mirror/FreshRSS
0
0
Fork 0
mirror of https://github.com/FreshRSS/FreshRSS.git synced 2026-04-04 14:43:32 -04:00
Code Issues Packages Projects Releases Wiki Activity

Do not mix POST and GET params

Browse Source 
Avoid returning CSRF POST token for a GET
This commit is contained in:
Alexandre Alapetite
2016-08-13 19:10:32 +02:00
parent e6fd34bdda
commit 56ffc115d1
6 changed files with 23 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/Controllers/configureController.php
View File

@@ -139,7 +139,7 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
*/
public function sharingAction() {
if (Minz_Request::isPost()) {
$params = Minz_Request::params();
$params = Minz_Request::fetchGET();
FreshRSS_Context::$user_conf->sharing = $params['share'];
FreshRSS_Context::$user_conf->save();
invalidateHttpCache();
@@ -282,7 +282,7 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
foreach (FreshRSS_Context::$user_conf->queries as $key => $query) {
$queries[$key] = new FreshRSS_UserQuery($query, $feed_dao, $category_dao);
}
$params = Minz_Request::params();
$params = Minz_Request::fetchGET();
$params['url'] = Minz_Url::display(array('params' => $params));
$params['name'] = _t('conf.query.number', count($queries) + 1);
$queries[] = new FreshRSS_UserQuery($params, $feed_dao, $category_dao);

2
app/Models/Auth.php
View File

@@ -173,7 +173,7 @@ class FreshRSS_Auth {
return true; //Not logged in yet
}
if ($token === null) {
$token = Minz_Request::param('_csrf');
$token = Minz_Request::fetchPOST('_csrf');
}
return $token === $csrf;
}

19
app/views/entry/bookmark.phtml
View File

@@ -1,17 +1,16 @@
<?php
header('Content-Type: application/json; charset=UTF-8');
if (Minz_Request::param('is_favorite', true)) {
Minz_Request::_param('is_favorite', 0);
} else {
Minz_Request::_param('is_favorite', 1);
}
$url = Minz_Url::display(array(
$url = array(
'c' => Minz_Request::controllerName(),
'a' => Minz_Request::actionName(),
'params' => Minz_Request::params(),
));
'params' => Minz_Request::fetchGET(),
);
$url['params']['is_favorite'] = Minz_Request::param('is_favorite', true) ? '0' : '1';
FreshRSS::loadStylesAndScripts();
echo json_encode(array('url' => str_ireplace('&amp;', '&', $url), 'icon' => _i(Minz_Request::param('is_favorite') ? 'non-starred' : 'starred')));
echo json_encode(array(
'url' => str_ireplace('&amp;', '&', Minz_Url::display($url)),
'icon' => _i($url['params']['is_favorite'] === '1' ? 'non-starred' : 'starred')
));

19
app/views/entry/read.phtml
View File

@@ -1,17 +1,16 @@
<?php
header('Content-Type: application/json; charset=UTF-8');
if (Minz_Request::param('is_read', true)) {
Minz_Request::_param('is_read', 0);
} else {
Minz_Request::_param('is_read', 1);
}
$url = Minz_Url::display(array(
$url = array(
'c' => Minz_Request::controllerName(),
'a' => Minz_Request::actionName(),
'params' => Minz_Request::params(),
));
'params' => Minz_Request::fetchGET(),
);
$url['params']['is_read'] = Minz_Request::param('is_read', true) ? '0' : '1';
FreshRSS::loadStylesAndScripts();
echo json_encode(array('url' => str_ireplace('&amp;', '&', $url), 'icon' => _i(Minz_Request::param('is_read') ? 'unread' : 'read')));
echo json_encode(array(
'url' => str_ireplace('&amp;', '&', Minz_Url::display($url)),
'icon' => _i($url['params']['is_read'] === '1' ? 'unread' : 'read')
));

2
app/views/helpers/logs_pagination.phtml
View File

@@ -1,7 +1,7 @@
<?php
$c = Minz_Request::controllerName();
$a = Minz_Request::actionName();
$params = Minz_Request::params();
$params = Minz_Request::fetchGET();
?>
<?php if ($this->nbPage > 1) { ?>

2
app/views/index/global.phtml
View File

@@ -14,7 +14,7 @@
$url_base = array(
'c' => 'index',
'a' => 'normal',
'params' => Minz_Request::params()
'params' => Minz_Request::fetchGET(),
);
foreach ($this->categories as $cat) {