From e95036b92a6f1d9f291999f03e5a70eca869270d Mon Sep 17 00:00:00 2001
From: plegall
Date: Mon, 12 Feb 2024 16:51:53 +0100
Subject: [PATCH] fixes GHSA-p362-cfpj-q55f protect against CSRF on batch manager unit mode

---
 admin/batch_manager_unit.php                         | 2 ++
 admin/include/functions.php                          | 2 +-
 admin/themes/default/template/batch_manager_unit.tpl | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/admin/batch_manager_unit.php b/admin/batch_manager_unit.php
index 77552f3d3..352f8d2f0 100644
--- a/admin/batch_manager_unit.php
+++ b/admin/batch_manager_unit.php
@@ -32,6 +32,7 @@ trigger_notify('loc_begin_element_set_unit');
 if (isset($_POST['submit']))
 {
+  check_pwg_token();
   check_input_parameter('element_ids', $_POST, false, '/^\d+(,\d+)*$/');
   $collection = explode(',', $_POST['element_ids']);
@@ -110,6 +111,7 @@ $template->assign(
     'F_ACTION' => $base_url.get_query_string_diff(array()),
     'level_options' => get_privacy_level_options(),
     'ADMIN_PAGE_TITLE' => l10n('Batch Manager'),
+    'PWG_TOKEN' => get_pwg_token(),
     )
   );
diff --git a/admin/include/functions.php b/admin/include/functions.php
index c0dc4c6c3..1657b24c6 100644
--- a/admin/include/functions.php
+++ b/admin/include/functions.php
@@ -2862,7 +2862,7 @@ function get_tag_ids($raw_tags, $allow_create=true)
     elseif ($allow_create)
     {
       // we have to create a new tag
-      $tag_ids[] = tag_id_from_tag_name($raw_tag);
+      $tag_ids[] = tag_id_from_tag_name(strip_tags($raw_tag));
     }
   }
diff --git a/admin/themes/default/template/batch_manager_unit.tpl b/admin/themes/default/template/batch_manager_unit.tpl
index 7c1d7a90b..0edc7df86 100644
--- a/admin/themes/default/template/batch_manager_unit.tpl
+++ b/admin/themes/default/template/batch_manager_unit.tpl
@@ -114,6 +114,7 @@ jQuery("a.preview-box").colorbox( {
 {if !empty($navbar)}{include file='navigation_bar.tpl'|@get_extent:'navbar'}{/if}
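Review bot: The new `check_pwg_token()` guards only the `isset($_POST['submit'])` branch at the top of the first hunk; if batch_manager_unit.php reads other `$_POST` fields outside this branch, those requests still carry no CSRF check, which cannot be confirmed here because the rest of the file is outside the hunk. The call is correctly placed before `check_input_parameter()`, so nothing is acted on until the token has been validated, and that intent deserves a comment above the call: `// CSRF protection: reject the request before reading any other POST field`. The server-side check is only effective once the form actually carries the token, so the matching `'PWG_TOKEN' => get_pwg_token()` in the second hunk depends on the .tpl hunk (whose added line is cut off in this view) rendering it as a hidden input, presumably named `pwg_token` as the checker expects.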
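Review bot: `strip_tags()` on the new line is a lossy sanitiser rather than an escaper: it deletes everything after an unmatched `<`, so a user-supplied tag name such as `a<b` is silently stored as `a`, while characters like `"` and `&` pass through untouched. It reduces the markup that reaches the tags table but does not replace context-aware escaping where tag names are rendered (`htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` for HTML output), which lies outside this diff and is worth verifying. The change also covers only the `$allow_create` branch; names that match an existing tag are resolved earlier in `get_tag_ids`, whose body begins before the hunk. A short comment would make the intent explicit: `// defence in depth: drop markup from names used to create tags; rendering still needs escaping`.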

+