fix security problems in draft handling. fixes #3565

dokuwiki · Dec 17, 2021 · 2420159 · 2420159
1 parent ecad51d
commit 2420159
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 4 deletions.
diff --git a/inc/Ajax.php b/inc/Ajax.php
@@ -168,8 +168,10 @@ protected function callDraftdel() {
         $client = $_SERVER['REMOTE_USER'];
         if(!$client) $client = clientIP(true);
 
-        $cname = getCacheName($client . $id, '.draft');
-        @unlink($cname);
+        $draft = new Draft($id, $client);
+        if ($draft->isDraftAvailable() && checkSecurityToken()) {
+            $draft->deleteDraft();
+        }
     }
 
     /**

diff --git a/inc/Draft.php b/inc/Draft.php
@@ -25,7 +25,7 @@ public function __construct($ID, $client)
     {
         $this->id = $ID;
         $this->client = $client;
-        $this->cname = getCacheName($client.$ID, '.draft');
+        $this->cname = getCacheName("$client\n$ID", '.draft');
         if(file_exists($this->cname) && file_exists(wikiFN($ID))) {
             if (filemtime($this->cname) < filemtime(wikiFN($ID))) {
                 // remove stale draft

diff --git a/lib/scripts/edit.js b/lib/scripts/edit.js
@@ -210,7 +210,8 @@ function deleteDraft() {
     jQuery.post(DOKU_BASE + 'lib/exe/ajax.php',
         {
             call: 'draftdel',
-            id: $dwform.find('input[name=id]').val()
+            id: $dwform.find('input[name=id]').val(),
+            sectok: $dwform.find('input[name=sectok]').val()
         }
     );
 }