mirrors/Piwigo
1
0
Fork 0
mirror of https://github.com/Piwigo/Piwigo.git synced 2025-04-28 12:19:57 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

fixes #872, CVE-2018-7724, protect photo admin page from CSRF

Browse source
This commit is contained in:
plegall 2018-07-06 14:38:39 +02:00
parent 06f4252312
commit bef09018fb
2 changed files with 4 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
admin/picture_modify.php
View file

@ -118,6 +118,8 @@ if (isset($_GET['sync_metadata']))
//--------------------------------------------------------- update informations //--------------------------------------------------------- update informations
if (isset($_POST['submit'])) if (isset($_POST['submit']))
{ {
check_pwg_token();
$data = array(); $data = array();
$data['id'] = $_GET['image_id']; $data['id'] = $_GET['image_id'];
$data['name'] = $_POST['name']; $data['name'] = $_POST['name'];
@ -445,6 +447,7 @@ $template->assign(array(
'represented_albums' => $represented_albums, 'represented_albums' => $represented_albums,
'STORAGE_ALBUM' => $storage_category_id, 'STORAGE_ALBUM' => $storage_category_id,
'CACHE_KEYS' => get_admin_client_cache_keys(array('tags', 'categories')), 'CACHE_KEYS' => get_admin_client_cache_keys(array('tags', 'categories')),
'PWG_TOKEN' => get_pwg_token(),
)); ));
trigger_notify('loc_end_picture_modify'); trigger_notify('loc_end_picture_modify');

1
admin/themes/default/template/picture_modify.tpl
View file

@ -151,6 +151,7 @@ jQuery("a.preview-box").colorbox({
</p> </p>
<p style="margin:40px 0 0 0"> <p style="margin:40px 0 0 0">
<input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
<input class="submit" type="submit" value="{'Save Settings'|@translate}" name="submit"> <input class="submit" type="submit" value="{'Save Settings'|@translate}" name="submit">
</p> </p>
</fieldset> </fieldset>