vérificatio CSRF et mise en page
This commit is contained in:
parent
358ab47957
commit
cf3180f6b8
9 changed files with 125 additions and 50 deletions
|
@ -65,6 +65,16 @@ footer {
|
||||||
cursor: pointer;
|
cursor: pointer;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
input[type=submit].delete {
|
||||||
|
background : url('../img/delete.png') no-repeat center center;
|
||||||
|
width : 16px;
|
||||||
|
height :16px;
|
||||||
|
border : none;
|
||||||
|
color : transparent;
|
||||||
|
cursor: pointer;
|
||||||
|
font-size : 0;
|
||||||
|
}
|
||||||
|
|
||||||
#main #content {
|
#main #content {
|
||||||
margin-top: 20px;
|
margin-top: 20px;
|
||||||
}
|
}
|
||||||
|
@ -77,13 +87,15 @@ footer {
|
||||||
min-height: 8em;
|
min-height: 8em;
|
||||||
-webkit-border-radius: 2px;
|
-webkit-border-radius: 2px;
|
||||||
border-radius: 2px;
|
border-radius: 2px;
|
||||||
-webkit-box-shadow: 0px 0px 2px -1px #000;
|
-webkit-box-shadow: 0px 0px 6px -1px #000;
|
||||||
box-shadow: 0px 0px 2px -1px #000;
|
box-shadow: 0px 0px 6px -1px #000;
|
||||||
width: 30%;
|
width: 30%;
|
||||||
margin: 10px;
|
margin: 10px;
|
||||||
float: left;
|
float: left;
|
||||||
}
|
}
|
||||||
|
#main .entrie h2 {
|
||||||
|
width: 95%;
|
||||||
|
}
|
||||||
#main .entrie h2 a {
|
#main .entrie h2 a {
|
||||||
text-decoration: none;
|
text-decoration: none;
|
||||||
}
|
}
|
||||||
|
@ -92,20 +104,38 @@ footer {
|
||||||
color: #F5BE00;
|
color: #F5BE00;
|
||||||
}
|
}
|
||||||
|
|
||||||
#main .entrie .tools {
|
.tools {
|
||||||
position:absolute;
|
position: absolute;
|
||||||
bottom: 0;
|
top: 20px;
|
||||||
width: 100%;
|
right: 20px;
|
||||||
|
width: 30px;
|
||||||
text-align: right;
|
text-align: right;
|
||||||
margin-left: -20px;
|
}
|
||||||
|
|
||||||
|
.tools ul {
|
||||||
|
padding: 0; margin: 0;
|
||||||
|
list-style-type: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
.tools ul li {
|
||||||
|
line-height: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.tools a.tool {
|
||||||
|
cursor: pointer;
|
||||||
}
|
}
|
||||||
|
|
||||||
#article .tools {
|
#article .tools {
|
||||||
|
position: relative;
|
||||||
display: inline;
|
display: inline;
|
||||||
|
top: 0px;
|
||||||
|
right: 0px;
|
||||||
|
width: 100%;
|
||||||
|
text-align: left;
|
||||||
}
|
}
|
||||||
|
|
||||||
#article .tools a.tool {
|
#article.tools ul li{
|
||||||
cursor: pointer;
|
display: inline;
|
||||||
}
|
}
|
||||||
|
|
||||||
#main .entrie .tools a.tool span, #article .tools a.tool span {
|
#main .entrie .tools a.tool span, #article .tools a.tool span {
|
||||||
|
|
|
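Review bot: The new selector `#article.tools ul li{` has no space between `#article` and `.tools`, so it only matches an element that carries both the id and the class; the neighbouring rule `#article .tools {` and the line it replaces (`#article .tools a.tool`) both use a descendant selector, so this is presumably a typo for `#article .tools ul li {`. The rest of the section is styling only and raises nothing.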
@ -23,3 +23,11 @@ raintpl::$base_url = get_poche_url();
|
||||||
raintpl::configure('path_replace', false);
|
raintpl::configure('path_replace', false);
|
||||||
raintpl::configure('debug', false);
|
raintpl::configure('debug', false);
|
||||||
$tpl = new raintpl();
|
$tpl = new raintpl();
|
||||||
|
|
||||||
|
session_start();
|
||||||
|
|
||||||
|
if (!isset($_SESSION['token_poche'])) {
|
||||||
|
$token = md5(uniqid(rand(), TRUE));
|
||||||
|
$_SESSION['token_poche'] = $token;
|
||||||
|
$_SESSION['token_time_poche'] = time();
|
||||||
|
}
|
|
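Review bot: The CSRF token at `$token = md5(uniqid(rand(), TRUE));` is derived from `rand()` and the time-based `uniqid()`, neither of which is a cryptographic source, so the value is guessable by an attacker who can estimate the request time. Generate it from the platform CSPRNG instead: `$token = bin2hex(random_bytes(16));` on PHP 7+, or `$token = bin2hex(openssl_random_pseudo_bytes(16));` on older releases. `session_start()` is now issued here unconditionally, which means config.php must be included before any output is emitted; that appears to hold for the includers changed in this commit, but a one-line comment above the call stating the requirement would save the next maintainer a "headers already sent" hunt.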
@ -125,7 +125,7 @@ function prepare_url($url)
|
||||||
/**
|
/**
|
||||||
* Appel d'une action (mark as fav, archive, delete)
|
* Appel d'une action (mark as fav, archive, delete)
|
||||||
*/
|
*/
|
||||||
function action_to_do($action, $id)
|
function action_to_do($action, $id, $url, $token)
|
||||||
{
|
{
|
||||||
global $db;
|
global $db;
|
||||||
|
|
||||||
|
@ -140,8 +140,11 @@ function action_to_do($action, $id)
|
||||||
$params_action = array($url, $parametres_url['title'], $parametres_url['content']);
|
$params_action = array($url, $parametres_url['title'], $parametres_url['content']);
|
||||||
break;
|
break;
|
||||||
case 'delete':
|
case 'delete':
|
||||||
$sql_action = "DELETE FROM entries WHERE id=?";
|
if (verif_token($token)) {
|
||||||
$params_action = array($id);
|
$sql_action = "DELETE FROM entries WHERE id=?";
|
||||||
|
$params_action = array($id);
|
||||||
|
}
|
||||||
|
else die('CSRF problem');
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
|
@ -225,3 +228,24 @@ function get_article($id)
|
||||||
|
|
||||||
return $entry;
|
return $entry;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Vérifie si le jeton passé en $_POST correspond à celui en session
|
||||||
|
*/
|
||||||
|
function verif_token($token)
|
||||||
|
{
|
||||||
|
if(isset($_SESSION['token_poche']) && isset($_SESSION['token_time_poche']) && isset($token))
|
||||||
|
{
|
||||||
|
if($_SESSION['token_poche'] == $token)
|
||||||
|
{
|
||||||
|
$old_timestamp = time() - (15*60);
|
||||||
|
if($_SESSION['token_time_poche'] >= $old_timestamp)
|
||||||
|
{
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
else return FALSE;
|
||||||
|
}
|
||||||
|
else return FALSE;
|
||||||
|
}
|
||||||
|
else return FALSE;
|
||||||
|
}
|
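Review bot: `verif_token()` checks the submitted value with `if($_SESSION['token_poche'] == $token)`, a loose and non-constant-time comparison, and `isset($token)` is true for any non-null argument — including the empty string index.php passes when no token was posted — so it guards nothing; compare with `hash_equals($_SESSION['token_poche'], (string) $token)` on PHP ≥ 5.6 (otherwise `===`) and reject `$token === ''` explicitly. The 15-minute window at `$old_timestamp = time() - (15*60);` is also never refreshed: config.php only creates the token when `$_SESSION['token_poche']` is unset, so once the window elapses every delete and toggle fails with 'CSRF problem' until the session is destroyed — regenerate the token (or at least its timestamp) when it expires or after each successful check. The same pattern applies to the `delete` branch of `action_to_do()` in the earlier hunk, where `else die('CSRF problem');` ends the request with HTTP 200 and no actionable status; `action_to_do()` starts and ends outside that hunk.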
13
index.php
13
index.php
|
@ -10,12 +10,16 @@
|
||||||
|
|
||||||
include dirname(__FILE__).'/inc/config.php';
|
include dirname(__FILE__).'/inc/config.php';
|
||||||
|
|
||||||
$action = (isset ($_GET['action'])) ? htmlspecialchars($_GET['action']) : '';
|
$action = (isset ($_REQUEST['action'])) ? htmlentities($_REQUEST['action']) : '';
|
||||||
$view = (isset ($_GET['view'])) ? htmlspecialchars($_GET['view']) : 'index';
|
$view = (isset ($_GET['view'])) ? htmlentities($_GET['view']) : 'index';
|
||||||
$id = (isset ($_GET['id'])) ? htmlspecialchars($_GET['id']) : '';
|
$id = (isset ($_REQUEST['id'])) ? htmlspecialchars($_REQUEST['id']) : '';
|
||||||
$url = (isset ($_GET['url'])) ? $_GET['url'] : '';
|
$url = (isset ($_GET['url'])) ? $_GET['url'] : '';
|
||||||
|
$token = (isset ($_POST['token'])) ? $_POST['token'] : '';
|
||||||
|
|
||||||
|
if ($action != '') {
|
||||||
|
action_to_do($action, $id, $url, $token);
|
||||||
|
}
|
||||||
|
|
||||||
action_to_do($action, $id);
|
|
||||||
$entries = display_view($view);
|
$entries = display_view($view);
|
||||||
|
|
||||||
$tpl->assign('title', 'poche, a read it later open source system');
|
$tpl->assign('title', 'poche, a read it later open source system');
|
||||||
|
@ -23,4 +27,5 @@ $tpl->assign('view', $view);
|
||||||
$tpl->assign('poche_url', get_poche_url());
|
$tpl->assign('poche_url', get_poche_url());
|
||||||
$tpl->assign('entries', $entries);
|
$tpl->assign('entries', $entries);
|
||||||
$tpl->assign('load_all_js', 1);
|
$tpl->assign('load_all_js', 1);
|
||||||
|
$tpl->assign('token', $_SESSION['token_poche']);
|
||||||
$tpl->draw('home');
|
$tpl->draw('home');
|
|
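Review bot: `$id = (isset ($_REQUEST['id'])) ? htmlspecialchars($_REQUEST['id']) : '';` treats an output-escaping function as input validation; since `$id` only reaches a prepared `WHERE id=?`, it should be constrained instead, e.g. `$id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : 0;` if entry ids are integers (as `view.php?id=` suggests), and `htmlentities()` on `$action` likewise constrains nothing — a whitelist of known actions would. `$_REQUEST` also merges `$_COOKIE` under the default `request_order`, so a cookie named `action` or `id` can drive `action_to_do()`; reading `$_POST` with an explicit `$_GET` fallback (the bookmarklet still sends `action=add` via GET) makes the intended channels visible. The last hunk's `$tpl->assign('token', $_SESSION['token_poche']);` relies on config.php having started the session and created the token; a short comment saying so would help.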
@ -1,16 +1,16 @@
|
||||||
function toggle_favorite(element, id) {
|
function toggle_favorite(element, id, token) {
|
||||||
$(element).toggleClass('fav-off');
|
$(element).toggleClass('fav-off');
|
||||||
$.ajax ({
|
$.ajax ({
|
||||||
url: "process.php?action=toggle_fav",
|
url: "process.php?action=toggle_fav",
|
||||||
data:{id:id}
|
data:{id:id, token:token}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
function toggle_archive(element, id, view_article) {
|
function toggle_archive(element, id, token, view_article) {
|
||||||
$(element).toggleClass('archive-off');
|
$(element).toggleClass('archive-off');
|
||||||
$.ajax ({
|
$.ajax ({
|
||||||
url: "process.php?action=toggle_archive",
|
url: "process.php?action=toggle_archive",
|
||||||
data:{id:id}
|
data:{id:id, token:token}
|
||||||
});
|
});
|
||||||
var obj = $('#entry-'+id);
|
var obj = $('#entry-'+id);
|
||||||
|
|
||||||
|
|
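Review bot: Both `$.ajax` calls now pass `token` in `data` but set no `type`, so jQuery issues a GET and the CSRF token travels in the query string, where it is written to server access logs and browser history and leaks through the Referer of any outbound link; add `type: 'POST'` to both calls and have process.php (a later section in this commit) read `$_POST['token']` and `$_POST['id']` instead of `$_GET`. `toggle_archive` also gains `token` as its third parameter, moving `view_article` to fourth, so any caller outside the two templates updated here that still passes `(element, id, 1)` would silently send `1` as the token — worth a grep.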
45
process.php
45
process.php
|
@ -11,27 +11,30 @@
|
||||||
include dirname(__FILE__).'/inc/config.php';
|
include dirname(__FILE__).'/inc/config.php';
|
||||||
$db = new db(DB_PATH);
|
$db = new db(DB_PATH);
|
||||||
|
|
||||||
$action = (isset ($_GET['action'])) ? htmlspecialchars($_GET['action']) : '';
|
$action = (isset ($_GET['action'])) ? htmlentities($_GET['action']) : '';
|
||||||
$id = (isset ($_GET['id'])) ? htmlspecialchars($_GET['id']) : '';
|
$id = (isset ($_GET['id'])) ? htmlentities($_GET['id']) : '';
|
||||||
|
$token = (isset ($_GET['token'])) ? $_GET['token'] : '';
|
||||||
|
|
||||||
switch ($action)
|
if (verif_token($token)) {
|
||||||
{
|
switch ($action)
|
||||||
case 'toggle_fav' :
|
{
|
||||||
$sql_action = "UPDATE entries SET is_fav=~is_fav WHERE id=?";
|
case 'toggle_fav' :
|
||||||
$params_action = array($id);
|
$sql_action = "UPDATE entries SET is_fav=~is_fav WHERE id=?";
|
||||||
break;
|
$params_action = array($id);
|
||||||
case 'toggle_archive' :
|
break;
|
||||||
$sql_action = "UPDATE entries SET is_read=~is_read WHERE id=?";
|
case 'toggle_archive' :
|
||||||
$params_action = array($id);
|
$sql_action = "UPDATE entries SET is_read=~is_read WHERE id=?";
|
||||||
break;
|
$params_action = array($id);
|
||||||
default:
|
break;
|
||||||
break;
|
default:
|
||||||
}
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
# action query
|
# action query
|
||||||
if (isset($sql_action))
|
if (isset($sql_action))
|
||||||
{
|
{
|
||||||
$query = $db->getHandle()->prepare($sql_action);
|
$query = $db->getHandle()->prepare($sql_action);
|
||||||
$query->execute($params_action);
|
$query->execute($params_action);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
?>
|
else die('CSRF problem');
|
|
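Review bot: On a failed check the new `else die('CSRF problem');` ends the request with HTTP 200 and a plain-text body, so the `$.ajax` callers treat it as success and the UI stays toggled (`toggleClass` runs before the request is sent); return a status the client can act on, `header('HTTP/1.1 403 Forbidden'); exit;` (or `http_response_code(403)` on PHP ≥ 5.4), and consider logging the rejection since repeated failures are a useful signal for an operator. `$id = (isset ($_GET['id'])) ? htmlentities($_GET['id']) : '';` escapes for HTML output rather than validating the value that reaches the prepared statement; cast to `(int)` if ids are integers. Reading the token from `$_GET['token']` puts it in the URL, as noted on the js section.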
@ -8,7 +8,7 @@
|
||||||
<li><a href="index.php" {if="$view == 'index'"}class="current"{/if}>home</a></li>
|
<li><a href="index.php" {if="$view == 'index'"}class="current"{/if}>home</a></li>
|
||||||
<li><a href="?view=fav" {if="$view == 'fav'"}class="current"{/if}>favorites</a></li>
|
<li><a href="?view=fav" {if="$view == 'fav'"}class="current"{/if}>favorites</a></li>
|
||||||
<li><a href="?view=archive" {if="$view == 'archive'"}class="current"{/if}>archive</a></li>
|
<li><a href="?view=archive" {if="$view == 'archive'"}class="current"{/if}>archive</a></li>
|
||||||
<li><a style="cursor: move" title="i am a bookmarklet, use me !" href="javascript:(function(){var%20url%20=%20location.href;var%20title%20=%20document.title%20||%20url;window.open('{$poche_url}?action=add&url='%20+%20encodeURIComponent(url),'_self');})();">poche it !</a></li>
|
<li><a style="cursor: move" title="i am a bookmarklet, use me !" href="javascript:(function(){var%20url%20=%20location.href%20||%20url;window.open('{$poche_url}?action=add&url='%20+%20encodeURIComponent(url),'_self');})();">poche it !</a></li>
|
||||||
</ul>
|
</ul>
|
||||||
<div id="content">
|
<div id="content">
|
||||||
{loop="entries"}
|
{loop="entries"}
|
||||||
|
@ -18,9 +18,11 @@
|
||||||
<a href="view.php?id={$value.id}">{$value.title}</a>
|
<a href="view.php?id={$value.id}">{$value.title}</a>
|
||||||
</h2>
|
</h2>
|
||||||
<div class="tools">
|
<div class="tools">
|
||||||
<a title="toggle mark as read" class="tool archive {if="$value.is_read == '0'"}archive-off{/if}" onclick="toggle_archive(this, {$value.id})"><span></span></a>
|
<ul>
|
||||||
<a title="toggle favorite" class="tool fav {if="$value.is_fav == '0'"}fav-off{/if}" onclick="toggle_favorite(this, {$value.id})"><span></span></a>
|
<li><a title="toggle mark as read" class="tool archive {if="$value.is_read == '0'"}archive-off{/if}" onclick="toggle_archive(this, {$value.id}, '{$token}')"><span></span></a></li>
|
||||||
<a href="?action=delete&id={$value.id}" title="toggle delete" onclick="return confirm('Are you sure?')" class="tool delete"><span></span></a>
|
<li><a title="toggle favorite" class="tool fav {if="$value.is_fav == '0'"}fav-off{/if}" onclick="toggle_favorite(this, {$value.id}, '{$token}')"><span></span></a></li>
|
||||||
|
<li><form method="post" onsubmit="return confirm('Are you sure?')" style="display: inline;"><input type="hidden" name="token" id="token" value="{$token}" /><input type="hidden" id="action" name="action" value="delete" /><input type="hidden" id="id" name="id" value="{$value.id}" /><input type="submit" class="delete" title="toggle delete" /></form></li>
|
||||||
|
</ul>
|
||||||
</div>
|
</div>
|
||||||
</span>
|
</span>
|
||||||
</div>
|
</div>
|
||||||
|
|
|
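Review bot: The delete form sits inside `{loop="entries"}`, so every entry repeats `id="token"`, `id="action"` and `id="id"` on its hidden inputs, producing duplicate element ids across the page; the server reads these inputs by `name`, so the `id` attributes can simply be dropped. The form has no `action` attribute and therefore posts to the current URL, which is index.php for this template; the same markup is copied into view.html, where that is not the case (see that section). The bookmarklet edit in the first hunk replaced `var title = document.title || url` with `var url = location.href || url`, which reads `url` before it is assigned and never falls back to anything — presumably an accidental edit, so either restore the previous form or drop the `|| url`.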
@ -5,9 +5,11 @@
|
||||||
<a href="index.php" title="back to home">←</a>
|
<a href="index.php" title="back to home">←</a>
|
||||||
</div>
|
</div>
|
||||||
<div class="tools">
|
<div class="tools">
|
||||||
<a title="toggle mark as read" class="tool archive {if="$is_read == 0"}archive-off{/if}" onclick="toggle_archive(this, {$id}, 1)"><span></span></a>
|
<ul>
|
||||||
<a title="toggle favorite" class="tool fav {if="$is_fav == 0"}fav-off{/if}" onclick="toggle_favorite(this, {$id})"><span></span></a>
|
<li><a title="toggle mark as read" class="tool archive {if="$is_read == '0'"}archive-off{/if}" onclick="toggle_archive(this, {$id}, '{$token}')"><span></span></a></li>
|
||||||
<a href="index.php?action=delete&id={$id}" title="toggle delete" onclick="return confirm('Are you sure?')" class="tool delete"><span></span></a>
|
<li><a title="toggle favorite" class="tool fav {if="$is_fav == '0'"}fav-off{/if}" onclick="toggle_favorite(this, {$id}, '{$token}')"><span></span></a></li>
|
||||||
|
<li><form method="post" onsubmit="return confirm('Are you sure?')" style="display: inline;"><input type="hidden" name="token" id="token" value="{$token}" /><input type="hidden" id="action" name="action" value="delete" /><input type="hidden" id="id" name="id" value="{$id}" /><input type="submit" class="delete" title="toggle delete" /></form></li>
|
||||||
|
</ul>
|
||||||
</div>
|
</div>
|
||||||
<header class="mbm">
|
<header class="mbm">
|
||||||
<h1><a href="{$url}">{$title}</a></h1>
|
<h1><a href="{$url}">{$title}</a></h1>
|
||||||
|
|
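Review bot: The new delete form has no `action` attribute, so it posts to view.php itself, whereas the link it replaces targeted `index.php?action=delete&id={$id}`; unless view.php dispatches `action_to_do()` (its hunk in this commit only assigns the token to the template), the delete is silently ignored — add `action="index.php"` to the `<form>`. The `{if="$is_read == '0'"}` quoting change brings this template in line with home.html.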
1
view.php
1
view.php
|
@ -24,6 +24,7 @@ if(!empty($id)) {
|
||||||
$tpl->assign('is_fav', $entry[0]['is_fav']);
|
$tpl->assign('is_fav', $entry[0]['is_fav']);
|
||||||
$tpl->assign('is_read', $entry[0]['is_read']);
|
$tpl->assign('is_read', $entry[0]['is_read']);
|
||||||
$tpl->assign('load_all_js', 0);
|
$tpl->assign('load_all_js', 0);
|
||||||
|
$tpl->assign('token', $_SESSION['token_poche']);
|
||||||
$tpl->draw('view');
|
$tpl->draw('view');
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
|