From 9bc2c5a52e8fd0bf09774a36c40174ae758f6f98 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Tue, 8 Sep 2020 10:42:25 -0400
Subject: [PATCH] Normalize use of form security tokens in Admin modules
# Conflicts:
# src/Module/Admin/Logs/Settings.php
---
 src/Module/Admin/Addons/Details.php | 6 ++--
 src/Module/Admin/Addons/Index.php | 4 +--
 src/Module/Admin/Blocklist/Contact.php | 6 ++--
 src/Module/Admin/Blocklist/Server.php | 4 +--
 src/Module/Admin/Features.php | 4 +--
 src/Module/Admin/Item/Delete.php | 4 +--
 src/Module/Admin/Logs/Settings.php | 37 +++++++++++++------------
 src/Module/Admin/Site.php | 2 +-
 src/Module/Admin/Themes/Index.php | 4 +--
 src/Module/Admin/Tos.php | 6 ++--
 src/Module/Admin/Users.php | 4 +--
 view/templates/admin/addons/details.tpl | 1 +
 12 files changed, 43 insertions(+), 39 deletions(-)
diff --git a/src/Module/Admin/Addons/Details.php b/src/Module/Admin/Addons/Details.php
index 139275cfe..85b17130c 100644
--- a/src/Module/Admin/Addons/Details.php
+++ b/src/Module/Admin/Addons/Details.php
@@ -42,6 +42,8 @@ class Details extends BaseAdmin
 include_once 'addon/' . $addon . '/' . $addon . '.php';
 if (function_exists($addon . '_addon_admin_post')) {
+ self::checkFormSecurityTokenRedirectOnError($redirect, 'admin_addons_details');
+
 $func = $addon . '_addon_admin_post';
 $func(DI::app());
 }
@@ -66,7 +68,7 @@ class Details extends BaseAdmin
 }
 if (($_GET['action'] ?? '') == 'toggle') {
- self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't');
+ self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons_details', 't');
 // Toggle addon status
 if (Addon::isEnabled($addon)) {
@@ -124,7 +126,7 @@ class Details extends BaseAdmin
 '$screenshot' => '',
 '$readme' => $readme,
- '$form_security_token' => self::getFormSecurityToken('admin_addons'),
+ '$form_security_token' => self::getFormSecurityToken('admin_addons_details'),
 ]);
 }
 }
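Review bot: `$redirect`, the first argument of the added checkFormSecurityTokenRedirectOnError call, is not defined anywhere in the hunk, so its value cannot be confirmed here; Details::post() starts before the hunk. The check also runs only after `include_once` has already loaded the addon file, so any top-level work that file does at load time still happens on a request without a valid token, and the check is skipped entirely for addons without an `_addon_admin_post` function (harmless as long as nothing else in post() changes state). Hoisting it ahead of the include — `self::checkFormSecurityTokenRedirectOnError($redirect, 'admin_addons_details');` as the first statement of the branch that includes the file — closes that window. Because the token is now verified before the addon's post handler runs, every addon admin form must carry the `$form_security_token` hidden field or its submission is redirected; the details.tpl hunk at line 9 shows the form being output but not whether that field is inside it.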
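Review bot: The toggle branch in the second hunk now validates the `t` parameter against the 'admin_addons_details' token, while Index.php (line 2) still issues its page token under 'admin_addons'. If the addons index template builds the per-addon toggle links from its own `$form_security_token`, those links now fail the check in Details and are redirected to /admin/addons; the templates are not part of this diff, so this cannot be confirmed here. Either keep `'admin_addons'` in the toggle check or make sure every link that targets `action=toggle` is generated with the 'admin_addons_details' token — the third hunk only switches the token embedded in the details page itself.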
diff --git a/src/Module/Admin/Addons/Index.php b/src/Module/Admin/Addons/Index.php
index 3049cdc6a..959f9d04a 100644
--- a/src/Module/Admin/Addons/Index.php
+++ b/src/Module/Admin/Addons/Index.php
@@ -34,7 +34,7 @@ class Index extends BaseAdmin
 // reload active themes
 if (!empty($_GET['action'])) {
- parent::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't');
+ self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't');
 switch ($_GET['action']) {
 case 'reload':
@@ -73,7 +73,7 @@ class Index extends BaseAdmin
 '$addons' => $addons,
 '$pcount' => count($addons),
 '$noplugshint' => DI::l10n()->t('There are currently no addons available on your node. You can find the official addon repository at %1$s and might find other interesting addons in the open addon registry at %2$s', 'https://github.com/friendica/friendica-addons', 'http://addons.friendi.ca'),
- '$form_security_token' => parent::getFormSecurityToken('admin_addons'),
+ '$form_security_token' => self::getFormSecurityToken('admin_addons'),
 ]);
 }
 }
diff --git a/src/Module/Admin/Blocklist/Contact.php b/src/Module/Admin/Blocklist/Contact.php
index 889362323..5a7d138b2 100644
--- a/src/Module/Admin/Blocklist/Contact.php
+++ b/src/Module/Admin/Blocklist/Contact.php
@@ -34,12 +34,12 @@ class Contact extends BaseAdmin
 {
 parent::post($parameters);
+ self::checkFormSecurityTokenRedirectOnError('/admin/blocklist/contact', 'admin_contactblock');
+
 $contact_url = $_POST['contact_url'] ?? '';
 $block_reason = $_POST['contact_block_reason'] ?? '';
 $contacts = $_POST['contacts'] ?? [];
- parent::checkFormSecurityTokenRedirectOnError('/admin/blocklist/contact', 'admin_contactblock');
-
 if (!empty($_POST['page_contactblock_block'])) {
 $contact_id = Model\Contact::getIdForURL($contact_url);
 if ($contact_id) {
@@ -89,7 +89,7 @@ class Contact extends BaseAdmin
 '$h_newblock' => DI::l10n()->t('Block New Remote Contact'),
 '$th_contacts' => [DI::l10n()->t('Photo'), DI::l10n()->t('Name'), DI::l10n()->t('Reason')],
- '$form_security_token' => parent::getFormSecurityToken('admin_contactblock'),
+ '$form_security_token' => self::getFormSecurityToken('admin_contactblock'),
 // values
 // '$baseurl' => DI::baseUrl()->get(true),
diff --git a/src/Module/Admin/Blocklist/Server.php b/src/Module/Admin/Blocklist/Server.php
index 4f19ca361..b4be591e7 100644
--- a/src/Module/Admin/Blocklist/Server.php
+++ b/src/Module/Admin/Blocklist/Server.php
@@ -36,7 +36,7 @@ class Server extends BaseAdmin
 return;
 }
- parent::checkFormSecurityTokenRedirectOnError('/admin/blocklist/server', 'admin_blocklist');
+ self::checkFormSecurityTokenRedirectOnError('/admin/blocklist/server', 'admin_blocklist');
 if (!empty($_POST['page_blocklist_save'])) {
 // Add new item to blocklist
@@ -108,7 +108,7 @@ class Server extends BaseAdmin
 '$entries' => $blocklistform,
 '$baseurl' => DI::baseUrl()->get(true),
 '$confirm_delete' => DI::l10n()->t('Delete entry from blocklist?'),
- '$form_security_token' => parent::getFormSecurityToken("admin_blocklist")
+ '$form_security_token' => self::getFormSecurityToken("admin_blocklist")
 ]);
 }
 }
diff --git a/src/Module/Admin/Features.php b/src/Module/Admin/Features.php
index a97bc0e7b..51ba9140e 100644
--- a/src/Module/Admin/Features.php
+++ b/src/Module/Admin/Features.php
@@ -32,7 +32,7 @@ class Features extends BaseAdmin
 {
 parent::post($parameters);
- parent::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features');
+ self::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features');
 $features = Feature::get(false);
@@ -80,7 +80,7 @@ class Features extends BaseAdmin
 $tpl = Renderer::getMarkupTemplate('admin/features.tpl');
 $o = Renderer::replaceMacros($tpl, [
- '$form_security_token' => parent::getFormSecurityToken("admin_manage_features"),
+ '$form_security_token' => self::getFormSecurityToken("admin_manage_features"),
 '$baseurl' => DI::baseUrl()->get(true),
 '$title' => DI::l10n()->t('Manage Additional Features'),
 '$features' => $features,
diff --git a/src/Module/Admin/Item/Delete.php b/src/Module/Admin/Item/Delete.php
index 0ad20f97c..028e228d3 100644
--- a/src/Module/Admin/Item/Delete.php
+++ b/src/Module/Admin/Item/Delete.php
@@ -37,7 +37,7 @@ class Delete extends BaseAdmin
 return;
 }
- parent::checkFormSecurityTokenRedirectOnError('/admin/item/delete', 'admin_deleteitem');
+ self::checkFormSecurityTokenRedirectOnError('/admin/item/delete', 'admin_deleteitem');
 if (!empty($_POST['page_deleteitem_submit'])) {
 $guid = trim(Strings::escapeTags($_POST['deleteitemguid']));
@@ -68,7 +68,7 @@ class Delete extends BaseAdmin
 '$intro1' => DI::l10n()->t('On this page you can delete an item from your node. If the item is a top level posting, the entire thread will be deleted.'),
 '$intro2' => DI::l10n()->t('You need to know the GUID of the item. You can find it e.g. by looking at the display URL. The last part of http://example.com/display/123456 is the GUID, here 123456.'),
 '$deleteitemguid' => ['deleteitemguid', DI::l10n()->t("GUID"), '', DI::l10n()->t("The GUID of the item you want to delete."), 'required', 'autofocus'],
- '$form_security_token' => parent::getFormSecurityToken("admin_deleteitem")
+ '$form_security_token' => self::getFormSecurityToken("admin_deleteitem")
 ]);
 }
 }
diff --git a/src/Module/Admin/Logs/Settings.php b/src/Module/Admin/Logs/Settings.php
index 5158108e4..0b5993798 100644
--- a/src/Module/Admin/Logs/Settings.php
+++ b/src/Module/Admin/Logs/Settings.php
@@ -33,25 +33,26 @@ class Settings extends BaseAdmin
 {
 parent::post($parameters);
- if (!empty($_POST['page_logs'])) {
- parent::checkFormSecurityTokenRedirectOnError('/admin/logs', 'admin_logs');
-
- $logfile = (!empty($_POST['logfile']) ? Strings::escapeTags(trim($_POST['logfile'])) : '');
- $debugging = !empty($_POST['debugging']);
- $loglevel = ($_POST['loglevel'] ?? '') ?: LogLevel::ERROR;
-
- if (is_file($logfile) &&
- !is_writeable($logfile)) {
- notice(DI::l10n()->t('The logfile \'%s\' is not writable. No logging possible', $logfile));
- return;
- }
-
- DI::config()->set('system', 'logfile', $logfile);
- DI::config()->set('system', 'debugging', $debugging);
- DI::config()->set('system', 'loglevel', $loglevel);
+ if (empty($_POST['page_logs'])) {
+ return;
 }
- info(DI::l10n()->t("Log settings updated."));
+ self::checkFormSecurityTokenRedirectOnError('/admin/logs', 'admin_logs');
+
+ $logfile = (!empty($_POST['logfile']) ? Strings::escapeTags(trim($_POST['logfile'])) : '');
+ $debugging = !empty($_POST['debugging']);
+ $loglevel = ($_POST['loglevel'] ?? '') ?: LogLevel::ERROR;
+
+ if (is_file($logfile) &&
+ !is_writeable($logfile)) {
+ notice(DI::l10n()->t('The logfile \'%s\' is not writable. No logging possible', $logfile));
+ return;
+ }
+
+ DI::config()->set('system', 'logfile', $logfile);
+ DI::config()->set('system', 'debugging', $debugging);
+ DI::config()->set('system', 'loglevel', $loglevel);
+
 DI::baseUrl()->redirect('admin/logs');
 }
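Review bot: The rewrite drops `info(DI::l10n()->t("Log settings updated."));` without a replacement, so a successful save now redirects silently; the commit message only covers token normalisation, so this looks unintended and the call belongs just before `DI::baseUrl()->redirect('admin/logs');`. On the new side `$loglevel` is written to config exactly as posted, with no check against the set of levels that content() offers as `$log_choices` (second hunk, line 6); an admin-only form, but a stray value still lands in `system.loglevel` and is only caught later by whatever reads it. The `is_file($logfile) && !is_writeable($logfile)` guard also rejects only an existing unwritable file — a new path in an unwritable directory passes and logging then fails at write time; `if ($logfile !== '' && !is_writable(is_file($logfile) ? $logfile : dirname($logfile))) {` keeps the same notice for both cases (`is_writeable` is merely an alias of `is_writable`).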
@@ -86,7 +87,7 @@ class Settings extends BaseAdmin
 '$debugging' => ['debugging', DI::l10n()->t("Enable Debugging"), DI::config()->get('system', 'debugging'), ""],
 '$logfile' => ['logfile', DI::l10n()->t("Log file"), DI::config()->get('system', 'logfile'), DI::l10n()->t("Must be writable by web server. Relative to your Friendica top-level directory.")],
 '$loglevel' => ['loglevel', DI::l10n()->t("Log level"), DI::config()->get('system', 'loglevel'), "", $log_choices],
- '$form_security_token' => parent::getFormSecurityToken("admin_logs"),
+ '$form_security_token' => self::getFormSecurityToken("admin_logs"),
 '$phpheader' => DI::l10n()->t("PHP logging"),
 '$phphint' => DI::l10n()->t("To temporarily enable logging of PHP errors and warnings you can prepend the following to the index.php file of your installation. The filename set in the 'error_log' line is relative to the friendica top-level directory and must be writeable by the web server. The option '1' for 'log_errors' and 'display_errors' is to enable these options, set to '0' to disable them."),
 '$phplogcode' => "error_reporting(E_ERROR | E_WARNING | E_PARSE);\nini_set('error_log','php.out');\nini_set('log_errors','1');\nini_set('display_errors', '1');",
diff --git a/src/Module/Admin/Site.php b/src/Module/Admin/Site.php
index 2e16cc657..6380f3d93 100644
--- a/src/Module/Admin/Site.php
+++ b/src/Module/Admin/Site.php
@@ -718,7 +718,7 @@ class Site extends BaseAdmin
 '$relay_server_tags' => ['relay_server_tags', DI::l10n()->t('Server tags'), DI::config()->get('system', 'relay_server_tags'), DI::l10n()->t('Comma separated list of tags for the "tags" subscription.')],
 '$relay_user_tags' => ['relay_user_tags', DI::l10n()->t('Allow user tags'), DI::config()->get('system', 'relay_user_tags', true), DI::l10n()->t('If enabled, the tags from the saved searches will used for the "tags" subscription in addition to the "relay_server_tags".')],
- '$form_security_token' => parent::getFormSecurityToken('admin_site'),
+ '$form_security_token' => self::getFormSecurityToken('admin_site'),
 '$relocate_button' => DI::l10n()->t('Start Relocation'),
 ]);
 }
diff --git a/src/Module/Admin/Themes/Index.php b/src/Module/Admin/Themes/Index.php
index 955ddadc7..f25d64b47 100644
--- a/src/Module/Admin/Themes/Index.php
+++ b/src/Module/Admin/Themes/Index.php
@@ -37,7 +37,7 @@ class Index extends BaseAdmin
 // reload active themes
 if (!empty($_GET['action'])) {
- parent::checkFormSecurityTokenRedirectOnError(DI::baseUrl()->get() . '/admin/themes', 'admin_themes', 't');
+ self::checkFormSecurityTokenRedirectOnError(DI::baseUrl()->get() . '/admin/themes', 'admin_themes', 't');
 switch ($_GET['action']) {
 case 'reload':
@@ -119,7 +119,7 @@ class Index extends BaseAdmin
 '$noplugshint' => DI::l10n()->t('No themes found on the system. They should be placed in %1$s', '/view/themes'),
 '$experimental' => DI::l10n()->t('[Experimental]'),
 '$unsupported' => DI::l10n()->t('[Unsupported]'),
- '$form_security_token' => parent::getFormSecurityToken('admin_themes'),
+ '$form_security_token' => self::getFormSecurityToken('admin_themes'),
 ]);
 }
 }
diff --git a/src/Module/Admin/Tos.php b/src/Module/Admin/Tos.php
index 811a0eb25..fef199c35 100644
--- a/src/Module/Admin/Tos.php
+++ b/src/Module/Admin/Tos.php
@@ -31,12 +31,12 @@ class Tos extends BaseAdmin
 {
 parent::post($parameters);
- parent::checkFormSecurityTokenRedirectOnError('/admin/tos', 'admin_tos');
-
 if (empty($_POST['page_tos'])) {
 return;
 }
+ self::checkFormSecurityTokenRedirectOnError('/admin/tos', 'admin_tos');
+
 $displaytos = !empty($_POST['displaytos']);
 $displayprivstatement = !empty($_POST['displayprivstatement']);
 $tostext = (!empty($_POST['tostext']) ? strip_tags(trim($_POST['tostext'])) : '');
@@ -64,7 +64,7 @@ class Tos extends BaseAdmin
 '$preview' => DI::l10n()->t('Privacy Statement Preview'),
 '$privtext' => $tos->privacy_complete,
 '$tostext' => ['tostext', DI::l10n()->t('The Terms of Service'), DI::config()->get('system', 'tostext'), DI::l10n()->t('Enter the Terms of Service for your node here. You can use BBCode. Headers of sections should be [h2] and below.')],
- '$form_security_token' => parent::getFormSecurityToken('admin_tos'),
+ '$form_security_token' => self::getFormSecurityToken('admin_tos'),
 '$submit' => DI::l10n()->t('Save Settings'),
 ]);
 }
diff --git a/src/Module/Admin/Users.php b/src/Module/Admin/Users.php
index f82f9f8c7..751b618af 100644
--- a/src/Module/Admin/Users.php
+++ b/src/Module/Admin/Users.php
@@ -36,6 +36,8 @@ class Users extends BaseAdmin
 {
 parent::post($parameters);
+ self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users');
+
 $pending = $_POST['pending'] ?? [];
 $users = $_POST['user'] ?? [];
 $nu_name = $_POST['new_user_name'] ?? '';
@@ -43,8 +45,6 @@ class Users extends BaseAdmin
 $nu_email = $_POST['new_user_email'] ?? '';
 $nu_language = DI::config()->get('system', 'language');
- parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users');
-
 if ($nu_name !== '' && $nu_email !== '' && $nu_nickname !== '') {
 try {
 User::createMinimal($nu_name, $nu_email, $nu_nickname, $nu_language);
diff --git a/view/templates/admin/addons/details.tpl b/view/templates/admin/addons/details.tpl
index f5bb165e0..81625fecf 100644
--- a/view/templates/admin/addons/details.tpl
+++ b/view/templates/admin/addons/details.tpl
@@ -24,6 +24,7 @@
 {{if $admin_form}}

{{$settings}}

+ {{$admin_form nofilter}}
{{/if}}