Mirrors
/
postfixadmin
mirror of https://github.com/postfixadmin/postfixadmin.git
3
0
Fork 0
Code Releases Activity
Browse Source

delete.php: 

- require token for CSRF protection, see
  https://sourceforge.net/p/postfixadmin/bugs/269/

login.php, users/login.php:
- create token and store it in $_SESSION

templates/*:
- add token to all delete.php links

templates/list-virtual_alias_domain.tpl:
- change delete confirmation dialog to contain "from->target"


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1564 a1433add-5e2c-0410-b055-b7f2511e0802
pull/2/head
Christian Boltz 12 years ago
parent
4847173755
commit
1a79b2798e
9 changed files with 16 additions and 6 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      delete.php
  2. 2
      login.php
  3. 3
      templates/adminlistadmin.tpl
  4. 3
      templates/adminlistdomain.tpl
  5. 3
      templates/fetchmail.tpl
  6. 2
      templates/list-virtual_alias.tpl
  7. 3
      templates/list-virtual_alias_domain.tpl
  8. 3
      templates/list-virtual_mailbox.tpl
  9. 1
      users/login.php

2
delete.php
View File

@ -19,6 +19,8 @@
require_once('common.php');
if (safeget('token') != $_SESSION['PFA_token']) die('Invalid token!');
$username = authentication_get_username(); # enforce login
$id = safeget('delete');

2
login.php
View File

@ -53,6 +53,8 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
$_SESSION['sessid']['roles'][] = 'admin';
$_SESSION['sessid']['username'] = $fUsername;
$_SESSION['PFA_token'] = md5(uniqid(rand(), true));
# they've logged in, so see if they are a domain admin, as well.
if (!$h->init($fUsername)) {

3
templates/adminlistadmin.tpl
View File

@ -20,7 +20,8 @@
<td>{$admin.modified}</td>
<td><a href="{#url_edit_admin#}&amp;edit={$admin.username|escape:"url"}&amp;active={if ($admin.active==0)}1{else}0{/if}">{$admin._active}</a></td>
<td><a href="{#url_edit_admin#}&edit={$admin.username|escape:"url"}">{$PALANG.edit}</a></td>
<td><a href="{#url_delete#}?table=admin&amp;delete={$admin.username|escape:"url"}" onclick="return confirm ('{$PALANG.confirm}{$PALANG.admin}: {$admin.username}');">{$PALANG.del}</a></td>
<td><a href="{#url_delete#}?table=admin&amp;delete={$admin.username|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
onclick="return confirm ('{$PALANG.confirm}{$PALANG.admin}: {$admin.username}');">{$PALANG.del}</a></td>
</tr>
{/foreach}
</table>

3
templates/adminlistdomain.tpl
View File

@ -35,7 +35,8 @@
<td>{$domain.modified}</td>
<td><a href="{#url_edit_domain#}&amp;edit={$domain.domain|escape:"url"}&amp;active={if ($domain.active==0)}1{else}0{/if}">{$domain._active}</a></td>
<td><a href="{#url_edit_domain#}&amp;edit={$domain.domain|escape:"url"}">{$PALANG.edit}</a></td>
<td><a href="{#url_delete#}?table=domain&amp;delete={$domain.domain|escape:"url"}" onclick="return confirm ('{$PALANG.confirm_domain}{$PALANG.domain}: {$domain.domain}')">{$PALANG.del}</a></td>
<td><a href="{#url_delete#}?table=domain&amp;delete={$domain.domain|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
onclick="return confirm ('{$PALANG.confirm_domain}{$PALANG.domain}: {$domain.domain}')">{$PALANG.del}</a></td>
</tr>
{/foreach}
</table>

3
templates/fetchmail.tpl
View File

@ -39,7 +39,8 @@
<td nowrap="nowrap">{$row.date}&nbsp;</td>
<td nowrap="nowrap">{$row.returned_text}--x--&nbsp;</td> <!-- Inhalt mit if auswerten! -->
<td><a href="fetchmail.php?edit={$row.id|escape:"url"}">{$PALANG.edit}</a></td>
<td><a href="fetchmail.php?delete={$row.id|escape:"url"}" onclick="return confirm('{$PALANG.confirm}{$PALANG.pMenu_fetchmail}:{$row.src_user}@{$row.src_server}')">{$PALANG.del}</a></td>
<td><a href="fetchmail.php?delete={$row.id|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
onclick="return confirm('{$PALANG.confirm}{$PALANG.pMenu_fetchmail}:{$row.src_user}@{$row.src_server}')">{$PALANG.del}</a></td>
</tr>
{/foreach}
{/if}

2
templates/list-virtual_alias.tpl
View File

@ -40,7 +40,7 @@
<td><a href="{#url_create_alias#}&amp;edit={$item.address|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}"
>{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
<td><a href="{#url_create_alias#}&amp;edit={$item.address|escape:"url"}">{$PALANG.edit}</a></td>
<td><a href="delete.php?table=alias&amp;delete={$item.address|escape:"url"}"
<td><a href="delete.php?table=alias&amp;delete={$item.address|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
onclick="return confirm ('{$PALANG.confirm}{$PALANG.aliases}: {$item.address}');">{$PALANG.del}</a></td>
{else}
<td>{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</td>

3
templates/list-virtual_alias_domain.tpl
View File

@ -32,7 +32,8 @@
<td>{$item.modified}</td>
<td><a href="{#url_create_alias_domain#}&amp;edit={$item.alias_domain|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}">{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
<td><a href="{#url_create_alias_domain#}&amp;edit={$item.alias_domain|escape:"url"}">{$PALANG.edit}</a></td>
<td><a href="{#url_delete#}?table=aliasdomain&amp;delete={$item.alias_domain|escape:"url"}" onclick="return confirm ('{$PALANG.confirm}{$PALANG.pOverview_get_alias_domains}: {$item.alias_domain}');">{$PALANG.del}</a></td>
<td><a href="{#url_delete#}?table=aliasdomain&amp;delete={$item.alias_domain|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
onclick="return confirm ('{$PALANG.confirm}{$PALANG.pOverview_get_alias_domains}: {$item.alias_domain} -&gt; {$item.target_domain}');">{$PALANG.del}</a></td>
</tr>
{/foreach}
{/if}

3
templates/list-virtual_mailbox.tpl
View File

@ -87,7 +87,8 @@
<td><a href="edit.php?table=alias&amp;edit={$item.username|escape:"url"}">{$PALANG.alias}</a></td>
{/if}
<td><a href="edit.php?table=mailbox&amp;edit={$item.username|escape:"url"}">{$PALANG.edit}</a></td>
<td><a href="delete.php?table=mailbox&amp;delete={$item.username|escape:"url"}" onclick="return confirm ('{$PALANG.confirm}{$PALANG.mailboxes}: {$item.username}');">{$PALANG.del}</a></td>
<td><a href="delete.php?table=mailbox&amp;delete={$item.username|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
onclick="return confirm ('{$PALANG.confirm}{$PALANG.mailboxes}: {$item.username}');">{$PALANG.del}</a></td>
</tr>
{/foreach}
</table>

1
users/login.php
View File

@ -48,6 +48,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
$_SESSION['sessid']['roles'] = array();
$_SESSION['sessid']['roles'][] = 'user';
$_SESSION['sessid']['username'] = $fUsername;
$_SESSION['PFA_token'] = md5(uniqid(rand(), true));
header("Location: main.php");
exit;
}

Write Preview
Loading…
Cancel
Save