fixes #1011 add user input checks (and pwg_token) to avoid SQL injection (and CSRF)

admin/group_perm.php

@@ -18,19 +18,26 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
 
+if (!empty($_POST))
+{
+  check_pwg_token();
+  check_input_parameter('cat_true', $_POST, true, PATTERN_ID);
+  check_input_parameter('cat_false', $_POST, true, PATTERN_ID);
+}
+
 // +-----------------------------------------------------------------------+
 // |                            variables init                             |
 // +-----------------------------------------------------------------------+
 
-if (isset($_GET['group_id']) and is_numeric($_GET['group_id']))
+if (!isset($_GET['group_id']))
 {
-  $page['group'] = $_GET['group_id'];
+  fatal_error('group_id URL parameter is missing');
-}
-else
-{
-  die('group_id URL parameter is missing');
 }
 
+check_input_parameter('group_id', $_GET, false, PATTERN_ID);
+
+$page['group'] = $_GET['group_id'];
+
 // +-----------------------------------------------------------------------+
 // |                                updates                                |
 // +-----------------------------------------------------------------------+
@@ -157,6 +164,8 @@ $query_false.= '
 ;';
 display_select_cat_wrapper($query_false,array(),'category_option_false');
 
+$template->assign('PWG_TOKEN', get_pwg_token());
+
 // +-----------------------------------------------------------------------+
 // |                           html code display                           |
 // +-----------------------------------------------------------------------+

admin/themes/default/template/group_perm.tpl

@@ -3,6 +3,7 @@
 
 <form method="post" action="{$F_ACTION}">
   {$DOUBLE_SELECT}
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
 </form>
 
 <p>{'Only private albums are listed'|@translate}</p>

admin/themes/default/template/user_perm.tpl

@@ -18,5 +18,6 @@
 
   <form method="post" action="{$F_ACTION}">
     {$DOUBLE_SELECT}
+    <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
   </form>
 </fieldset>

admin/user_perm.php

@@ -18,6 +18,13 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
 
+if (!empty($_POST))
+{
+  check_pwg_token();
+  check_input_parameter('cat_true', $_POST, true, PATTERN_ID);
+  check_input_parameter('cat_false', $_POST, true, PATTERN_ID);
+}
+
 // +-----------------------------------------------------------------------+
 // |                            variables init                             |
 // +-----------------------------------------------------------------------+
@@ -158,6 +165,8 @@ $query_false.= '
 ;';
 display_select_cat_wrapper($query_false,array(),'category_option_false');
 
+$template->assign('PWG_TOKEN', get_pwg_token());
+
 // +-----------------------------------------------------------------------+
 // |                           sending html code                           |
 // +-----------------------------------------------------------------------+