From 8362ed49f019f75c3358060fd87b6539af22b59c Mon Sep 17 00:00:00 2001
From: Seth
Date: Sat, 25 Sep 2021 13:38:34 -0400
Subject: [PATCH] Add CSRF to batch forms

---
 app/controllers/batch/EditorController.php | 6 +++++-
 app/controllers/batch/MediaImportController.php | 6 +++++-
 app/controllers/batch/MetadataImportController.php | 6 +++++-
 .../default/views/batch/mediaimport/import_options_html.php | 4 ++--
 .../views/batch/metadataimport/importer_run_html.php | 4 ++--
 5 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/app/controllers/batch/EditorController.php b/app/controllers/batch/EditorController.php
index 8e6752656f..c0acd86162 100644
--- a/app/controllers/batch/EditorController.php
+++ b/app/controllers/batch/EditorController.php
@@ -7,7 +7,7 @@
 * ----------------------------------------------------------------------
 *
 * Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2012-2013 Whirl-i-Gig
+ * Copyright 2012-2021 Whirl-i-Gig
 *
 * For more information visit http://www.CollectiveAccess.org
 *
@@ -112,6 +112,10 @@ public function Edit($pa_values=null, $pa_options=null) {
 * @param array $pa_options Array of options passed through to _initView and saveBundlesForScreen()
 */
 public function Save($pa_options=null) {
+ if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+ $this->Edit();
+ return;
+ }
 if (!is_array($pa_options)) { $pa_options = array(); }
 list($vn_set_id, $t_set, $t_subject, $t_ui) = $this->_initView($pa_options);
diff --git a/app/controllers/batch/MediaImportController.php b/app/controllers/batch/MediaImportController.php
index 86b23765d0..e5b3307370 100644
--- a/app/controllers/batch/MediaImportController.php
+++ b/app/controllers/batch/MediaImportController.php
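Review bot: The rejection branch in Save() re-renders the editor via `$this->Edit();` and returns normally, so a request that fails the CSRF check gets the same 200 response as an ordinary page load and cannot be told apart at the HTTP layer; unless caValidateCSRFToken() records the failure itself (not visible in this patch), the rejection should be logged where request audits are reviewed. The same four-line guard, with `$this->Index()` as the fallback, is repeated in MediaImportController::Save and MetadataImportController::ImportData; a single check in the batch controllers' shared base or a pre-dispatch hook would keep the three in step as further batch actions are added. Edit() accepts `$pa_values`, yet the fallback passes nothing, so whatever the user submitted is discarded on re-render — confirm that is intended rather than forwarding the posted values. Save()'s body continues outside the hunk.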
@@ -7,7 +7,7 @@
 * ----------------------------------------------------------------------
 *
 * Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2012-2015 Whirl-i-Gig
+ * Copyright 2012-2021 Whirl-i-Gig
 *
 * For more information visit http://www.CollectiveAccess.org
 *
@@ -207,6 +207,10 @@ public function Index($pa_values=null, $pa_options=null) {
 * @param array $pa_options Array of options passed through to _initView and saveBundlesForScreen()
 */
 public function Save($pa_options=null) {
+ if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+ $this->Index();
+ return;
+ }
 global $g_ui_locale_id;
 if (!is_array($pa_options)) { $pa_options = array(); }
diff --git a/app/controllers/batch/MetadataImportController.php b/app/controllers/batch/MetadataImportController.php
index cb903a2908..a5eb76eeeb 100644
--- a/app/controllers/batch/MetadataImportController.php
+++ b/app/controllers/batch/MetadataImportController.php
@@ -7,7 +7,7 @@
 * ----------------------------------------------------------------------
 *
 * Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2012-2016 Whirl-i-Gig
+ * Copyright 2012-2021 Whirl-i-Gig
 *
 * For more information visit http://www.CollectiveAccess.org
 *
@@ -161,6 +161,10 @@ public function Run() {
 *
 */
 public function ImportData() {
+ if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+ $this->Index();
+ return;
+ }
 global $g_ui_locale_id;
 $t_importer = $this->getImporterInstance();
diff --git a/themes/default/views/batch/mediaimport/import_options_html.php b/themes/default/views/batch/mediaimport/import_options_html.php
index 780dc20ae7..5ed33111b7 100644
--- a/themes/default/views/batch/mediaimport/import_options_html.php
+++ b/themes/default/views/batch/mediaimport/import_options_html.php
@@ -7,7 +7,7 @@
 * ----------------------------------------------------------------------
 *
 * Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2012-2015 Whirl-i-Gig
+ * Copyright 2012-2021 Whirl-i-Gig
 *
 * For more information visit http://www.CollectiveAccess.org
 *
@@ -49,7 +49,7 @@
request, 'Save/'.$this->request->getActionExtra(), 'caBatchMediaImportForm', null, 'POST', 'multipart/form-data', '_top', array('noCSRFToken' => true, 'disableUnsavedChangesWarning' => true, 'noTimestamp' => true));
+ print caFormTag($this->request, 'Save/'.$this->request->getActionExtra(), 'caBatchMediaImportForm', null, 'POST', 'multipart/form-data', '_top', array('noCSRFToken' => false, 'disableUnsavedChangesWarning' => true, 'noTimestamp' => true));
 print caHTMLHiddenInput('import_target', array('value' => $this->getVar('import_target'))); ?>
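Review bot: Flipping `'noCSRFToken' => true` to `'noCSRFToken' => false` in the caFormTag() call makes the token appear, but it reads as a leftover toggle rather than a stated requirement; if `false` is already caFormTag()'s default (not visible in this patch) the key should simply be removed, otherwise a short comment such as `// CSRF token required: validated by MediaImportController::Save()` keeps the view and the controller-side check visibly paired. The same applies to the caBatchMetadataImportForm tag in importer_run_html.php, whose token is checked in MetadataImportController::ImportData. The removed line in this hunk is only partly visible, so the `<?php` opening and any other context of the form block could not be reviewed here.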
diff --git a/themes/default/views/batch/metadataimport/importer_run_html.php b/themes/default/views/batch/metadataimport/importer_run_html.php
index 38967297ee..eeb1f626c6 100644
--- a/themes/default/views/batch/metadataimport/importer_run_html.php
+++ b/themes/default/views/batch/metadataimport/importer_run_html.php
@@ -7,7 +7,7 @@
 * ----------------------------------------------------------------------
 *
 * Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2013-2016 Whirl-i-Gig
+ * Copyright 2013-2021 Whirl-i-Gig
 *
 * For more information visit http://www.CollectiveAccess.org
 *
@@ -38,7 +38,7 @@ ?>
request, 'ImportData/'.$this->request->getActionExtra(), 'caBatchMetadataImportForm', null, 'POST', 'multipart/form-data', '_top', array('noCSRFToken' => true, 'disableUnsavedChangesWarning' => true, 'noTimestamp' => true));
+ print caFormTag($this->request, 'ImportData/'.$this->request->getActionExtra(), 'caBatchMetadataImportForm', null, 'POST', 'multipart/form-data', '_top', array('noCSRFToken' => false, 'disableUnsavedChangesWarning' => true, 'noTimestamp' => true)); ?>