From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001 From: Marius Cramer <m.cramer@pixcept.de> Date: Thu, 06 Aug 2015 03:18:44 -0400 Subject: [PATCH] - don't set password via remoting if field is empty --- interface/web/admin/remote_action_ispcupdate.php | 20 +++++++++++--------- 1 files changed, 11 insertions(+), 9 deletions(-) diff --git a/interface/web/admin/remote_action_ispcupdate.php b/interface/web/admin/remote_action_ispcupdate.php index 32bf0c4..f22661e 100644 --- a/interface/web/admin/remote_action_ispcupdate.php +++ b/interface/web/admin/remote_action_ispcupdate.php @@ -66,6 +66,10 @@ //* Note: Disabled post action if (1 == 0 && isset($_POST['server_select'])) { + + //* CSRF Check + $app->auth->csrf_token_check(); + $server = $_POST['server_select']; $servers = array(); if ($server == '*') { @@ -80,21 +84,19 @@ } foreach ($servers as $serverId) { $sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " . - "VALUES (". - $app->functions->intval($serverId) . ", " . - time() . ", " . - "'ispc_update', " . - "'', " . - "'pending', " . - "''" . - ")"; - $app->db->query($sql); + "VALUES (?, UNIX_TIMESTAMP(), 'ispc_update', '', 'pending', '')"; + $app->db->query($sql, $serverId); } $msg = $wb['action_scheduled']; } $app->tpl->setVar('msg', $msg); +//* SET csrf token +$csrf_token = $app->auth->csrf_token_get('ispupdate'); +$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); +$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); + $app->tpl->setVar($wb); $app->tpl_defaults(); -- Gitblit v1.9.1