sascha
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

CSRF check in the settings

remotes/origin/stable5
Lukas Reschke 2012-07-07 15:27:04 +07:00
parent ec7bb86b28
commit 777eb1d8b1
13 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
settings/ajax/changepassword.php
Unescape Escape View File

@ -9,6 +9,8 @@ $oldPassword=isset($_POST["oldpassword"])?$_POST["oldpassword"]:'';
// Check if we are a user // Check if we are a user
OC_JSON::checkLoggedIn(); OC_JSON::checkLoggedIn();
OCP\JSON::callCheck();
if( (!OC_Group::inGroup( OC_User::getUser(), 'admin' ) && ($username!=OC_User::getUser() || !OC_User::checkPassword($username,$oldPassword)))) { if( (!OC_Group::inGroup( OC_User::getUser(), 'admin' ) && ($username!=OC_User::getUser() || !OC_User::checkPassword($username,$oldPassword)))) {
OC_JSON::error( array( "data" => array( "message" => "Authentication error" ))); OC_JSON::error( array( "data" => array( "message" => "Authentication error" )));
exit(); exit();

2
settings/ajax/creategroup.php
Unescape Escape View File

@ -9,6 +9,8 @@ if( !OC_User::isLoggedIn() || !OC_Group::inGroup( OC_User::getUser(), 'admin' ))
exit(); exit();
} }
OCP\JSON::callCheck();
$groupname = $_POST["groupname"]; $groupname = $_POST["groupname"];
// Does the group exist? // Does the group exist?

1
settings/ajax/createuser.php
Unescape Escape View File

@ -8,6 +8,7 @@ if( !OC_User::isLoggedIn() || !OC_Group::inGroup( OC_User::getUser(), 'admin' ))
OC_JSON::error(array("data" => array( "message" => "Authentication error" ))); OC_JSON::error(array("data" => array( "message" => "Authentication error" )));
exit(); exit();
} }
OCP\JSON::callCheck();
$groups = array(); $groups = array();
if( isset( $_POST["groups"] )){ if( isset( $_POST["groups"] )){

1
settings/ajax/disableapp.php
Unescape Escape View File

@ -2,6 +2,7 @@
// Init owncloud // Init owncloud
require_once('../../lib/base.php'); require_once('../../lib/base.php');
OC_JSON::checkAdminUser(); OC_JSON::checkAdminUser();
OCP\JSON::callCheck();
OC_JSON::setContentTypeHeader(); OC_JSON::setContentTypeHeader();
OC_App::disable($_POST['appid']); OC_App::disable($_POST['appid']);

1
settings/ajax/enableapp.php
Unescape Escape View File

@ -3,6 +3,7 @@
// Init owncloud // Init owncloud
require_once('../../lib/base.php'); require_once('../../lib/base.php');
OC_JSON::checkAdminUser(); OC_JSON::checkAdminUser();
OCP\JSON::callCheck();
OC_JSON::setContentTypeHeader(); OC_JSON::setContentTypeHeader();
if(OC_App::enable($_POST['appid'])){ if(OC_App::enable($_POST['appid'])){

2
settings/ajax/lostpassword.php
Unescape Escape View File

@ -2,8 +2,8 @@
// Init owncloud // Init owncloud
require_once('../../lib/base.php'); require_once('../../lib/base.php');
OC_JSON::checkLoggedIn(); OC_JSON::checkLoggedIn();
OCP\JSON::callCheck();
$l=OC_L10N::get('core'); $l=OC_L10N::get('core');

1
settings/ajax/openid.php
Unescape Escape View File

@ -6,6 +6,7 @@ require_once('../../lib/base.php');
$l=OC_L10N::get('settings'); $l=OC_L10N::get('settings');
OC_JSON::checkLoggedIn(); OC_JSON::checkLoggedIn();
OCP\JSON::callCheck();
OC_JSON::checkAppEnabled('user_openid'); OC_JSON::checkAppEnabled('user_openid');
// Get data // Get data

1
settings/ajax/removegroup.php
Unescape Escape View File

@ -4,6 +4,7 @@
require_once('../../lib/base.php'); require_once('../../lib/base.php');
OC_JSON::checkAdminUser(); OC_JSON::checkAdminUser();
OCP\JSON::callCheck();
$name = $_POST["groupname"]; $name = $_POST["groupname"];

1
settings/ajax/removeuser.php
Unescape Escape View File

@ -4,6 +4,7 @@
require_once('../../lib/base.php'); require_once('../../lib/base.php');
OC_JSON::checkAdminUser(); OC_JSON::checkAdminUser();
OCP\JSON::callCheck();
$username = $_POST["username"]; $username = $_POST["username"];

1
settings/ajax/setlanguage.php
Unescape Escape View File

@ -6,6 +6,7 @@ require_once('../../lib/base.php');
$l=OC_L10N::get('settings'); $l=OC_L10N::get('settings');
OC_JSON::checkLoggedIn(); OC_JSON::checkLoggedIn();
OCP\JSON::callCheck();
// Get data // Get data

1
settings/ajax/setloglevel.php
Unescape Escape View File

@ -7,6 +7,7 @@
require_once('../../lib/base.php'); require_once('../../lib/base.php');
OC_Util::checkAdminUser(); OC_Util::checkAdminUser();
OCP\JSON::callCheck();
OC_Config::setValue( 'loglevel', $_POST['level'] ); OC_Config::setValue( 'loglevel', $_POST['level'] );

1
settings/ajax/setquota.php
Unescape Escape View File

@ -9,6 +9,7 @@
require_once('../../lib/base.php'); require_once('../../lib/base.php');
OC_JSON::checkAdminUser(); OC_JSON::checkAdminUser();
OCP\JSON::callCheck();
$username = isset($_POST["username"])?$_POST["username"]:''; $username = isset($_POST["username"])?$_POST["username"]:'';

1
settings/ajax/togglegroups.php
Unescape Escape View File

@ -4,6 +4,7 @@
require_once('../../lib/base.php'); require_once('../../lib/base.php');
OC_JSON::checkAdminUser(); OC_JSON::checkAdminUser();
OCP\JSON::callCheck();
$success = true; $success = true;
$error = "add user to"; $error = "add user to";