From e1ceb050e19c7574bca146a8da7047ee4ff456b5 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Sun, 10 Jul 2016 05:02:35 -0400
Subject: [PATCH] Merge branch 'stable-3.1'

---
 interface/web/admin/remote_action_ispcupdate.php |   39 +++++++++++++++++++++++----------------
 1 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/interface/web/admin/remote_action_ispcupdate.php b/interface/web/admin/remote_action_ispcupdate.php
index 3abcd71..f22661e 100644
--- a/interface/web/admin/remote_action_ispcupdate.php
+++ b/interface/web/admin/remote_action_ispcupdate.php
@@ -27,8 +27,10 @@
 EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
-require_once('../../lib/config.inc.php');
-require_once('../../lib/app.inc.php');
+//die('Function has been removed.');
+
+require_once '../../lib/config.inc.php';
+require_once '../../lib/app.inc.php';
 
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
@@ -43,11 +45,12 @@
 
 //* load language file
 $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_remote_action.lng';
-include($lng_file);
+include $lng_file;
 
 /*
  * We need a list of all Servers
  */
+
 $sysServers = $app->db->queryAllRecords("SELECT server_id, server_name FROM server order by server_name");
 $dropDown = "<option value='*'>" . $wb['select_all_server'] . "</option>";
 foreach ($sysServers as $server) {
@@ -60,7 +63,13 @@
 /*
  * If the user wants to do the action, write this to our db
 */
-if (isset($_POST['server_select'])) {
+
+//* Note: Disabled post action
+if (1 == 0 && isset($_POST['server_select'])) {
+	
+	//* CSRF Check
+	$app->auth->csrf_token_check();
+	
 	$server = $_POST['server_select'];
 	$servers = array();
 	if ($server == '*') {
@@ -74,21 +83,19 @@
 		$servers[] = $_POST['server_select'];
 	}
 	foreach ($servers as $serverId) {
-		$sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_status, response) " .
-				"VALUES (".
-				(int)$serverId . ", " .
-				time() . ", " .
-				"'ispc_update', " .
-				"'', " .
-				"'pending', " .
-				"''" .
-				")";
-		$app->db->query($sql);
+		$sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " .
+			"VALUES (?, UNIX_TIMESTAMP(), 'ispc_update', '', 'pending', '')";
+		$app->db->query($sql, $serverId);
 	}
 	$msg = $wb['action_scheduled'];
 }
 
-$app->tpl->setVar('msg',$msg);
+$app->tpl->setVar('msg', $msg);
+
+//* SET csrf token
+$csrf_token = $app->auth->csrf_token_get('ispupdate');
+$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
+$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
 
 $app->tpl->setVar($wb);
 
@@ -96,4 +103,4 @@
 $app->tpl->pparse();
 
 
-?>
\ No newline at end of file
+?>

--
Gitblit v1.9.1