From: <mo...@us...> - 2004-04-02 20:21:26
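Update of /cvsroot/tikiwiki/tiki/lib/smarty_tiki
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv32466/lib/smarty_tiki

Added Files:
      Tag: BRANCH-1-8
	outputfilter.ticket.php
Log Message:
added a plugin for adding ticket in each form and internal url

--- NEW FILE: outputfilter.ticket.php ---
<?php
/*
 * Smarty plugin
 * -------------------------------------------------------------
 * File:     outputfilter.ticket.php
 * Type:     outputfilter
 * Name:     ticket
 * Version:  1.0
 * Date:     Mar 31, 2004
 * Purpose:  Protect web applications against the CSRF (cross-site
 *           request forgery) vulnerability by stamping every form
 *           and internal link of the rendered page with the current
 *           anti-CSRF ticket.
 *           See http://openacs.org/forums/message-view?message_id=32884
 *           for details about that security issue.
 * Install:  Drop into the plugin directory and call
 *               $smarty->load_filter('output', 'ticket');
 *           from the application. The function below is a Smarty
 *           *output* filter (smarty_outputfilter_ticket), so it is
 *           registered as 'output', not 'post'.
 *           Create a table in your db (or hack any other way), e.g.
 *               create table tickets ( user varchar(32), ticket varchar(16) );
 *           The ticket has to be stored there and regenerated at each page.
 * Author:   lu...@ti... for idea and concept
 *           mo...@ti... for coding
 * -------------------------------------------------------------
 * Security notes (review):
 * - This filter only EMITS the ticket. Nothing in this file checks it;
 *   every tiki-* script that changes state must compare the submitted
 *   'ticket' with the stored one, otherwise the protection is a no-op.
 * - The ticket must come from an unpredictable source. Its generation
 *   is not part of this file (it is read from the global $ticket).
 * - Putting the ticket in GET links exposes it through Referer headers,
 *   browser history and proxy/server logs. Regenerating it on every
 *   page limits the damage but does not remove the exposure; doing
 *   state changes over POST only would avoid it.
 * - Rewriting HTML with regular expressions is best effort: forms or
 *   links built by JavaScript, attribute values containing '>' or a
 *   quote, and hrefs without a query string are not covered.
 */

/**
 * Smarty output filter: add the anti-CSRF ticket to every form whose
 * action targets a tiki-* script and to every href pointing at a
 * tiki-* script that carries a query string.
 *
 * @param string $source  the fully rendered page
 * @param object $smarty  the Smarty instance; unused here, kept for the
 *                        filter signature
 * @return string         the page with the ticket inserted
 *
 * Reads the global $ticket. When it is unset, an empty ticket is
 * emitted (as before) and the receiving side decides what to do.
 */
function smarty_outputfilter_ticket($source, &$smarty)
{
    global $ticket;

    // Hidden field for <form ... action="...tiki-..."> tags. The ticket
    // is expected to be plain [0-9a-z], but it is a global set elsewhere,
    // so escape it for the attribute context anyway.
    $hidden = '<input type="hidden" name="ticket" value="'
        . htmlspecialchars((string) $ticket, ENT_QUOTES) . '" />';

    // Insert the field right after the opening <form> tag, whatever
    // follows it. (The previous pattern required the next non-blank
    // character to be '<', so a form starting with text got no ticket.)
    // \2 forces the closing quote of action= to match the opening one.
    // addcslashes keeps a '$' or '\' in the ticket from being read as a
    // backreference by preg_replace.
    $source = preg_replace(
        '~(<form\b[^>]*\baction=(["\'])[^"\']*tiki-[^"\']*\2[^>]*>)~si',
        '$1' . addcslashes($hidden, '\\$'),
        $source
    );

    // Links: href="<path containing tiki->?<query>[#fragment]". The
    // callback rebuilds the query with the ticket first and drops any
    // ticket already present, wherever it sits (the old pattern only
    // removed a ticket followed by '&', so "?ticket=old" ended up as
    // "?ticket=new&ticket=old"). hrefs without '?' are deliberately
    // left alone, as before, so tiki-*.css / .js stay cacheable.
    // NOTE(review): if the validator rejects ticket-less tiki-*.php links,
    // the '?' must become optional here - confirm against the validator.
    $source = preg_replace_callback(
        '~href=(["\'])([^"\'?#]*tiki-[^"\'?#]*)\?([^"\'#]*)(#[^"\']*)?\1~si',
        'smarty_outputfilter_ticket_href',
        $source
    );

    return $source;
}

/**
 * preg_replace_callback helper for smarty_outputfilter_ticket().
 *
 * @param array $m  1: quote character, 2: href path (contains "tiki-"),
 *                  3: query string without the '?', 4: "#fragment" if any
 * @return string   the rebuilt href="..." attribute, ticket first
 *
 * Parameters are split on a bare '&' only; a "ticket" parameter that
 * follows an '&amp;' separator is not recognised and is kept. Empty
 * parameters (from "&&" or a trailing '&') are dropped. The separator
 * emitted is a bare '&', as in the original output.
 */
function smarty_outputfilter_ticket_href($m)
{
    global $ticket;

    // rawurlencode makes the value safe inside the URL (no '&', '#',
    // quotes or '%' can survive unencoded).
    $query = 'ticket=' . rawurlencode((string) $ticket);

    // Keep every parameter except an existing ticket, so a page rendered
    // twice does not accumulate tickets.
    $rest = array();
    foreach (explode('&', $m[3]) as $param) {
        if ($param !== '' && strncasecmp($param, 'ticket=', 7) !== 0) {
            $rest[] = $param;
        }
    }
    if (count($rest) > 0) {
        $query .= '&' . implode('&', $rest);
    }

    $fragment = isset($m[4]) ? $m[4] : '';

    return 'href=' . $m[1] . $m[2] . '?' . $query . $fragment . $m[1];
}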