Settings: Add $form->protect + redirect to the same page is token is not valid

pull/3948/head
Julio 4 years ago
parent 5ed552cd63
commit e757c63ac8
  1. 13
      main/admin/settings.lib.php
  2. 5
      main/inc/lib/pear/HTML/QuickForm.php

@ -159,7 +159,7 @@ function handlePluginUpload()
$form = new FormValidator( $form = new FormValidator(
'plugin_upload', 'plugin_upload',
'post', 'post',
'settings.php?category=Plugins#tabs-4' api_get_path(WEB_CODE_PATH).'admin/settings.php?category=Plugins#tabs-4'
); );
$form->addElement( $form->addElement(
'file', 'file',
@ -397,8 +397,9 @@ function handleStylesheets()
$form = new FormValidator( $form = new FormValidator(
'stylesheet_upload', 'stylesheet_upload',
'post', 'post',
'settings.php?category=Stylesheets#tabs-3' api_get_path().'admin/settings.php?category=Stylesheets#tabs-3'
); );
$form->protect();
$form->addElement( $form->addElement(
'text', 'text',
'name_stylesheet', 'name_stylesheet',
@ -1640,8 +1641,9 @@ function generateSettingsForm($settings, $settings_by_access_list)
$form = new FormValidator( $form = new FormValidator(
'settings', 'settings',
'post', 'post',
'settings.php?category='.Security::remove_XSS($_GET['category']) api_get_path(WEB_CODE_PATH).'admin/settings.php?category='.Security::remove_XSS($_GET['category'])
); );
$form->protect();
$form->addElement( $form->addElement(
'hidden', 'hidden',
@ -1965,6 +1967,11 @@ function generateSettingsForm($settings, $settings_by_access_list)
} }
switch ($row['variable']) { switch ($row['variable']) {
case 'upload_extensions_replace_by':
$default_values[$row['variable']] = api_replace_dangerous_char(
str_replace('.', '', $default_values[$row['variable']])
);
break;
case 'pdf_export_watermark_enable': case 'pdf_export_watermark_enable':
$url = PDF::get_watermark(null); $url = PDF::get_watermark(null);
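Review bot: The plugin_upload form in handlePluginUpload only has its action made absolute in the first hunk, while the stylesheet_upload and settings forms in the next two hunks also receive `$form->protect();` — so the plugin upload handler, which accepts an uploaded file from an administrator, still submits without a CSRF token unless protect() is called further down outside the hunk. Adding `$form->protect();` directly after the constructor, mirroring the other two forms, would close that gap. Separately, the stylesheet form's new action calls `api_get_path()` with no argument whereas the other two forms use `api_get_path(WEB_CODE_PATH)`; if the no-argument call resolves to the web root rather than the main/ code path, both the form action and the token-failure redirect that now targets it point at a non-existent page, so it should read `api_get_path(WEB_CODE_PATH).'admin/settings.php?category=Stylesheets#tabs-3'`. All three enclosing functions start and end outside the hunks shown.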

@ -1430,6 +1430,11 @@ class HTML_QuickForm extends HTML_Common
$check = Security::check_token('form', $this); $check = Security::check_token('form', $this);
Security::clear_token(); Security::clear_token();
if (false === $check) { if (false === $check) {
// Redirect to the same URL + show token not validated message.
$url = $this->getAttribute('action');
Display::addFlash(Display::return_message(get_lang('NotValidated'), 'warning'));
api_location($url);
return false; return false;
} }
} }
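Review bot: The redirect issued when the token check fails uses the form's `action` attribute verbatim, yet FormValidator callers that do not pass an absolute URL (the three forms in this commit before their actions were rewritten, and any form built with the default action) leave it empty or page-relative, so `api_location($url)` can emit a Location header with an empty value and the user lands nowhere useful. A fallback is needed before the flash message, e.g. `if ('' === (string) $url) { $url = api_get_self(); }` if that helper is available in this class, so every protected form gets a sane target. The fallback should not be built from `$_SERVER['REQUEST_URI']`: a crafted request path such as `//host/...` would turn the redirect into a protocol-relative one that leaves the site. This code sits inside a method of HTML_QuickForm whose signature and remaining body lie outside the hunk.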
