

Batch actions are sent as post instead of get to prevent malicious us…
…ers from sending an action url to an admin user
ignacionelson committed Jan 6, 2022
1 parent 328dfa8 commit afc564d
Showing 23 changed files with 356 additions and 310 deletions.
84 changes: 42 additions & 42 deletions actions-log.php
Expand Up @@ -14,50 +14,50 @@
$page_title = __('Recent activities log','cftp_admin');

include_once ADMIN_VIEWS_DIR . DS . 'header.php';
?>
<div class="row">
<div class="col-xs-12">
<?php
/**
* Apply the corresponding action to the selected users.
*/
if (isset($_GET['action']) && $_GET['action'] != 'none') {
/** Continue only if 1 or more users were selected. */
switch($_GET['action']) {
case 'delete':
$current_url = get_form_action_with_existing_parameters(basename(__FILE__));

$selected_actions = $_GET['batch'];
$delete_ids = implode( ',', $selected_actions );
/**
* Apply the corresponding action to the selected users.
*/
if (isset($_POST['action']) && $_POST['action'] != 'none') {
/** Continue only if 1 or more users were selected. */
switch ($_POST['action']) {
case 'delete':
$selected_actions = $_POST['batch'];
$delete_ids = implode( ',', $selected_actions );

if ( !empty( $_GET['batch'] ) ) {
$statement = $dbh->prepare("DELETE FROM " . TABLE_LOG . " WHERE FIND_IN_SET(id, :delete)");
$params = array(
':delete' => $delete_ids,
);
$statement->execute( $params );

$msg = __('The selected activities were deleted.','cftp_admin');
echo system_message('success',$msg);
}
else {
$msg = __('Please select at least one activity.','cftp_admin');
echo system_message('danger',$msg);
}
break;
case 'log_clear':
$keep = '5,6,7,8,37';
$statement = $dbh->prepare("DELETE FROM " . TABLE_LOG . " WHERE NOT ( FIND_IN_SET(action, :keep) ) ");
$params = array(
':keep' => $keep,
);
$statement->execute( $params );
if ( !empty( $_POST['batch'] ) ) {
$statement = $dbh->prepare("DELETE FROM " . TABLE_LOG . " WHERE FIND_IN_SET(id, :delete)");
$params = array(
':delete' => $delete_ids,
);
$statement->execute( $params );

$msg = __('The log was cleared. Only data used for statistics remained. You can delete them manually if you want.','cftp_admin');
echo system_message('success',$msg);
break;
}
}
$flash->success(__('The selected activities were deleted.', 'cftp_admin'));
}
else {
$flash->error(__('Please select at least one activity.', 'cftp_admin'));
}
break;
case 'log_clear':
$keep = '5,6,7,8,37';
$statement = $dbh->prepare("DELETE FROM " . TABLE_LOG . " WHERE NOT ( FIND_IN_SET(action, :keep) ) ");
$params = array(
':keep' => $keep,
);
$statement->execute( $params );

$flash->success(__('The log was cleared. Only data used for statistics remained. You can delete them manually if you want.', 'cftp_admin'));
echo system_message('success',$msg);
break;
}

ps_redirect($current_url);
}
?>
<div class="row">
<div class="col-xs-12">
<?php
$params = array();

/**
Expand Down Expand Up @@ -144,8 +144,8 @@
</div>
</div>

<form action="actions-log.php" name="actions_list" method="get" class="form-inline batch_actions">
<?php form_add_existing_parameters(); ?>
<form action="<?php echo $current_url; ?>" name="actions_list" method="post" class="form-inline batch_actions">
<?php addCsrf(); ?>
<div class="form_actions_right">
<div class="form_actions">
<div class="form_actions_submit">
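Review bot: In the new `log_clear` branch, `echo system_message('success',$msg);` survives directly after the `$flash->success(...)` call, but the new code never assigns `$msg`, so that line emits an undefined-variable notice and a blank message just before the redirect; drop it, as the `delete` branch already does. I also don't see `$current_url` assigned on the new side of this file — the old code set it inside the `delete` case (`$current_url = get_form_action_with_existing_parameters(basename(__FILE__));`) while categories.php and clients.php add that line right after the header include; unless it is set earlier in this file or by header.php, `ps_redirect($current_url)` and the form's `action` attribute are empty here. Since the point of the commit is to stop a crafted URL from triggering an admin action, the handler should also verify the token that `addCsrf()` emits before acting on `$_POST['action']`; no check is visible in this hunk, so if it is not done centrally before this point the POST is still forgeable. Finally, `<form action="<?php echo $current_url; ?>">` prints the URL unescaped into an attribute; if `get_form_action_with_existing_parameters()` carries raw `$_GET` parameters through, wrap it as `htmlspecialchars($current_url, ENT_QUOTES, 'UTF-8')`.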
47 changes: 24 additions & 23 deletions categories.php
Expand Up @@ -16,6 +16,7 @@
$page_id = 'categories_list';

include_once ADMIN_VIEWS_DIR . DS . 'header.php';
$current_url = get_form_action_with_existing_parameters(basename(__FILE__));

/**
* Messages set when adding or editing a category
Expand All @@ -40,32 +41,32 @@
/**
* Apply the corresponding action to the selected categories.
*/
if ( isset( $_GET['action'] ) ) {
if ( $_GET['action'] != 'none' ) {
if ( isset( $_POST['action'] ) ) {
if ( $_POST['action'] != 'none' ) {
/** Continue only if 1 or more categories were selected. */
if ( !empty($_GET['batch'] ) ) {
if ( !empty($_POST['batch'] ) ) {
/**
* Make a list of categories to avoid individual queries.
*/
$selected_categories = $_GET['batch'];
$selected_categories = $_POST['batch'];

if (count($selected_categories) < 1 ) {
$msg = __('Please select at least one category.','cftp_admin');
echo system_message('danger',$msg);
}

switch($_GET['action']) {
case 'delete':
foreach ($selected_categories as $category_id) {
$category = new \ProjectSend\Classes\Categories();
$category->get($category_id);
$delete_category = $category->delete();
}

$msg = __('The selected categories were deleted.','cftp_admin');
echo system_message('success',$msg);
$flash->error(__('Please select at least one category.', 'cftp_admin'));
} else {
switch ($_POST['action']) {
case 'delete':
foreach ($selected_categories as $category_id) {
$category = new \ProjectSend\Classes\Categories();
$category->get($category_id);
$delete_category = $category->delete();
}

$flash->success(__('The selected categories were deleted.', 'cftp_admin'));
break;
}
}

ps_redirect($current_url);
}
}
}
Expand Down Expand Up @@ -184,8 +185,8 @@
</div>
</div>

<form action="categories.php" class="form-inline batch_actions" name="selected_categories" id="selected_categories" method="get">

<form action="<?php echo $current_url; ?>" class="form-inline batch_actions" name="selected_categories" id="selected_categories" method="post">
<?php addCsrf(); ?>
<div class="form_actions_right form-inline">
<div class="form_actions">
<div class="form_actions_submit">
Expand All @@ -194,9 +195,9 @@
<select name="action" id="action" class="txtfield form-control">
<?php
$actions_options = array(
'none' => __('Select action','cftp_admin'),
'delete' => __('Delete','cftp_admin'),
);
'none' => __('Select action','cftp_admin'),
'delete' => __('Delete','cftp_admin'),
);
foreach ( $actions_options as $val => $text ) {
?>
<option value="<?php echo $val; ?>"><?php echo $text; ?></option>
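Review bot: The new `else` branch around the `switch` hinges on `count($selected_categories) < 1`, which can never be true once `!empty($_POST['batch'])` has passed for an array, while a scalar `batch` value in a crafted POST (e.g. `batch=1`) now reaches `count()` on a string, which throws a `TypeError` on PHP 8. Guard on the shape before counting: `$selected_categories = is_array($_POST['batch']) ? $_POST['batch'] : [];` and keep the existing `count(...) < 1` error path for the empty case. The ids are then handed to `Categories->get()` untouched; casting them first with `array_map('intval', $selected_categories)` keeps the loop from passing arbitrary strings to the model if `get()` does not validate on its own. The `if ( isset( $_POST['action'] ) )` handler opens inside this hunk but its closing braces run on past the visible lines, so the surrounding scope is only partially visible.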
2 changes: 1 addition & 1 deletion clients-membership-requests.php
Expand Up @@ -167,7 +167,7 @@
</div>

<form action="<?php echo $this_page; ?>" name="requests_list" method="post" class="form-inline batch_actions">
<input type="hidden" name="csrf_token" value="<?php echo getCsrfToken(); ?>" />
<?php addCsrf(); ?>
<input type="hidden" name="denied" value="<?php echo (isset($_GET['denied']) && is_numeric($_GET['denied'])) ? $_GET['denied'] : 0; ?>" />

<?php form_add_existing_parameters(); ?>
2 changes: 1 addition & 1 deletion clients-requests.php
Expand Up @@ -218,7 +218,7 @@
</div>

<form action="<?php echo $this_page; ?>" name="clients_list" method="post" class="form-inline batch_actions">
<input type="hidden" name="csrf_token" value="<?php echo getCsrfToken(); ?>" />
<?php addCsrf(); ?>

<?php form_add_existing_parameters(); ?>
<div class="form_actions_right">
120 changes: 60 additions & 60 deletions clients.php
Expand Up @@ -13,68 +13,68 @@

$page_title = __('Clients Administration','cftp_admin');
include_once ADMIN_VIEWS_DIR . DS . 'header.php';
?>
<div class="row">
<div class="col-xs-12">
<?php
/**
* Apply the corresponding action to the selected clients.
*/
if(isset($_GET['action'])) {
/** Continue only if 1 or more clients were selected. */
if(!empty($_GET['batch'])) {
$selected_clients = $_GET['batch'];

switch($_GET['action']) {
case 'activate':
/**
* Changes the value on the "active" column value on the database.
* Inactive clients are not allowed to log in.
*/
foreach ($selected_clients as $work_client) {
$this_client = new \ProjectSend\Classes\Users();
if ($this_client->get($work_client)) {
$hide_user = $this_client->setActiveStatus(1);
}
}

$msg = __('The selected clients were marked as active.','cftp_admin');
echo system_message('success',$msg);
break;
case 'deactivate':
/**
* Reverse of the previous action. Setting the value to 0 means
* that the client is inactive.
*/
foreach ($selected_clients as $work_client) {
$this_client = new \ProjectSend\Classes\Users();
if ($this_client->get($work_client)) {
$hide_user = $this_client->setActiveStatus(0);
}
}

$msg = __('The selected clients were marked as inactive.','cftp_admin');
echo system_message('success',$msg);
break;
case 'delete':
foreach ($selected_clients as $work_client) {
$this_client = new \ProjectSend\Classes\Users();
if ($this_client->get($work_client)) {
$delete_user = $this_client->delete();
}
}

$msg = __('The selected clients were deleted.','cftp_admin');
echo system_message('success',$msg);
break;
$current_url = get_form_action_with_existing_parameters(basename(__FILE__));

/**
* Apply the corresponding action to the selected clients.
*/
if (isset($_POST['action'])) {
/** Continue only if 1 or more clients were selected. */
if (!empty($_POST['batch'])) {
$selected_clients = $_POST['batch'];

switch ($_POST['action']) {
case 'activate':
/**
* Changes the value on the "active" column value on the database.
* Inactive clients are not allowed to log in.
*/
foreach ($selected_clients as $work_client) {
$this_client = new \ProjectSend\Classes\Users();
if ($this_client->get($work_client)) {
$hide_user = $this_client->setActiveStatus(1);
}
}

$flash->success(__('The selected clients were marked as active.', 'cftp_admin'));
break;
case 'deactivate':
/**
* Reverse of the previous action. Setting the value to 0 means
* that the client is inactive.
*/
foreach ($selected_clients as $work_client) {
$this_client = new \ProjectSend\Classes\Users();
if ($this_client->get($work_client)) {
$hide_user = $this_client->setActiveStatus(0);
}
}

$flash->success(__('The selected clients were marked as inactive.', 'cftp_admin'));
break;
case 'delete':
foreach ($selected_clients as $work_client) {
$this_client = new \ProjectSend\Classes\Users();
if ($this_client->get($work_client)) {
$delete_user = $this_client->delete();
}
}
}
else {
$msg = __('Please select at least one client.','cftp_admin');
echo system_message('danger',$msg);
}

$flash->success(__('The selected clients were deleted.', 'cftp_admin'));
break;
}
}
else {
$flash->error(__('Please select at least one client.', 'cftp_admin'));
}

ps_redirect($current_url);
}
?>
<div class="row">
<div class="col-xs-12">
<?php
/** Query the clients */
$params = array();

Expand Down Expand Up @@ -155,8 +155,8 @@
</div>
</div>

<form action="clients.php" name="clients_list" method="get" class="form-inline batch_actions">
<?php form_add_existing_parameters(); ?>
<form action="<?php echo $current_url; ?>" name="clients_list" method="post" class="form-inline batch_actions">
<?php addCsrf(); ?>
<div class="form_actions_right">
<div class="form_actions">
<div class="form_actions_submit">
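Review bot: `$selected_clients = $_POST['batch'];` is iterated by every case without checking that it is an array, so a crafted POST with a scalar `batch` value makes each `foreach` emit a warning and do nothing while the code still flashes a success message and redirects. Normalise once before the `switch`: `$selected_clients = array_filter(array_map('intval', (array) $_POST['batch']));` and route an empty result to the existing "Please select at least one client." error path. Unlike categories.php, this handler also fires for `action=none` and redirects silently; matching the `!= 'none'` check there avoids a no-op redirect when the admin submits without choosing an action. The rest of the handler is inside this hunk, with the header include and the `$current_url` assignment just above it at the hunk's top.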
2 changes: 1 addition & 1 deletion email-templates.php
Expand Up @@ -343,7 +343,7 @@


<form action="email-templates.php" name="templatesform" method="post" enctype="multipart/form-data" class="form-horizontal">
<input type="hidden" name="csrf_token" value="<?php echo getCsrfToken(); ?>" />
<?php addCsrf(); ?>
<input type="hidden" name="section" value="<?php echo $section; ?>">

<?php
2 changes: 1 addition & 1 deletion email-test.php
Expand Up @@ -30,7 +30,7 @@
<div class="white-box">
<div class="white-box-interior">
<form action="email-test.php" name="email_test" method="post" enctype="multipart/form-data" class="form-horizontal">
<input type="hidden" name="csrf_token" value="<?php echo getCsrfToken(); ?>" />
<?php addCsrf(); ?>
<input type="hidden" name="section" value="<?php echo $section; ?>">

<?php if ($_POST) { ?>
