list-virtual_alias_domain.tpl 2013-11-10 19:52:49 UTC (rev 1563)
+++ trunk/templates/list-virtual_alias_domain.tpl 2013-11-10 21:17:17 UTC (rev 1564)
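Review bot: The fetchmail.tpl delete link now carries `&token=` to `fetchmail.php?delete=...`, but fetchmail.php is not among this revision's Modified Paths and the only token check added is the one in delete.php, so unless fetchmail.php already validates `PFA_token` somewhere not shown, the fetchmail delete action still has no CSRF protection even though its link now looks tokenised. Add the same guard to the delete branch of fetchmail.php, `if (empty($_SESSION['PFA_token']) || safeget('token') !== $_SESSION['PFA_token']) die('Invalid token!');`, or route that deletion through delete.php so there is a single check to maintain.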
@@ -32,7 +32,8 @@
 <td>{$item.modified}</td>
 <td><a href="{#url_create_alias_domain#}&edit={$item.alias_domain|escape:"url"}&active={if ($item.active==0)}1{else}0{/if}">{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
 <td><a href="{#url_create_alias_domain#}&edit={$item.alias_domain|escape:"url"}">{$PALANG.edit}</a></td>
- <td><a href="{#url_delete#}?table=aliasdomain&delete={$item.alias_domain|escape:"url"}" onclick="return confirm ('{$PALANG.confirm}{$PALANG.pOverview_get_alias_domains}: {$item.alias_domain}');">{$PALANG.del}</a></td>
+ <td><a href="{#url_delete#}?table=aliasdomain&delete={$item.alias_domain|escape:"url"}&token={$smarty.session.PFA_token|escape:"url"}"
+ onclick="return confirm ('{$PALANG.confirm}{$PALANG.pOverview_get_alias_domains}: {$item.alias_domain} -> {$item.target_domain}');">{$PALANG.del}</a></td>
 </tr>
 {/foreach}
 {/if}
Modified: trunk/templates/list-virtual_mailbox.tpl
===================================================================
--- trunk/templates/list-virtual_mailbox.tpl 2013-11-10 19:52:49 UTC (rev 1563)
+++ trunk/templates/list-virtual_mailbox.tpl 2013-11-10 21:17:17 UTC (rev 1564)
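Review bot: The reworked confirm() text on the second added line interpolates `{$item.target_domain}` straight into a single-quoted JavaScript string inside the onclick attribute with no escape modifier, so a quote or backslash in the stored value breaks the handler, and the deletion then proceeds without the confirmation the dialog is meant to provide. Whether such characters can reach the database depends on validation elsewhere in the project, but escaping at the output point is the reliable place to guard: `{$item.alias_domain|escape:"javascript"} -> {$item.target_domain|escape:"javascript"}`. The pre-existing `{$item.alias_domain}` in the same string has the same gap, and the other templates in this revision repeat the pattern for their own values.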
@@ -87,7 +87,8 @@
 <td><a href="edit.php?table=alias&edit={$item.username|escape:"url"}">{$PALANG.alias}</a></td>
 {/if}
 <td><a href="edit.php?table=mailbox&edit={$item.username|escape:"url"}">{$PALANG.edit}</a></td>
- <td><a href="delete.php?table=mailbox&delete={$item.username|escape:"url"}" onclick="return confirm ('{$PALANG.confirm}{$PALANG.mailboxes}: {$item.username}');">{$PALANG.del}</a></td>
+ <td><a href="delete.php?table=mailbox&delete={$item.username|escape:"url"}&token={$smarty.session.PFA_token|escape:"url"}"
+ onclick="return confirm ('{$PALANG.confirm}{$PALANG.mailboxes}: {$item.username}');">{$PALANG.del}</a></td>
 </tr>
 {/foreach}
 </table>
Modified: trunk/users/login.php
===================================================================
--- trunk/users/login.php 2013-11-10 19:52:49 UTC (rev 1563)
+++ trunk/users/login.php 2013-11-10 21:17:17 UTC (rev 1564)
@@ -48,6 +48,7 @@
 $_SESSION['sessid']['roles'] = array();
 $_SESSION['sessid']['roles'][] = 'user';
 $_SESSION['sessid']['username'] = $fUsername;
+ $_SESSION['PFA_token'] = md5(uniqid(rand(), true));
 header("Location: main.php");
 exit;
 }
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |