From: moodler Date: Thu, 2 Jan 2003 14:49:23 +0000 (+0000) Subject: buggy_referer is dead! Long live buggy_referer! X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=36b4f9852ee379e9cb79656ed1b1123ff50bfbd3;p=moodle.git buggy_referer is dead! Long live buggy_referer! Should be fixed now. As a bonus, I've removed all the uses of HTTP_POST_VARS from all scripts. All forms should use the new data_submitted() function to collect form data (it does the match_referer thing internally now). Much nicer. --- diff --git a/admin/auth.php b/admin/auth.php index 13e5dd29e6..ea3da976e1 100644 --- a/admin/auth.php +++ b/admin/auth.php @@ -16,9 +16,7 @@ /// If data submitted, then process and store. - if (match_referer() && isset($HTTP_POST_VARS)) { - - $config = (object)$HTTP_POST_VARS; + if ($config = data_submitted()) { validate_form($config, $err); diff --git a/admin/config.php b/admin/config.php index 67a34d6f0e..48a9b9c1f4 100644 --- a/admin/config.php +++ b/admin/config.php @@ -35,9 +35,7 @@ /// If data submitted, then process and store. - if (match_referer() && isset($HTTP_POST_VARS)) { - - $config = (object)$HTTP_POST_VARS; + if ($config = data_submitted()) { validate_form($config, $err); diff --git a/admin/site.php b/admin/site.php index 201f8f5307..b1bdc50e0d 100644 --- a/admin/site.php +++ b/admin/site.php @@ -11,9 +11,7 @@ /// If data submitted, then process and store. - if (match_referer() && isset($HTTP_POST_VARS)) { - - $form = (object)$HTTP_POST_VARS; + if ($form = data_submitted()) { validate_form($form, $err); diff --git a/course/categories.php b/course/categories.php index 921455003a..07506a07d8 100644 --- a/course/categories.php +++ b/course/categories.php @@ -31,12 +31,12 @@ /// If data submitted, then process and store. - if (match_referer() && isset($HTTP_POST_VARS)) { + if ($form = data_submitted()) { $categories = array(); // Peel out all the data from variable names. - foreach ($HTTP_POST_VARS as $key => $val) { + foreach ($form as $key => $val) { if ($key == "new" and $val != "") { $cat->name = $val; if (!insert_record("course_categories", $cat)) { diff --git a/course/edit.php b/course/edit.php index 2552dc8bae..ce988de873 100644 --- a/course/edit.php +++ b/course/edit.php @@ -31,9 +31,7 @@ /// If data submitted, then process and store. - if (match_referer() && isset($HTTP_POST_VARS)) { - - $form = (object)$HTTP_POST_VARS; + if ($form = data_submitted()) { $form->startdate = make_timestamp($form->startyear, $form->startmonth, $form->startday); diff --git a/course/editsection.php b/course/editsection.php index beae84dcb3..2d2169cf96 100644 --- a/course/editsection.php +++ b/course/editsection.php @@ -23,11 +23,11 @@ /// If data submitted, then process and store. - if (match_referer() && isset($HTTP_POST_VARS)) { + if ($form = data_submitted()) { $timenow = time(); - if (! set_field("course_sections", "summary", $summary, "id", $section->id)) { + if (! set_field("course_sections", "summary", $form->summary, "id", $section->id)) { error("Could not update the summary!"); } diff --git a/course/enrol.php b/course/enrol.php index c321f29ed2..5072a703df 100644 --- a/course/enrol.php +++ b/course/enrol.php @@ -11,9 +11,9 @@ error("That's an invalid course id"); } - if (match_referer() && isset($HTTP_POST_VARS)) { // form submitted + if ($form = data_submitted()) { - if ($password == $course->password) { + if ($form->password == $course->password) { if (isguest()) { add_to_log($course->id, "course", "guest", "view.php?id=$course->id", "$REMOTE_ADDR, $REMOTE_HOST"); diff --git a/course/teachers.php b/course/teachers.php index e9b0c5f6b3..e4e992f5c1 100644 --- a/course/teachers.php +++ b/course/teachers.php @@ -19,12 +19,12 @@ /// If data submitted, then process and store. - if (match_referer() && isset($HTTP_POST_VARS)) { + if ($form = data_submitted()) { $rank = array(); // Peel out all the data from variable names. - foreach ($HTTP_POST_VARS as $key => $val) { + foreach ($form as $key => $val) { if ($key <> "id") { $type = substr($key,0,1); $num = substr($key,1); diff --git a/files/index.php b/files/index.php index 3bcb2aa279..cee36dd0c3 100644 --- a/files/index.php +++ b/files/index.php @@ -83,18 +83,11 @@ $action = ""; } - - if (!match_referer("$baseweb/files/index.php")) { // To stop spoofing - $action="cancel"; - $wdir="/"; - } - if (!$wdir) { $wdir="/"; } - switch ($action) { case "upload": diff --git a/lib/weblib.php b/lib/weblib.php index 51da7cadb3..dc7655adca 100644 --- a/lib/weblib.php +++ b/lib/weblib.php @@ -179,6 +179,30 @@ function match_referer($good_referer = "") { return $good_referer == get_referer(); } +function data_submitted($url="") { +/// Used on most forms in Moodle to check for data +/// Returns the data as an object, if it's found. +/// +/// Checks that submitted POST data exists, and also +/// checks the referer against the given url (it uses +/// the current page if none was specified. + + global $HTTP_POST_VARS, $CFG; + + if (empty($HTTP_POST_VARS)) { + return false; + } else { + if (match_referer($url)) { + return (object)$HTTP_POST_VARS; + } else { + if ($CFG->debug > 10) { + notice("The form did not come from this page! (referer = ".get_referer().")"); + } + return false; + } + } +} + function stri_replace($find, $replace, $string ) { /// This does a search and replace, ignoring case diff --git a/login/change_password.php b/login/change_password.php index d4fbe96192..e9a6071e9f 100644 --- a/login/change_password.php +++ b/login/change_password.php @@ -10,9 +10,7 @@ } } - if (match_referer() && isset($HTTP_POST_VARS)) { - - $frm = (object) $HTTP_POST_VARS; + if ($frm = data_submitted()) { validate_form($frm, $err); diff --git a/login/forgot_password.php b/login/forgot_password.php index 8da98a7be3..94cf72793a 100644 --- a/login/forgot_password.php +++ b/login/forgot_password.php @@ -2,9 +2,7 @@ include("../config.php"); - if (match_referer() && isset($HTTP_POST_VARS)) { - - $frm = (object)$HTTP_POST_VARS; + if ($frm = data_submitted()) { validate_form($frm, $err); diff --git a/login/index.php b/login/index.php index bbaf7d4303..5bb1b83826 100644 --- a/login/index.php +++ b/login/index.php @@ -19,9 +19,8 @@ } - if (match_referer() && isset($HTTP_POST_VARS)) { // form submitted + if ($frm = data_submitted()) { - $frm = (object)$HTTP_POST_VARS; $user = authenticate_user_login($frm->username, $frm->password); update_login_count(); diff --git a/login/signup.php b/login/signup.php index 6911550198..b3fa090b1f 100644 --- a/login/signup.php +++ b/login/signup.php @@ -3,8 +3,7 @@ require("../config.php"); require("../lib/countries.php"); - if (match_referer() && isset($HTTP_POST_VARS)) { - $user = (object) $HTTP_POST_VARS; + if ($user = data_submitted()) { validate_form($user, $err); diff --git a/mod/assignment/submissions.php b/mod/assignment/submissions.php index 42f0be30e8..bd3a9d49fb 100644 --- a/mod/assignment/submissions.php +++ b/mod/assignment/submissions.php @@ -70,12 +70,13 @@ /// If data is being submitted, then process it - if (match_referer() && isset($HTTP_POST_VARS)) { + if ($data = data_submitted()) { $feedback = array(); + $data = (array)$data; // Peel out all the data from variable names. - foreach ($HTTP_POST_VARS as $key => $val) { + foreach ($data as $key => $val) { if ($key <> "id") { $type = substr($key,0,1); $num = substr($key,1); diff --git a/mod/choice/view.php b/mod/choice/view.php index 8dd8a54d4d..ddc66da931 100644 --- a/mod/choice/view.php +++ b/mod/choice/view.php @@ -26,8 +26,7 @@ $answerchecked[$current->answer] = "CHECKED"; } - if (match_referer() && isset($HTTP_POST_VARS)) { // form submitted - $form = (object)$HTTP_POST_VARS; + if ($form = data_submitted()) { $timenow = time(); if ($current) { $newanswer = $current; diff --git a/mod/forum/post.php b/mod/forum/post.php index 3b9ed91c54..7109ed734a 100644 --- a/mod/forum/post.php +++ b/mod/forum/post.php @@ -10,8 +10,7 @@ error(get_string("noguestpost", "forum"), $HTTP_REFERER); } - if (match_referer() && isset($HTTP_POST_VARS)) { // form submitted - $post = (object)$HTTP_POST_VARS; + if ($post = data_submitted()) { $post->subject = strip_tags($post->subject); // Strip all tags $post->message = clean_text($post->message, $post->format); // Clean up any bad tags diff --git a/mod/journal/edit.php b/mod/journal/edit.php index 9cc792b430..63900492f3 100644 --- a/mod/journal/edit.php +++ b/mod/journal/edit.php @@ -27,17 +27,17 @@ /// If data submitted, then process and store. - if (match_referer() && isset($HTTP_POST_VARS)) { + if ($form = data_submitted()) { $timenow = time(); - $text = clean_text($text, $format); + $form->text = clean_text($form->text, $form->format); if ($entry) { $newentry->id = $entry->id; - $newentry->text = $text; + $newentry->text = $form->text; + $newentry->format = $form->format; $newentry->modified = $timenow; - $newentry->format = $format; if (! update_record("journal_entries", $newentry)) { error("Could not update your journal"); } @@ -45,9 +45,9 @@ } else { $newentry->userid = $USER->id; $newentry->journal = $journal->id; + $newentry->text = $form->text; + $newentry->format = $form->format; $newentry->modified = $timenow; - $newentry->text = $text; - $newentry->format = $format; if (! $newentry->id = insert_record("journal_entries", $newentry)) { error("Could not insert a new journal entry"); } diff --git a/mod/journal/report.php b/mod/journal/report.php index 808975461d..87d9e38da9 100644 --- a/mod/journal/report.php +++ b/mod/journal/report.php @@ -41,12 +41,13 @@ id>$journal->name -> Responses", "", "", true); - if (match_referer() && isset($HTTP_POST_VARS)) { // Feedback submitted + if ($data = data_submitted()) { $feedback = array(); + $data = (array)$data; // Peel out all the data from variable names. - foreach ($HTTP_POST_VARS as $key => $val) { + foreach ($data as $key => $val) { if ($key <> "id") { $type = substr($key,0,1); $num = substr($key,1); diff --git a/mod/quiz/attempt.php b/mod/quiz/attempt.php index a383175654..e7658b2adc 100644 --- a/mod/quiz/attempt.php +++ b/mod/quiz/attempt.php @@ -73,10 +73,11 @@ $available = ($quiz->timeopen < $timenow and $timenow < $quiz->timeclose); /// Check to see if they are submitting answers - if (match_referer() && isset($HTTP_POST_VARS)) { + if ($rawanswers = data_submitted()) { add_to_log($course->id, "quiz", "submit", "attempt.php?id=$cm->id", "$quiz->id"); - $rawanswers = $HTTP_POST_VARS; + $rawanswers = (array)$rawanswers; + unset($rawanswers["q"]); // quiz id if (! count($rawanswers)) { print_heading(get_string("noanswers", "quiz")); diff --git a/mod/quiz/category.php b/mod/quiz/category.php index eb55e6521b..dcc9038659 100644 --- a/mod/quiz/category.php +++ b/mod/quiz/category.php @@ -88,9 +88,9 @@ /// If data submitted, then process and store. - if (match_referer() && isset($HTTP_POST_VARS)) { + if ($form = data_submitted()) { - $form = $HTTP_POST_VARS; + $form = (array)$form; // Peel out all the data from variable names. foreach ($form as $key => $val) { diff --git a/mod/quiz/edit.php b/mod/quiz/edit.php index 511055b118..65fce5a20e 100644 --- a/mod/quiz/edit.php +++ b/mod/quiz/edit.php @@ -9,8 +9,9 @@ $destination = ""; } - if (match_referer($destination) && isset($course) && isset($HTTP_POST_VARS)) { // form submitted from mod.html - $modform = (object)$HTTP_POST_VARS; + $modform = data_submitted($destination); + + if ($modform and !empty($modform->course)) { // form submitted from mod.html if (empty($modform->name) or empty($modform->intro)) { error(get_string("filloutallfields"), $HTTP_REFERER); diff --git a/mod/quiz/question.php b/mod/quiz/question.php index 1806adfa97..2fa064c394 100644 --- a/mod/quiz/question.php +++ b/mod/quiz/question.php @@ -94,10 +94,8 @@ } } - if (match_referer() and isset($HTTP_POST_VARS)) { // question submitted + if ($form = data_submitted()) { - $form = (object)$HTTP_POST_VARS; - // First, save the basic question itself $question->name = $form->name; $question->questiontext = $form->questiontext; diff --git a/mod/resource/details.php b/mod/resource/details.php index 36de44678a..d1cd83ead1 100644 --- a/mod/resource/details.php +++ b/mod/resource/details.php @@ -7,8 +7,7 @@ $usehtmleditor = can_use_richtext_editor(); - if (match_referer("$destination") && isset($HTTP_POST_VARS)) { // form submitted - $form = (object)$HTTP_POST_VARS; + if ($form = data_submitted($destination)) { if (! $course = get_record("course", "id", $form->course)) { error("This course doesn't exist"); diff --git a/mod/survey/details.php b/mod/survey/details.php index 5a0625400a..aab504a987 100644 --- a/mod/survey/details.php +++ b/mod/survey/details.php @@ -2,8 +2,7 @@ require("../../config.php"); - if (match_referer("$destination") && isset($HTTP_POST_VARS)) { // form submitted - $form = (object)$HTTP_POST_VARS; + if ($form = data_submitted($destination)) { if (! $course = get_record("course", "id", $form->course)) { error("This course doesn't exist"); diff --git a/user/edit.php b/user/edit.php index 011bc2cdc5..8ff2dc1e40 100644 --- a/user/edit.php +++ b/user/edit.php @@ -42,9 +42,7 @@ /// If data submitted, then process and store. - if (match_referer() && isset($HTTP_POST_VARS)) { - - $usernew = (object)$HTTP_POST_VARS; + if ($usernew = data_submitted()) { $usernew->firstname = strip_tags($usernew->firstname); $usernew->lastname = strip_tags($usernew->lastname);