
Commit fe73f9b

VINADES.,JSCvuthao
VINADES.,JSC
authored andcommitted
Fix CSRF for module webtools
1 parent e90846a commit fe73f9b


6 files changed

+72
-67
lines changed


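--- a/admin/webtools/clearsystem.php
+++ b/admin/webtools/clearsystem.php
@@ -39,6 +39,7 @@ function nv_clear_files($dir, $base)
 }
 return $dels;
 }
+$checkss = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $admin_info['userid']);
 
 $xtpl = new XTemplate('clearsystem.tpl', NV_ROOTDIR . '/themes/' . $global_config['module_theme'] . '/modules/' . $module_file);
 $xtpl->assign('NV_BASE_ADMINURL', NV_BASE_ADMINURL);
@@ -47,12 +48,13 @@ function nv_clear_files($dir, $base)
 $xtpl->assign('NV_OP_VARIABLE', NV_OP_VARIABLE);
 $xtpl->assign('OP', $op);
 $xtpl->assign('LANG', $lang_module);
+$xtpl->assign('CHECKSS', $checkss);
 
 if (defined('NV_IS_GODADMIN')) {
 $xtpl->parse('main.godadmin');
 }
 
-if ($nv_Request->isset_request('submit', 'post') and $nv_Request->isset_request('deltype', 'post')) {
+if ($checkss == $nv_Request->get_string('checkss', 'post') and $nv_Request->isset_request('deltype', 'post')) {
 $deltype = $nv_Request->get_typed_array('deltype', 'post', 'string', array());
 
 nv_insert_logs(NV_LANG_DATA, $module_name, $lang_module['clearsystem'], implode(", ", $deltype), $admin_info['userid']);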
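Review bot: The token check on new line 57 compares the expected digest with the submitted value using `==`, which is PHP's loose comparison: two strings that both look numeric (an md5 digest consisting of `0e` followed only by digits is one) are compared as numbers, so distinct digests can compare equal, and the comparison is not constant-time. Use the dedicated helper, `if (hash_equals($checkss, $nv_Request->get_string('checkss', 'post')) and $nv_Request->isset_request('deltype', 'post')) {` (`hash_equals` exists since PHP 5.6; `===` is the minimum fallback if older versions must be supported). The same `==` check appears in config.php (new line 16) and statistics.php (new line 20) and should be changed there as well. A one-line comment above new line 42, such as `// CSRF token bound to the session, module, op and admin id; the form must echo it back in the checkss POST field`, would document what the digest is for. The body of the new `if` continues past the end of the hunk.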

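--- a/admin/webtools/config.php
+++ b/admin/webtools/config.php
@@ -12,9 +12,8 @@
 die('Stop!!!');
 }
 
-$submit = $nv_Request->get_string('submit', 'post');
-
-if ($submit) {
+$checkss = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $admin_info['userid']);
+if ($checkss == $nv_Request->get_string('checkss', 'post')) {
 $array_config_global = array();
 $array_config_global['autocheckupdate'] = $nv_Request->get_int('autocheckupdate', 'post', 0);
 $array_config_global['autoupdatetime'] = $nv_Request->get_int('autoupdatetime', 'post', 24);
@@ -40,6 +39,7 @@
 $xtpl->assign('NV_OP_VARIABLE', NV_OP_VARIABLE);
 $xtpl->assign('OP', $op);
 $xtpl->assign('LANG', $lang_module);
+$xtpl->assign('CHECKSS', $checkss);
 $xtpl->assign('AUTOCHECKUPDATE', ($global_config['autocheckupdate']) ? ' checked="checked"' : '');
 
 for ($i = 1; $i <= 100; ++$i) {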

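--- a/admin/webtools/statistics.php
+++ b/admin/webtools/statistics.php
@@ -16,7 +16,8 @@
 
 $array_config_global = array();
 
-if ($nv_Request->isset_request('submit', 'post')) {
+$checkss = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $admin_info['userid']);
+if ($checkss == $nv_Request->get_string('checkss', 'post')) {
 $array_config_global['online_upd'] = $nv_Request->get_int('online_upd', 'post');
 $array_config_global['statistic'] = $nv_Request->get_int('statistic', 'post');
 $array_config_global['referer_blocker'] = $nv_Request->get_int('referer_blocker', 'post', 0);
@@ -62,6 +63,8 @@
 $xtpl->assign('MODULE_NAME', $module_name);
 $xtpl->assign('NV_OP_VARIABLE', NV_OP_VARIABLE);
 $xtpl->assign('OP', $op);
+$xtpl->assign('CHECKSS', $checkss);
+
 sort($timezone_array);
 foreach ($timezone_array as $site_timezone_i) {
 $xtpl->assign('TIMEZONEOP', $site_timezone_i);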

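--- a/themes/admin_default/modules/webtools/clearsystem.tpl
+++ b/themes/admin_default/modules/webtools/clearsystem.tpl
@@ -1,40 +1,40 @@
 <!-- BEGIN: main -->
 <form action="{NV_BASE_ADMINURL}index.php?{NV_LANG_VARIABLE}={NV_LANG_DATA}&{NV_NAME_VARIABLE}={MODULE_NAME}&amp;{NV_OP_VARIABLE}={OP}" method="post">
 <div class="table-responsive">
-<table class="table table-striped table-bordered table-hover">
-<thead>
-<tr>
-<td><strong>{LANG.checkContent}</strong></td>
-<td><input type="checkbox" value="yes" name="check_all[]" onclick="nv_checkAll(this.form, 'deltype[]', 'check_all[]',this.checked);" /></td>
-</tr>
-</thead>
-<tfoot>
-<tr>
-<td colspan="2" class="text-center"><input type="submit" name="submit" value="{LANG.submit}" class="btn btn-primary"/></td>
-</tr>
-</tfoot>
-<tbody>
-<tr>
-<td><strong>{LANG.clearcache}</strong></td>
-<td><input type="checkbox" value="clearcache" name="deltype[]" onclick="nv_UncheckAll(this.form, 'deltype[]', 'check_all[]', this.checked);" /></td>
-</tr>
-<!-- BEGIN: godadmin -->
-<tr>
-<td><strong>{LANG.clearfiletemp}</strong></td>
-<td><input type="checkbox" value="clearfiletemp" name="deltype[]" onclick="nv_UncheckAll(this.form, 'deltype[]', 'check_all[]', this.checked);" /></td>
-</tr>
-<tr>
-<td><strong>{LANG.clearerrorlogs}</strong></td>
-<td><input type="checkbox" value="clearerrorlogs" name="deltype[]" onclick="nv_UncheckAll(this.form, 'deltype[]', 'check_all[]', this.checked);" /></td>
-</tr>
-<tr>
-<td><strong>{LANG.clearip_logs}</strong></td>
-<td><input type="checkbox" value="clearip_logs" name="deltype[]" onclick="nv_UncheckAll(this.form, 'deltype[]', 'check_all[]', this.checked);" /></td>
-</tr>
-<!-- END: godadmin -->
-</tbody>
-</table>
-</div>
+<table class="table table-striped table-bordered table-hover">
+<thead>
+<tr>
+<td><strong>{LANG.checkContent}</strong></td>
+<td><input type="checkbox" value="yes" name="check_all[]" onclick="nv_checkAll(this.form, 'deltype[]', 'check_all[]',this.checked);" /></td>
+</tr>
+</thead>
+<tfoot>
+<tr>
+<td colspan="2" class="text-center"><input type="hidden" name="checkss" value="{CHECKSS}" /><input type="submit" name="submit" value="{LANG.submit}" class="btn btn-primary"/></td>
+</tr>
+</tfoot>
+<tbody>
+<tr>
+<td><strong>{LANG.clearcache}</strong></td>
+<td><input type="checkbox" value="clearcache" name="deltype[]" onclick="nv_UncheckAll(this.form, 'deltype[]', 'check_all[]', this.checked);" /></td>
+</tr>
+<!-- BEGIN: godadmin -->
+<tr>
+<td><strong>{LANG.clearfiletemp}</strong></td>
+<td><input type="checkbox" value="clearfiletemp" name="deltype[]" onclick="nv_UncheckAll(this.form, 'deltype[]', 'check_all[]', this.checked);" /></td>
+</tr>
+<tr>
+<td><strong>{LANG.clearerrorlogs}</strong></td>
+<td><input type="checkbox" value="clearerrorlogs" name="deltype[]" onclick="nv_UncheckAll(this.form, 'deltype[]', 'check_all[]', this.checked);" /></td>
+</tr>
+<tr>
+<td><strong>{LANG.clearip_logs}</strong></td>
+<td><input type="checkbox" value="clearip_logs" name="deltype[]" onclick="nv_UncheckAll(this.form, 'deltype[]', 'check_all[]', this.checked);" /></td>
+</tr>
+<!-- END: godadmin -->
+</tbody>
+</table>
+</div>
 </form>
 
 <!-- BEGIN: delfile -->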
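Review bot: Only one line of this template changes in substance — the hidden `checkss` input added to the submit cell on line 13 — while the other 33 removed/added pairs (lines 4–12 and 14–37) appear to differ only in leading whitespace (the rendered view strips indentation, so this is inferred from the +34/−34 count against identical text). That buries the security-relevant change in a hunk that rewrites the whole table and makes the commit hard to review or bisect; commit the re-indentation separately, or keep the old indentation so the hunk shows only `<td colspan="2" class="text-center"><input type="hidden" name="checkss" value="{CHECKSS}" /><input type="submit" name="submit" value="{LANG.submit}" class="btn btn-primary"/></td>`. The same applies to the following file section (its header is not shown on this page), where the change on line 9 is accompanied by 26 whitespace-only pairs.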
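--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,31 +1,31 @@
 <!-- BEGIN: main -->
 <form action="{NV_BASE_ADMINURL}index.php?{NV_LANG_VARIABLE}={NV_LANG_DATA}&{NV_NAME_VARIABLE}={MODULE_NAME}&amp;{NV_OP_VARIABLE}={OP}" method="post">
-<div class="table-responsive">
-<table class="table table-striped table-bordered table-hover">
-<col style="width:50%" />
-<col style="width:50%" />
-<tfoot>
-<tr>
-<td class="text-center" colspan="2"><input type="submit" name="submit" value="{LANG.submit}" class="btn btn-primary"/></td>
-</tr>
-</tfoot>
-<tbody>
-<tr>
-<td><strong>{LANG.autocheckupdate}</strong></td>
-<td><input type="checkbox" value="1" name="autocheckupdate" {AUTOCHECKUPDATE} /></td>
-</tr>
-<tr>
-<td><strong>{LANG.updatetime}</strong></td>
-<td>
-<select name="autoupdatetime" class="form-control w100 pull-left">
-<!-- BEGIN: updatetime -->
-<option value="{VALUE}" {SELECTED}>{TEXT} </option>
-<!-- END: updatetime -->
-</select>
-<span class="text-middle">&nbsp;({LANG.hour})</span></td>
-</tr>
-</tbody>
-</table>
-</div>
+<div class="table-responsive">
+<table class="table table-striped table-bordered table-hover">
+<col style="width:50%" />
+<col style="width:50%" />
+<tfoot>
+<tr>
+<td class="text-center" colspan="2"><input type="hidden" name="checkss" value="{CHECKSS}" /><input type="submit" name="submit" value="{LANG.submit}" class="btn btn-primary"/></td>
+</tr>
+</tfoot>
+<tbody>
+<tr>
+<td><strong>{LANG.autocheckupdate}</strong></td>
+<td><input type="checkbox" value="1" name="autocheckupdate" {AUTOCHECKUPDATE} /></td>
+</tr>
+<tr>
+<td><strong>{LANG.updatetime}</strong></td>
+<td>
+<select name="autoupdatetime" class="form-control w100 pull-left">
+<!-- BEGIN: updatetime -->
+<option value="{VALUE}" {SELECTED}>{TEXT} </option>
+<!-- END: updatetime -->
+</select>
+<span class="text-middle">&nbsp;({LANG.hour})</span></td>
+</tr>
+</tbody>
+</table>
+</div>
 </form>
 <!-- END: main -->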

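--- a/themes/admin_default/modules/webtools/statistics.tpl
+++ b/themes/admin_default/modules/webtools/statistics.tpl
@@ -7,7 +7,7 @@
 <table class="table table-striped table-bordered table-hover">
 <tfoot>
 <tr>
-<td colspan="2" class="text-center"><input type="submit" name="submit" value="{LANG.submit}" class="btn btn-primary"/></td>
+<td colspan="2" class="text-center"><input type="hidden" name="checkss" value="{CHECKSS}" /><input type="submit" name="submit" value="{LANG.submit}" class="btn btn-primary"/></td>
 </tr>
 </tfoot>
 <tbody>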
