author | Andrew Dolgov <[email protected]> | 2011-12-26 12:02:52 +0400 |
committer | Andrew Dolgov <[email protected]> | 2011-12-26 12:02:52 +0400 |
commit | 8484ce22584b8714622833adcc7ebfe3ef9cf90e (patch) | |
tree | 057d7a64c3af60e2389d519ba19e476b5fbe6212 /classes | |
parent | 036cd3a4106cf2eee0be72f0695458dfb517976b (diff) |
experimental CSRF protection
Diffstat (limited to 'classes')
-rw-r--r-- | classes/article.php | 6 | ||||
-rw-r--r-- | classes/feeds.php | 6 | ||||
-rw-r--r-- | classes/handler.php | 4 | ||||
-rw-r--r-- | classes/pref_feeds.php | 7 | ||||
-rw-r--r-- | classes/pref_filters.php | 6 | ||||
-rw-r--r-- | classes/pref_instances.php | 6 | ||||
-rw-r--r-- | classes/pref_labels.php | 6 | ||||
-rw-r--r-- | classes/pref_prefs.php | 6 | ||||
-rw-r--r-- | classes/pref_users.php | 7 | ||||
-rw-r--r-- | classes/rpc.php | 6 |
10 files changed, 59 insertions, 1 deletions
diff --git a/classes/article.php b/classes/article.php
index 90ca129b9..30f0c7d10 100644
--- a/classes/article.php
+++ b/classes/article.php
@@ -1,6 +1,12 @@
<?php
class Article extends Protected_Handler {
+ function csrf_ignore($method) {
+ $csrf_ignored = array("redirect");
+
+ return array_search($method, $csrf_ignored) !== false;
+ }
+
function redirect() {
$id = db_escape_string($_REQUEST['id']);
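Review bot: The membership test in the added `csrf_ignore()` uses `array_search()` without the strict flag, so `$method` is matched by loose comparison; on PHP releases before 8.0 a non-string value such as `0` compares equal to every non-numeric string in the list, so if the dispatcher (outside this diff) ever passed a non-string the method would be treated as exempt. `return in_array($method, $csrf_ignored, true);` states the intent directly and closes that gap. The same construct is repeated in the feeds.php, pref_feeds.php, pref_filters.php, pref_instances.php, pref_labels.php, pref_prefs.php, pref_users.php and rpc.php hunks and could live once in Protected_Handler reading a per-class list instead of nine copies. The code that calls csrf_ignore() and rejects non-exempt requests is not within this diffstat (limited to 'classes'), so whether the check is enforced cannot be confirmed from here.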
diff --git a/classes/feeds.php b/classes/feeds.php
index 3626e9fbc..6b498ac00 100644
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -1,6 +1,12 @@
<?php
class Feeds extends Protected_Handler {
+ function csrf_ignore($method) {
+ $csrf_ignored = array("index");
+
+ return array_search($method, $csrf_ignored) !== false;
+ }
+
private function feedlist_init_cat($cat_id, $hidden = false) {
$obj = array();
$cat_id = (int) $cat_id;
diff --git a/classes/handler.php b/classes/handler.php
index 53b52ea03..404b8306b 100644
--- a/classes/handler.php
+++ b/classes/handler.php
@@ -8,6 +8,10 @@ class Handler {
$this->args = $args;
}
+ function csrf_ignore($method) {
+ return true;
+ }
+
function before() {
return true;
}
diff --git a/classes/pref_feeds.php b/classes/pref_feeds.php
index 5df5eb939..b83abd789 100644
--- a/classes/pref_feeds.php
+++ b/classes/pref_feeds.php
@@ -1,5 +1,12 @@
<?php
class Pref_Feeds extends Protected_Handler {
+
+ function csrf_ignore($method) {
+ $csrf_ignored = array("index", "getfeedtree", "add", "editcats", "editfeed");
+
+ return array_search($method, $csrf_ignored) !== false;
+ }
+
function batch_edit_cbox($elem, $label = false) {
print "<input type=\"checkbox\" title=\"".__("Check to enable field")."\" onchange=\"dijit.byId('feedEditDlg').toggleField(this, '$elem', '$label')\">";
diff --git a/classes/pref_filters.php b/classes/pref_filters.php
index d953a8d1d..4ab12410f 100644
--- a/classes/pref_filters.php
+++ b/classes/pref_filters.php
@@ -1,6 +1,12 @@
<?php
class Pref_Filters extends Protected_Handler {
+ function csrf_ignore($method) {
+ $csrf_ignored = array("index", "getfiltertree", "edit");
+
+ return array_search($method, $csrf_ignored) !== false;
+ }
+
function filter_test($filter_type, $reg_exp, $action_id, $action_param, $filter_param, $inverse, $feed_id) {
diff --git a/classes/pref_instances.php b/classes/pref_instances.php
index 893d2b6bf..aae5bbafb 100644
--- a/classes/pref_instances.php
+++ b/classes/pref_instances.php
@@ -1,6 +1,12 @@
<?php
class Pref_Instances extends Protected_Handler {
+ function csrf_ignore($method) {
+ $csrf_ignored = array("index", "edit");
+
+ return array_search($method, $csrf_ignored) !== false;
+ }
+
function before() {
if (parent::before()) {
if ($_SESSION["access_level"] < 10) {
diff --git a/classes/pref_labels.php b/classes/pref_labels.php
index 0d60731f3..951ae45ed 100644
--- a/classes/pref_labels.php
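Review bot: The base `Handler::csrf_ignore()` returns `true` unconditionally, so any handler that does not override it has every method exempt from the CSRF check — the protection is opt-in per class rather than fail-closed. Unless Protected_Handler (not in this diff) overrides it to return `false`, a subclass added later without its own `csrf_ignore()` silently gets no CSRF protection at all. Changing the base to `return false;` and having the handlers that genuinely need it opt out explicitly would make the safe behaviour the default; failing that, the base method needs a comment such as `// Default: every method is exempt from the CSRF check; subclasses override this to exempt only specific methods.` The Handler class body continues outside this hunk.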
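Review bot: The exemption list in `Pref_Feeds::csrf_ignore()` includes `add`, `editcats` and `editfeed` alongside the read-only-looking `index` and `getfeedtree`; from the names alone these could be state-changing actions, and anything on this list stays reachable cross-site without a token once the check is enforced. If they only emit dialog markup (their bodies are outside this hunk), a short comment on the list would stop a later reader from assuming otherwise: `// Exempt methods only render markup and must not modify state.` The same question applies to `edit` in the pref_filters.php, pref_instances.php and pref_labels.php hunks.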
+++ b/classes/pref_labels.php
@@ -1,6 +1,12 @@
<?php
class Pref_Labels extends Protected_Handler {
+ function csrf_ignore($method) {
+ $csrf_ignored = array("index", "getlabeltree", "edit");
+
+ return array_search($method, $csrf_ignored) !== false;
+ }
+
function edit() {
$label_id = db_escape_string($_REQUEST['id']);
diff --git a/classes/pref_prefs.php b/classes/pref_prefs.php
index 5a216d2b1..03e39caa5 100644
--- a/classes/pref_prefs.php
+++ b/classes/pref_prefs.php
@@ -1,6 +1,12 @@
<?php
class Pref_Prefs extends Protected_Handler {
+ function csrf_ignore($method) {
+ $csrf_ignored = array("index");
+
+ return array_search($method, $csrf_ignored) !== false;
+ }
+
function changepassword() {
$old_pw = $_POST["old_password"];
diff --git a/classes/pref_users.php b/classes/pref_users.php
index b9d162fd2..fe32ce14c 100644
--- a/classes/pref_users.php
+++ b/classes/pref_users.php
@@ -1,6 +1,5 @@
<?php
class Pref_Users extends Protected_Handler {
-
function before() {
if (parent::before()) {
if ($_SESSION["access_level"] < 10) {
@@ -12,6 +11,12 @@ class Pref_Users extends Protected_Handler {
return false;
}
+ function csrf_ignore($method) {
+ $csrf_ignored = array("index");
+
+ return array_search($method, $csrf_ignored) !== false;
+ }
+
function userdetails() {
header("Content-Type: text/xml");
diff --git a/classes/rpc.php b/classes/rpc.php
index 8145b0407..4cdaef935 100644
--- a/classes/rpc.php
+++ b/classes/rpc.php
@@ -1,6 +1,12 @@
<?php
class RPC extends Protected_Handler {
+ function csrf_ignore($method) {
+ $csrf_ignored = array("sanitycheck", "buttonplugin");
+
+ return array_search($method, $csrf_ignored) !== false;
+ }
+
function setprofile() {
$id = db_escape_string($_REQUEST["id"]); |