2008年 9月 22日 (月) 16:42:35 JST
Author: tsuchi000
Date: Mon Sep 22 00:39:35 2008
New Revision: 688
Added: trunk/plugins/filemgmt/update_20080917.html
Removed: trunk/plugins/filemgmt/update_20080129.html
Modified: trunk/plugins/filemgmt/admin/index.php trunk/plugins/filemgmt/admin/install.php
Log: filemgmt 再アップ filemgmt_1.5.3jp_1.5
Modified: trunk/plugins/filemgmt/admin/index.php
==============================================================================
--- trunk/plugins/filemgmt/admin/index.php (original)
+++ trunk/plugins/filemgmt/admin/index.php Mon Sep 22 00:39:35 2008
@@ -31,6 +31,7 @@
 // | |
 // +-------------------------------------------------------------------------+
 //
+//@@@@@20080917 CSRF checks
 require_once("../../../lib-common.php");
 include_once($_CONF[path_html]."filemgmt/include/header.php");
@@ -192,6 +193,12 @@
 if ($numrows > 1 and $i < $numrows ) {
 $i++;
 }
+ //@@@@@20080917add CSRF checks ---->
+ $display .= LB;
+ $display .= '<input type="hidden" name="'.CSRF_TOKEN.'" value="'.SEC_createToken().'"'.XHTML.'>';
+ $display .= LB;
+ //@@@@@20080917add CSRF checks <----
+
 $display .= '</table></form></td></tr>';
 }
 $display .= '</table>';
@@ -223,6 +230,13 @@
 $display .= '<tr><td colspan="2" style="text-align:center;padding:10px;">';
 $display .= "<input type=hidden name=cid value=0>\n";
 $display .= "<input type=hidden name=op value=addCat>";
+ //@@@@@20080917add CSRF checks ---->
+ $wk_token=SEC_createToken();
+ $display .= LB;
+ $display .= '<input type="hidden" name="'.CSRF_TOKEN.'" value="'.$wk_token.'"'.XHTML.'>';
+ $display .= LB;
+ //@@@@@20080917add CSRF checks <----
+
 $display .= "<input type=submit value="._MD_ADD."></td></tr></table><br></form>";
 // Add a New Sub-Category
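Review bot: The five-line token block first added in the `@@ -192` hunk is pasted, unchanged apart from `SEC_createToken()` versus `$wk_token`, into every later form hunk of this file (`@@ -223`, `-238`, `-248`, `-292`, `-370`, `-421`, `-450`, `-515`, `-675`, `-1147`), so the next form someone adds is one copy-paste away from shipping without a token. A small helper defined once near the `require_once` at the top, `function filemgmt_csrfField($token = '') { if ($token === '') { $token = SEC_createToken(); } return LB . '<input type="hidden" name="' . CSRF_TOKEN . '" value="' . $token . '"' . XHTML . '>' . LB; }`, lets each form become `$display .= filemgmt_csrfField();` (or `filemgmt_csrfField($wk_token)` where one token is deliberately shared across the forms on a page, as `@@ -223` does). The enclosing functions of the `@@ -192` and `@@ -223` hunks start and end outside them.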
@@ -238,6 +252,12 @@
 $display .= $mytree->makeMySelBox('title', 'title') . '</td></tr>';
 $display .= '<tr><td colspan="2" style="text-align:center;padding:10px;">';
 $display .= '<input type="hidden" name="op" value="addCat">';
+ //@@@@@20080917add CSRF checks ---->
+ $display .= LB;
+ $display .= '<input type="hidden" name="'.CSRF_TOKEN.'" value="'.$wk_token.'"'.XHTML.'>';
+ $display .= LB;
+ //@@@@@20080917add CSRF checks <----
+
 $display .= "<input type=submit value="._MD_ADD."></td></tr></table><br></form>";
 // Modify Category
 $display .= '</td></tr><tr><td>';
@@ -248,6 +268,12 @@
 $display .= $mytree->makeMySelBox('title', 'title') . '</td></tr>';
 $display .= '<tr><td colspan="2" style="text-align:center;padding:10px;">';
 $display .= '<input type="hidden" name="op" value="modCat">';
+ //@@@@@20080917add CSRF checks ---->
+ $display .= LB;
+ $display .= '<input type="hidden" name="'.CSRF_TOKEN.'" value="'.$wk_token.'"'.XHTML.'>';
+ $display .= LB;
+ //@@@@@20080917add CSRF checks <----
+
 $display .= "<input type=submit value="._MD_MODIFY."></td></tr></table><br></form>";
 }
 $display .= '</td></tr></table>';
@@ -292,6 +318,11 @@
 $display .= '<tr><td colspan="2" style="text-align:center;padding:10px;">';
 $display .= '<input type="hidden" name="op" value="addDownload"></input>';
 $display .= '<input type="submit" class="button" value="'._MD_ADD.'"></input>';
+ //@@@@@20080917add CSRF checks ---->
+ $display .= LB;
+ $display .= '<input type="hidden" name="'.CSRF_TOKEN.'" value="'.SEC_createToken().'"'.XHTML.'>';
+ $display .= LB;
+ //@@@@@20080917add CSRF checks <----
 $display .= '</td></tr></table>';
 $display .= '</form>';
 $display .= COM_endBlock();
@@ -370,6 +401,12 @@
 $display .= '<input type="submit" value="'._MD_SUBMIT.'"><span style="padding-left:15px;padding-right:15px;">';
 $display .= '<input type="submit" value="'._MD_DELETE.'" onClick=\'if (confirm("Delete this file ?")) {this.form.op.value="delDownload";return true}; return false\'>';
 $display .= "</span><input type=button value="._MD_CANCEL." onclick=\"javascript:history.go(-1)\">";
+ //@@@@@20080917add CSRF checks ---->
+ $wk_token=SEC_createToken();
+ $display .= LB;
+ $display .= '<input type="hidden" name="'.CSRF_TOKEN.'" value="'.$wk_token.'"'.XHTML.'>';
+ $display .= LB;
+ //@@@@@20080917add CSRF checks <----
 $display .= '</td></tr></table></form>' .LB;
@@ -421,6 +458,12 @@
 $cssid = ($cssid == 1) ? 2 : 1;
 }
+ //@@@@@20080917add CSRF checks ---->
+ $display .= LB;
+ $display .= '<input type="hidden" name="'.CSRF_TOKEN.'" value="'.$wk_token.'"'.XHTML.'>';
+ $display .= LB;
+ //@@@@@20080917add CSRF checks <----
+
 $display .= '</table></form>' .LB;
 // Show Unregistered Users Votes
 $result5 = DB_query("SELECT ratingid, rating, ratinghostname, ratingtimestamp FROM {$_FM_TABLES['filemgmt_votedata']} WHERE lid='$lid' AND ratinguser=0 ORDER BY ratingtimestamp DESC");
@@ -450,6 +493,11 @@
 $cssid = ($cssid == 1) ? 2 : 1;
 }
 $display .= "<tr><td colspan=\"6\"> <br></td></tr>\n";
+ //@@@@@20080917add CSRF checks ---->
+ $display .= LB;
+ $display .= '<input type="hidden" name="'.CSRF_TOKEN.'" value="'.$wk_token.'"'.XHTML.'>';
+ $display .= LB;
+ //@@@@@20080917add CSRF checks <----
 $display .= "</table></form>";
 $display .= CloseTable();
 $display .= "<br>";
@@ -515,6 +563,12 @@
 $display .= "</td></tr>\n";
 $cssid = ($cssid == 1) ? 2 : 1;
 }
+ //@@@@@20080917add CSRF checks ---->
+ $wk_token=SEC_createToken();
+ $display .= LB;
+ $display .= '<input type="hidden" name="'.CSRF_TOKEN.'" value="'.$wk_token.'"'.XHTML.'>';
+ $display .= LB;
+ //@@@@@20080917add CSRF checks <----
 $display .= "</table>";
 }
 $display .= CloseTable();
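Review bot: `$wk_token` in the `@@ -421` and `@@ -450` hunks is used without being assigned in them; it relies on the `$wk_token=SEC_createToken();` added at `@@ -370` running on the same code path, which these hunks do not show (their enclosing functions start and end outside them). If either vote table is ever rendered without the download form above it, the hidden field carries an empty value and the submission (presumably `delVote`) fails closed with an undefined-variable notice rather than bypassing the check — safe, but confusing to debug; assigning `$wk_token=SEC_createToken();` locally, as the `@@ -515` hunk does, removes the coupling. Separately, the context line `WHERE lid='$lid'` at `@@ -421` interpolates `$lid` into SQL; this predates the commit, but if `$lid` is not already cast to an integer upstream it deserves its own fix.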
@@ -675,6 +729,12 @@
 $display .= '<input type="submit" value="'._MD_SAVE.'">';
 $display .= '<input type="submit" value="'._MD_DELETE.'" onClick=\'if (confirm("Delete this file ?")) {this.form.op.value="delCat";return true}; return false\'>';
 $display .= " <input type=button value="._MD_CANCEL." onclick=\"javascript:history.go(-1)\">";
+ //@@@@@20080917add CSRF checks ---->
+ $display .= LB;
+ $display .= '<input type="hidden" name="'.CSRF_TOKEN.'" value="'.SEC_createToken().'"'.XHTML.'>';
+ $display .= LB;
+ //@@@@@20080917add CSRF checks <----
+
 $display .= '</td></tr></table>';
 $display .= "</form>";
 $display .= COM_endBlock();
@@ -1147,6 +1207,12 @@
 $display .= "<input type=\"hidden\" name=\"op\" value=\"filemgmtConfigChange\">";
 $display .= "<input type=\"submit\" value=\""._MD_SAVE."\">";
 $display .= " <input type=\"button\" value=\""._MD_CANCEL."\" onclick=\"javascript:history.go(-1)\">";
+ //@@@@@20080917add CSRF checks ---->
+ $display .= LB;
+ $display .= '<input type="hidden" name="'.CSRF_TOKEN.'" value="'.SEC_createToken().'"'.XHTML.'>';
+ $display .= LB;
+ //@@@@@20080917add CSRF checks <----
+
 $display .= "</td></tr></table>";
 $display .= "</form>";
 $display .= COM_endBlock();
@@ -1370,6 +1436,41 @@
 // Read in the new values
 include ($_CONF['path'] .'plugins/filemgmt/filemgmt.php');
 }
+
+//@@@@@20080917add CSRF checks ---->
+$op_ary[]="filemgmtConfigChange";//設定:変更を保存
+$op_ary[]="addCat";//カテゴリ:追加
+$op_ary[]="modCatS";//カテゴリ:変更を保存
+$op_ary[]="delCat";//カテゴリ:削除
+$op_ary[]="addDownload";//ファイルを追加:追加
+$op_ary[]= "approve";//ダウンロード:承認
+$op_ary[]= "delNewDownload";//ダウンロード:削除
+$op_ary[]= "ignoreBrokenDownloads";//破損ファイル:無視
+$op_ary[]= "delBrokenDownloads";//破損ファイル:承認
+$op_ary[]= "modDownloadS";//ダウンロード情報変更 :実行
+$op_ary[]= "delDownload";//ダウンロード情報変更 :削除
+$op_ary[]= "delVote";//ダウンロード評価:削除
+
+//case "listBrokenDownloads"://破損ファイル
+//case "modDownload"://ダウンロード情報変更
+//case "filemgmtConfigAdmin"://設定
+//case "categoryConfigAdmin"://カテゴリ
+//case "newfileConfigAdmin"://ファイルを追加
+//case "listNewDownloads"://ダウンロード
+//"modCat"://カテゴリ:編集
+//$op_ary[]= "comment"://**
+//$op_ary[]= "addSubCat"://**
+
+
+if (in_array($op, $op_ary)) {
+ if (!SEC_checkToken()){
+ COM_accessLog("User {$_USER['username']} tried to illegally and failed CSRF checks. filemgmt $op");
+ echo COM_refresh($_CONF['site_admin_url'].'/plugins.php');
+ exit;
+ }
+}
+//@@@@@20080917add CSRF checks <----
+
 switch ($op) {
 default:
Modified: trunk/plugins/filemgmt/admin/install.php
==============================================================================
--- trunk/plugins/filemgmt/admin/install.php (original)
+++ trunk/plugins/filemgmt/admin/install.php Mon Sep 22 00:39:35 2008
@@ -42,6 +42,7 @@
 // | |
 // +---------------------------------------------------------------------------+
 //
+//@@@@@20080917 CSRF checks for $gl_version = '1.5'
 require_once('../../../lib-common.php');
 require_once($_CONF['path'] . 'plugins/filemgmt/config.php');
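Review bot: The enforcement in the `@@ -1370` hunk is an opt-in list: only the twelve ops pushed into `$op_ary` are token-checked, so any state-changing case added to the `switch ($op)` below later — or one overlooked now; the hunk itself leaves `comment` and `addSubCat` as unresolved `//**` entries — silently runs without a CSRF check. Inverting it to deny-by-default, i.e. listing the display-only ops the hunk already enumerates in its commented-out lines and requiring `SEC_checkToken()` for everything else, keeps the check aligned with the switch as it grows; the `default:` (empty) op and any op in neither list would need the author to confirm they are read-only and add them to the allowlist, otherwise links to the plugin landing page would start failing the check. `in_array` should also pass `true` so `$op` is compared strictly as a string, and because `$op` is request-controlled (its assignment is outside the hunk) the `COM_accessLog` message should not interpolate it raw but log an escaped form. The message `tried to illegally and failed CSRF checks` is a fragment; `failed CSRF check for filemgmt op` reads better. The `switch ($op)` the hunk leads into continues outside it.

```php
//@@@@@20080917add CSRF checks ---->
// Display-only operations reachable by plain links; every other op mutates
// state and must carry a valid CSRF token (deny by default).
// TODO(review): confirm the default/empty op, 'comment' and 'addSubCat'.
$readonly_ops = array('listBrokenDownloads', 'modDownload', 'modCat',
    'filemgmtConfigAdmin', 'categoryConfigAdmin', 'newfileConfigAdmin',
    'listNewDownloads');

if (!in_array($op, $readonly_ops, true) && !SEC_checkToken()) {
    COM_accessLog("User {$_USER['username']} failed CSRF check for filemgmt op "
        . htmlspecialchars((string) $op));
    echo COM_refresh($_CONF['site_admin_url'] . '/plugins.php');
    exit;
}
//@@@@@20080917add CSRF checks <----
```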
@@ -55,7 +56,7 @@
 $pi_name = 'filemgmt'; // Plugin name
 $pi_version = $CONF_FM['version']; // Plugin Version
-$gl_version = '1.4'; // GL Version plugin for
+$gl_version = '1.5'; // GL Version plugin for @@@@@20080917
 $pi_url = 'http://www.portalparts.com'; // Plugin Homepage
@@ -226,6 +227,14 @@
 */
 $display = '';
+
+//@@@@@20080917add CSRF checks ---->
+if (!SEC_checkToken()){
+ COM_accessLog("User {$_USER['username']} tried to illegally and failed CSRF checks. filemgmt install");
+ echo COM_refresh($_CONF['site_admin_url'].'/plugins.php');
+ exit;
+}
+//@@@@@20080917add CSRF checks <----
 if ($_REQUEST['action'] == 'uninstall') {
 $uninstall_plugin = 'plugin_uninstall_' . $pi_name;
Added: trunk/plugins/filemgmt/update_20080917.html
==============================================================================
--- (empty file)
+++ trunk/plugins/filemgmt/update_20080917.html Mon Sep 22 00:39:35 2008
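Review bot: The check added at `@@ -226` runs before `action` is examined, so every request to install.php without a valid token — not only install/uninstall submissions — is logged by `COM_accessLog` as a CSRF failure and redirected; that is the right default for a script whose only legitimate callers are the token-bearing links on plugins.php, but a comment saying so would stop a future reader from moving the check inside the `if ($_REQUEST['action'] == 'uninstall')` branch: `// Every entry to this script changes plugin state; require a token before reading action.` The `$gl_version = '1.5'` bump at `@@ -55` is the matching prerequisite, since the `SEC_checkToken`/`SEC_createToken` API the commit relies on arrived with Geeklog 1.5, and the `@@@@@20080917` marker there could state that: `// GL Version plugin for (1.5 required for SEC_checkToken)`. The log text `tried to illegally and failed CSRF checks` is a fragment; `failed CSRF check on filemgmt install` reads better and should be kept consistent with the wording used in admin/index.php.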
@@ -0,0 +1,86 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<meta http-equiv="Content-Type" content="text/html; charset=Shift_JIS"/> +<meta http-equiv="Content-Style-Type" content="text/css" /> +<title>Geeklog �T�C�g</title> +</head> +<p><a href="http://wiki.geeklog.jp/index.php/JapanesefilemgmtFiles">WIKI JapanesefilemgmtFiles +</a> +</p> + +<p>Ver1.5.3 <a href="http://www.portalparts.com/filemgmt/index.php?id=50" class='external text' title="http://www.portalparts.com/filemgmt/index.php?id=50" rel="nofollow">ORIGINAL�Ń_�E�����[�h</a><br /> +��{��Ł@�ŏI�X�V��<font color="#ff0000">2008/01/29</font> +<a href="http://www.geeklog.jp/filemgmt/index.php?id=346" class='external text' title="http://www.geeklog.jp/filemgmt/index.php?id=346" rel="nofollow">��{�꒲���Ń_�E�����[�h</a> +</p> +<table border="1"> + <tr> + <td>�t�@�C���i�t�H���_�j��</td> + <td>�ŏI�ύX��</td> + <td>��l</td> + </tr> + <tr> + <td>/language/japanese.php</td> + <td>2007/06/16</td> + <td>1.5.2���ύX�Ȃ�</td> + </tr> + <tr> + <td>/language/japanese_utf-8.php</td> + <td>2007/06/16</td> + <td>1.5.2���ύX�Ȃ�</td> + </tr> + <tr> + <td>/public_htm/include/functions.php</td> + <td>2008/01/29</td> + <td>date format multilang �Ή��@by hiroron</td> + </tr> + <tr> + <td><del>/public_htm/viewcat.php</del></td> + <td><del>2006/06/17</del></td> + <td><del>�y�[�W�i�r�Q�[�V��������s�ǏC��</del>1.5.3�ʼn��</td> + </tr> + <tr> + <td><del>/templates/sortmenu.thtml</del></td> + <td><del>2006/06/16</del></td> + <td><del>�^�C�g������N���b�N�����Ƃ��̉�ʂ̓����������������C��</del>1.5.3�ʼn��</td> + </tr> + <tr> + <td>functions.php</td> + <td>2008/01/15</td> + <td>Wht's New �̕������</td> + </tr> + <tr> + <td>filemgmt.php</td> + <td>2007/05/20</td> + <td>����l�ύX1.5.2���ύX�Ȃ�</td> + </tr> + <tr> + <td>/sql/filemgmt_sql_install.php</td> + <td>2008/01/15</td> + <td>�C���X�g�[��������J�e�S���lj�</td> + </tr> +</table> 
+<p>1.5�p�lj�C���@�ŏI�X�V��<font color="#ff0000">2008/09/17</font> +<a href="http://www.geeklog.jp/filemgmt/index.php?id=346" class='external text' title="http://www.geeklog.jp/filemgmt/index.php?id=353" rel="nofollow">��{�꒲���Ń_�E�����[�h</a> +</p> +<table border="1"> + <tr> + <td>�t�@�C���i�t�H���_�j��</td> + <td>�ŏI�ύX��</td> + <td>��l</td> + </tr> + <tr> + <td>/admin/index.php</td> + <td>2008/09/17</td> + <td>CSRF checks</td> + </tr> + <tr> + <td>/admin/install.php</td> + <td>2008/09/17</td> + <td>CSRF checks</td> + </tr> +</table> + +</body> +</html> \ No newline at end of file