rooty/OwncloudContactsOfficial
1
0
Fork 0
mirror of https://github.com/owncloudarchive/contacts.git synced 2025-02-12 06:54:28 +01:00
Code Issues Releases Activity

Contacts: implemented CSRF prevention.

Browse Source
This commit is contained in:
Thomas Tanghus 2012-06-13 17:35:42 +02:00
parent f3e19ca230
commit aa73a32b89
14 changed files with 52 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ajax/activation.php
View File

@ -10,6 +10,7 @@
OCP\JSON::checkLoggedIn(); OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts'); OCP\JSON::checkAppEnabled('contacts');
OCP\JSON::callCheck();
$bookid = $_POST['bookid']; $bookid = $_POST['bookid'];
$book = OC_Contacts_App::getAddressbook($bookid);// is owner access check $book = OC_Contacts_App::getAddressbook($bookid);// is owner access check

1
ajax/addcontact.php
View File

@ -23,6 +23,7 @@
// Check if we are a user // Check if we are a user
OCP\JSON::checkLoggedIn(); OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts'); OCP\JSON::checkAppEnabled('contacts');
OCP\JSON::callCheck();
$aid = isset($_POST['aid'])?$_POST['aid']:null; $aid = isset($_POST['aid'])?$_POST['aid']:null;
if(!$aid) { if(!$aid) {

10
ajax/addproperty.php
View File

@ -23,6 +23,16 @@
// Check if we are a user // Check if we are a user
OCP\JSON::checkLoggedIn(); OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts'); OCP\JSON::checkAppEnabled('contacts');
foreach($_SERVER as $key=>$value) {
OCP\Util::writeLog('contacts','ajax/saveproperty.php: _SERVER: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
}
foreach($_POST as $key=>$value) {
OCP\Util::writeLog('contacts','ajax/saveproperty.php: _POST: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
}
foreach($_GET as $key=>$value) {
OCP\Util::writeLog('contacts','ajax/saveproperty.php: _GET: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
}
OCP\JSON::callCheck();
function bailOut($msg) { function bailOut($msg) {
OCP\JSON::error(array('data' => array('message' => $msg))); OCP\JSON::error(array('data' => array('message' => $msg)));

1
ajax/createaddressbook.php
View File

@ -11,6 +11,7 @@
// Check if we are a user // Check if we are a user
OCP\JSON::checkLoggedIn(); OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts'); OCP\JSON::checkAppEnabled('contacts');
OCP\JSON::callCheck();
$userid = OCP\USER::getUser(); $userid = OCP\USER::getUser();
$name = trim(strip_tags($_POST['name'])); $name = trim(strip_tags($_POST['name']));

2
ajax/cropphoto.php
View File

@ -25,10 +25,12 @@ OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts'); OCP\JSON::checkAppEnabled('contacts');
$tmpkey = $_GET['tmpkey']; $tmpkey = $_GET['tmpkey'];
$requesttoken = $_GET['requesttoken'];
$id = $_GET['id']; $id = $_GET['id'];
$tmpl = new OCP\Template("contacts", "part.cropphoto"); $tmpl = new OCP\Template("contacts", "part.cropphoto");
$tmpl->assign('tmpkey', $tmpkey); $tmpl->assign('tmpkey', $tmpkey);
$tmpl->assign('id', $id); $tmpl->assign('id', $id);
$tmpl->assign('requesttoken', $requesttoken);
$page = $tmpl->fetchPage(); $page = $tmpl->fetchPage();
OCP\JSON::success(array('data' => array( 'page' => $page ))); OCP\JSON::success(array('data' => array( 'page' => $page )));

1
ajax/deletebook.php
View File

@ -23,6 +23,7 @@
// Check if we are a user // Check if we are a user
OCP\JSON::checkLoggedIn(); OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts'); OCP\JSON::checkAppEnabled('contacts');
OCP\JSON::callCheck();
//$id = $_GET['id']; //$id = $_GET['id'];
$id = $_POST['id']; $id = $_POST['id'];

11
ajax/deletecard.php
View File

@ -28,6 +28,17 @@ function bailOut($msg) {
// Check if we are a user // Check if we are a user
OCP\JSON::checkLoggedIn(); OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts'); OCP\JSON::checkAppEnabled('contacts');
OCP\JSON::callCheck();
// foreach($_SERVER as $key=>$value) {
// OCP\Util::writeLog('contacts','ajax/saveproperty.php: _SERVER: '.$key.'=>'.$value, OCP\Util::DEBUG);
// }
foreach($_POST as $key=>$value) {
OCP\Util::writeLog('contacts','ajax/saveproperty.php: _POST: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
}
foreach($_GET as $key=>$value) {
OCP\Util::writeLog('contacts','ajax/saveproperty.php: _GET: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
}
$id = isset($_POST['id'])?$_POST['id']:null; $id = isset($_POST['id'])?$_POST['id']:null;
if(!$id) { if(!$id) {

1
ajax/deleteproperty.php
View File

@ -23,6 +23,7 @@
// Check if we are a user // Check if we are a user
OCP\JSON::checkLoggedIn(); OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts'); OCP\JSON::checkAppEnabled('contacts');
OCP\JSON::callCheck();
$id = $_POST['id']; $id = $_POST['id'];
$checksum = $_POST['checksum']; $checksum = $_POST['checksum'];

1
ajax/savecrop.php
View File

@ -22,6 +22,7 @@
// Check if we are a user // Check if we are a user
OCP\JSON::checkLoggedIn(); OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts'); OCP\JSON::checkAppEnabled('contacts');
OCP\JSON::callCheck();
// Firefox and Konqueror tries to download application/json for me. --Arthur // Firefox and Konqueror tries to download application/json for me. --Arthur
OCP\JSON::setContentTypeHeader('text/plain'); OCP\JSON::setContentTypeHeader('text/plain');

19
ajax/saveproperty.php
View File

@ -20,10 +20,6 @@
* *
*/ */
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts');
function bailOut($msg) { function bailOut($msg) {
OCP\JSON::error(array('data' => array('message' => $msg))); OCP\JSON::error(array('data' => array('message' => $msg)));
OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG); OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG);
@ -33,6 +29,21 @@ function debug($msg) {
OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG); OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG);
} }
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts');
foreach($_SERVER as $key=>$value) {
debug('_SERVER: '.$key.'=>'.print_r($value, true));
}
foreach($_POST as $key=>$value) {
debug('_POST: '.$key.'=>'.print_r($value, true));
}
foreach($_GET as $key=>$value) {
debug('_GET: '.$key.'=>'.print_r($value, true));
}
OCP\JSON::callCheck();
$id = isset($_POST['id'])?$_POST['id']:null; $id = isset($_POST['id'])?$_POST['id']:null;
$name = isset($_POST['name'])?$_POST['name']:null; $name = isset($_POST['name'])?$_POST['name']:null;
$value = isset($_POST['value'])?$_POST['value']:null; $value = isset($_POST['value'])?$_POST['value']:null;

2
ajax/uploadphoto.php
View File

@ -23,6 +23,8 @@
// Check if we are a user // Check if we are a user
OCP\JSON::checkLoggedIn(); OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts'); OCP\JSON::checkAppEnabled('contacts');
OCP\JSON::callCheck();
// Firefox and Konqueror tries to download application/json for me. --Arthur // Firefox and Konqueror tries to download application/json for me. --Arthur
OCP\JSON::setContentTypeHeader('text/plain'); OCP\JSON::setContentTypeHeader('text/plain');
function bailOut($msg) { function bailOut($msg) {

4
js/contacts.js
View File

@ -622,7 +622,7 @@ Contacts={
q = q + '&id=' + this.id + '&name=' + name; q = q + '&id=' + this.id + '&name=' + name;
if(checksum != undefined && checksum != '') { // save if(checksum != undefined && checksum != '') { // save
q = q + '&checksum=' + checksum; q = q + '&checksum=' + checksum;
//console.log('Saving: ' + q); console.log('Saving: ' + q);
$(obj).attr('disabled', 'disabled'); $(obj).attr('disabled', 'disabled');
$.post(OC.filePath('contacts', 'ajax', 'saveproperty.php'),q,function(jsondata){ $.post(OC.filePath('contacts', 'ajax', 'saveproperty.php'),q,function(jsondata){
if(jsondata.status == 'success'){ if(jsondata.status == 'success'){
@ -640,7 +640,7 @@ Contacts={
} }
},'json'); },'json');
} else { // add } else { // add
//console.log('Adding: ' + q); console.log('Adding: ' + q);
$(obj).attr('disabled', 'disabled'); $(obj).attr('disabled', 'disabled');
$.post(OC.filePath('contacts', 'ajax', 'addproperty.php'),q,function(jsondata){ $.post(OC.filePath('contacts', 'ajax', 'addproperty.php'),q,function(jsondata){
if(jsondata.status == 'success'){ if(jsondata.status == 'success'){

2
templates/part.contact.php
View File

@ -3,6 +3,7 @@ $id = isset($_['id']) ? $_['id'] : '';
?> ?>
<div id="card"> <div id="card">
<form class="float" id="file_upload_form" action="<?php echo OCP\Util::linkTo('contacts', 'ajax/uploadphoto.php'); ?>" method="post" enctype="multipart/form-data" target="file_upload_target"> <form class="float" id="file_upload_form" action="<?php echo OCP\Util::linkTo('contacts', 'ajax/uploadphoto.php'); ?>" method="post" enctype="multipart/form-data" target="file_upload_target">
<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
<input type="hidden" name="id" value="<?php echo $_['id'] ?>"> <input type="hidden" name="id" value="<?php echo $_['id'] ?>">
<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $_['uploadMaxFilesize'] ?>" id="max_upload"> <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $_['uploadMaxFilesize'] ?>" id="max_upload">
<input type="hidden" class="max_human_file_size" value="(max <?php echo $_['uploadMaxHumanFilesize']; ?>)"> <input type="hidden" class="max_human_file_size" value="(max <?php echo $_['uploadMaxHumanFilesize']; ?>)">
@ -23,6 +24,7 @@ $id = isset($_['id']) ? $_['id'] : '';
<div id="contact_identity" class="contactsection"> <div id="contact_identity" class="contactsection">
<form method="post"> <form method="post">
<input type="hidden" name="id" value="<?php echo $_['id'] ?>"> <input type="hidden" name="id" value="<?php echo $_['id'] ?>">
<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
<fieldset id="ident" class="contactpart"> <fieldset id="ident" class="contactpart">
<span class="propertycontainer" data-element="N"><input type="hidden" id="n" class="contacts_property" name="value" value="" /></span> <span class="propertycontainer" data-element="N"><input type="hidden" id="n" class="contacts_property" name="value" value="" /></span>
<span id="name" class="propertycontainer" data-element="FN"> <span id="name" class="propertycontainer" data-element="FN">

2
templates/part.cropphoto.php
View File

@ -1,6 +1,7 @@
<?php <?php
$id = $_['id']; $id = $_['id'];
$tmpkey = $_['tmpkey']; $tmpkey = $_['tmpkey'];
$csrf_token = $_GET['csrf_token'];
OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmpkey: '.$tmpkey, OCP\Util::DEBUG); OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmpkey: '.$tmpkey, OCP\Util::DEBUG);
?> ?>
<script language="Javascript"> <script language="Javascript">
@ -48,6 +49,7 @@ OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmpkey: '.$tmpkey,
action="<?php echo OCP\Util::linkToAbsolute('contacts', 'ajax/savecrop.php'); ?>"> action="<?php echo OCP\Util::linkToAbsolute('contacts', 'ajax/savecrop.php'); ?>">
<input type="hidden" id="id" name="id" value="<?php echo $id; ?>" /> <input type="hidden" id="id" name="id" value="<?php echo $id; ?>" />
<input type="hidden" name="requesttoken" value="<?php echo $csrf_token; ?>">
<input type="hidden" id="tmpkey" name="tmpkey" value="<?php echo $tmpkey; ?>" /> <input type="hidden" id="tmpkey" name="tmpkey" value="<?php echo $tmpkey; ?>" />
<fieldset id="coords"> <fieldset id="coords">
<input type="hidden" id="x1" name="x1" value="" /> <input type="hidden" id="x1" name="x1" value="" />