From: garvinhicking <garvinhicking>
Date: Thu, 20 Apr 2006 13:59:12 +0000 (+0000)
Subject: fix possible xsrf in entry manager
X-Git-Tag: 1.0~39
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=6d7a4ee2864f09938699d550114fdca096b04dbf;p=s9y.git

fix possible xsrf in entry manager
---

diff --git a/docs/NEWS b/docs/NEWS
index 49bba2c..d44d5df 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,6 +3,9 @@
 Version 1.0 ()
 ------------------------------------------------------------------------
 
+   * Fix another (minor) XSRF for entry manager, thanks to Geoff Johnson
+     (garvinhicking)
+
    * Support "Force Feedburner" option to the syndication plugin to
      let rss.php only be accessible to feedburner and no clients.
      (garvinhicking)
diff --git a/include/admin/entries.inc.php b/include/admin/entries.inc.php
index c7fe843..1430a4f 100644
--- a/include/admin/entries.inc.php
+++ b/include/admin/entries.inc.php
@@ -255,7 +255,7 @@ function serendipity_drawList() {
                         </td>
                         <td align="right">
                             <a href="?serendipity[action]=admin&amp;serendipity[adminModule]=entries&amp;serendipity[adminAction]=edit&amp;serendipity[id]=<?php echo $entry['id']; ?>" title="<?php echo EDIT . ' #' . $entry['id']; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/edit.png'); ?>" alt="<?php echo EDIT; ?>" /><?php echo EDIT ?></a>
-                            <a href="?serendipity[action]=admin&amp;serendipity[adminModule]=entries&amp;serendipity[adminAction]=delete&amp;serendipity[id]=<?php echo $entry['id']; ?>" title="<?php echo DELETE . ' #' . $entry['id']; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE; ?>" /><?php echo DELETE ?></a>
+                            <a href="?<?php echo serendipity_setFormToken('url'); ?>&amp;serendipity[action]=admin&amp;serendipity[adminModule]=entries&amp;serendipity[adminAction]=delete&amp;serendipity[id]=<?php echo $entry['id']; ?>" title="<?php echo DELETE . ' #' . $entry['id']; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE; ?>" /><?php echo DELETE ?></a>
                         </td>
                     </tr>
                 </table>
@@ -437,8 +437,11 @@ switch($serendipity['GET']['adminAction']) {
         break;
 
     case 'doDelete':
-        serendipity_deleteEntry($serendipity['GET']['id']);
-        printf(RIP_ENTRY, $serendipity['GET']['id']);
+        if (!serendipity_checkFormToken()) {
+            break;
+        }
+        serendipity_deleteEntry((int)$serendipity['GET']['id']);
+        printf(RIP_ENTRY, (int)$serendipity['GET']['id']);
         echo '<br />';
 
     case 'editSelect':
@@ -446,13 +449,16 @@ switch($serendipity['GET']['adminAction']) {
         break;
 
     case 'delete':
-        $newLoc = '?serendipity[action]=admin&amp;serendipity[adminModule]=entries&amp;serendipity[adminAction]=doDelete&amp;serendipity[id]=' . $serendipity['GET']['id'];
-        printf(DELETE_SURE, $serendipity['GET']['id']);
+        if (!serendipity_checkFormToken()) {
+            break;
+        }
+        $newLoc = '?' . serendipity_setFormToken('url') . '&amp;serendipity[action]=admin&amp;serendipity[adminModule]=entries&amp;serendipity[adminAction]=doDelete&amp;serendipity[id]=' . (int)$serendipity['GET']['id'];
+        printf(DELETE_SURE, (int)$serendipity['GET']['id']);
 ?>
 <br />
 <br />
 <div>
-    <a href="<?php echo $_SERVER["HTTP_REFERER"]; ?>" class="serendipityPrettyButton"><?php echo NOT_REALLY; ?></a>
+    <a href="<?php echo htmlspecialchars($_SERVER["HTTP_REFERER"]); ?>" class="serendipityPrettyButton"><?php echo NOT_REALLY; ?></a>
     <?php echo str_repeat('&nbsp;', 10); ?>
     <a href="<?php echo $newLoc; ?>" class="serendipityPrettyButton"><?php echo DUMP_IT; ?></a>
 </div>