Mirrors/sysPass
2
0
Fork 0
mirror of https://github.com/nuxsmin/sysPass.git synced 2026-03-10 10:26:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix session key generation errors on forms and ajax requests

Browse Source
This commit is contained in:
nuxsmin
2013-10-23 20:08:41 +02:00
parent cc8796a53e
commit ff43d0a97c
7 changed files with 20 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ajax/ajax_categorymgmt.php
View File

@@ -32,6 +32,10 @@ if ( ! SP_Init::isLoggedIn() ) {
SP_Common::printXML(_('La sesión no se ha iniciado o ha caducado'),10);
}
if (!isset($_POST["sk"]) || !SP_Common::checkSessionKey($_POST["sk"])) {
SP_Common::printXML(_('CONSULTA INVÁLIDA'));
}
SP_Users::checkUserAccess('config') || SP_Html::showCommonError('unavailable');
$intCategoryFunction = ( isset($_POST["categoryFunction"]) ) ? (int) $_POST["categoryFunction"] : 0;

8
ajax/ajax_getFiles.php
View File

@@ -41,11 +41,16 @@ if ( SP_Config::getValue('filesenabled') == 0 ){
$accountId = ( isset($_GET['id']) ) ? (int)$_GET['id'] : 0 ;
$deleteEnabled = ( isset($_GET['del']) ) ? (int)$_GET['del'] : 0 ;
$skey = ( isset($_GET['sk']) ) ? SP_Html::sanitize($_GET['sk']) : NULL;
if ( is_null($skey) ) {
return _('CONSULTA INVÁLIDA');
}
$files = SP_Files::getFileList($accountId, $deleteEnabled);
if ( ! is_array($files) || count($files) === 0 ){
return;
return;
}
?>
@@ -55,7 +60,6 @@ if ( ! is_array($files) || count($files) === 0 ){
<option value='<? echo $file['id']; ?>'><? echo $file['name'] ?> (<? echo $file['size']; ?> KB)</option>
<? endforeach;?>
</select>
<input type="hidden" name="sk" value="<? echo SP_Common::getSessionKey(TRUE); ?>">
<input name="action" type="hidden" id="action" value="download">
</form>
<div class="actionFiles">

4
inc/tpl/accounts.php
View File

@@ -135,7 +135,7 @@ $showEditPass = ($action == "accedit"
&& ! $account->accountIsHistory);
$showDelete = ($action == "accdelete" && $account->checkAccountAccess("accdelete") && SP_Users::checkUserAccess("accdelete"));
$filesDelete = ( $action == 'accedit' ) ? 1 : 0;
$skey = SP_Common::getSessionKey();
$skey = SP_Common::getSessionKey(TRUE);
?>
<div id="title" class="midroundup <? echo $title['class']; ?>"><? echo $title['name']; ?></div>
@@ -405,7 +405,7 @@ $skey = SP_Common::getSessionKey();
<? if ( $showDelete ): ?>
<li>
<img src="imgs/delete.png" title="<? echo _('Eliminar Cuenta'); ?>" class="inputImg" OnClick="delAccount(<? echo $account->accountId; ?>,3,'<? echo SP_Common::getSessionKey(TRUE); ?>');" />
<img src="imgs/delete.png" title="<? echo _('Eliminar Cuenta'); ?>" class="inputImg" OnClick="delAccount(<? echo $account->accountId; ?>,3,'<? echo $skey; ?>');" />
</li>
<? endif; ?>
</ul>

9
inc/tpl/categories.php
View File

@@ -50,6 +50,7 @@ $categoriesSelProp2 = array ( "name" => "categoryId",
"js" => "",
"attribs" => "");
$skey = SP_Common::getSessionKey(TRUE);
?>
<table class="data tblConfig round">
@@ -63,7 +64,7 @@ $categoriesSelProp2 = array ( "name" => "categoryId",
<input type="image" src="imgs/add.png" title="<? echo _('Nueva categoría'); ?>" class="inputImg" id="btnAdd" />
<input type="hidden" name="active" value="<? echo $activeTab ?>" />
<input type="hidden" name="categoryFunction" value="1">
<input type="hidden" name="sk" value="<? echo SP_Common::getSessionKey(TRUE); ?>">
<input type="hidden" name="sk" value="<? echo $skey; ?>">
</form>
</td>
</tr>
@@ -79,7 +80,7 @@ $categoriesSelProp2 = array ( "name" => "categoryId",
<input type="hidden" name="active" value="<? echo $activeTab ?>" />
<input type="text" name="categoryNameNew" maxlength="50" >
<input type="hidden" name="categoryFunction" value="2">
<input type="hidden" name="sk" value="'.SP_Common::getSessionKey(TRUE).'">
<input type="hidden" name="sk" value="<? echo $skey; ?>">
<input type="image" src="imgs/save.png" title="<? echo _('Guardar'); ?>" class="inputImg" id="btnGuardar" />
</form>
</td>
@@ -93,7 +94,7 @@ $categoriesSelProp2 = array ( "name" => "categoryId",
<? SP_Html::printSelect(SP_Category::getCategories(), $categoriesSelProp2); ?>
<input type="hidden" name="active" value="<? echo $activeTab ?>" />
<input type="hidden" name="categoryFunction" value="3">
<input type="hidden" name="sk" value="'.SP_Common::getSessionKey(TRUE).'">
<input type="hidden" name="sk" value="<? echo $skey; ?>">
<input type="image" src="imgs/delete.png" title="<? echo _('Borrar categoría'); ?>" class="inputImg" />
</form>
</td>
@@ -109,4 +110,4 @@ $categoriesSelProp2 = array ( "name" => "categoryId",
placeholder_text_single: "<? echo _('Seleccionar Categoría'); ?>",
disable_search_threshold: 10,
no_results_text: "<? echo _('Sin resultados'); ?>"});
</script>
</script>

2
inc/tpl/groups.php
View File

@@ -53,7 +53,7 @@ $activeTab = $data['active'];
<input type="hidden" name="id" value="<? echo $group["usergroup_id"]; ?>" />
<input type="hidden" name="action" value="<? echo $group["action"] ?>" />
<input type="hidden" name="type" value="<?php echo $data['itemtype']; ?>" />
<input type="hidden" name="sk" value="<? echo SP_Common::getSessionKey() ?>">
<input type="hidden" name="sk" value="<? echo SP_Common::getSessionKey(TRUE) ?>">
<input type="hidden" name="is_ajax" value="1">
</form>
<div id="resCheck"><span id="resFancyAccion"></span></div>

2
inc/tpl/profiles.php
View File

@@ -113,7 +113,7 @@ $activeTab = $data['active'];
<input type="hidden" name="id" value="<? echo $profile['userprofile_id']; ?>" />
<input type="hidden" name="action" value="<? echo $profile["action"] ?>" />
<input type="hidden" name="type" value="<?php echo $data['itemtype']; ?>" />
<input type="hidden" name="sk" value="<? echo SP_Common::getSessionKey() ?>">
<input type="hidden" name="sk" value="<? echo SP_Common::getSessionKey(TRUE) ?>">
<input type="hidden" name="is_ajax" value="1">
<script>
$(function() {

2
inc/tpl/users.php
View File

@@ -147,7 +147,7 @@ $ro = ( $user['checks']['user_isLdap'] ) ? "READONLY" : "";
<input type="hidden" name="id" value="<? echo $user['user_id']; ?>" />
<input type="hidden" name="action" value="<? echo $user['action']; ?>" />
<input type="hidden" name="type" value="<?php echo $data['itemtype']; ?>" />
<input type="hidden" name="sk" value="<? echo SP_Common::getSessionKey() ?>">
<input type="hidden" name="sk" value="<? echo SP_Common::getSessionKey(TRUE) ?>">
<input type="hidden" name="is_ajax" value="1">
</form>
<div id="resCheck"><span id="resFancyAccion"></span></div>