- fixed csrf handling on server config edit

Marius Cramer · Marius Cramer · commit e5c68a106333 · 2015-06-05T09:55:06.000+02:00
diff --git a/interface/lib/classes/tform.inc.php b/interface/lib/classes/tform.inc.php
@@ -691,10 +691,6 @@ function encode($record, $tab, $dbencode = true) {
 				unset($_POST);
 				unset($record);
 			}
-			$_SESSION['_csrf'][$_csrf_id] = null;
-			$_SESSION['_csrf_timeout'][$_csrf_id] = null;
-			unset($_SESSION['_csrf'][$_csrf_id]);
-			unset($_SESSION['_csrf_timeout'][$_csrf_id]);
 			
 			if(isset($_SESSION['_csrf_timeout']) && is_array($_SESSION['_csrf_timeout'])) {
 				$to_unset = array();
diff --git a/interface/web/admin/server_config_edit.php b/interface/web/admin/server_config_edit.php
@@ -92,11 +92,15 @@ function onUpdateSave($sql) {
 					}
 				}
 			}
-
-			$server_config_array[$section] = $app->tform->encode($this->dataRecord, $section);
-			$server_config_str = $app->ini_parser->get_ini_string($server_config_array);
-
-			$app->db->datalogUpdate('server', "config = '".$app->db->quote($server_config_str)."'", 'server_id', $server_id);
+			
+			if($app->tform->errorMessage == '') {
+				$server_config_array[$section] = $app->tform->encode($this->dataRecord, $section);
+				$server_config_str = $app->ini_parser->get_ini_string($server_config_array);
+
+				$app->db->datalogUpdate('server', "config = '".$app->db->quote($server_config_str)."'", 'server_id', $server_id);
+			} else {
+				$app->error('Security breach!');
+			}
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -92,11 +92,15 @@ function onUpdateSave($sql) {`
`92`	`92`	`}`
`93`	`93`	`}`
`94`	`94`	`}`
`95`		`-`
`96`		`- $server_config_array[$section] = $app->tform->encode($this->dataRecord, $section);`
`97`		`- $server_config_str = $app->ini_parser->get_ini_string($server_config_array);`
`98`		`-`
`99`		`- $app->db->datalogUpdate('server', "config = '".$app->db->quote($server_config_str)."'", 'server_id', $server_id);`
	`95`	`+`
	`96`	`+ if($app->tform->errorMessage == '') {`
	`97`	`+ $server_config_array[$section] = $app->tform->encode($this->dataRecord, $section);`
	`98`	`+ $server_config_str = $app->ini_parser->get_ini_string($server_config_array);`
	`99`	`+`
	`100`	`+ $app->db->datalogUpdate('server', "config = '".$app->db->quote($server_config_str)."'", 'server_id', $server_id);`
	`101`	`+ } else {`
	`102`	`+ $app->error('Security breach!');`
	`103`	`+ }`
`100`	`104`	`}`
`101`	`105`	`}`
`102`	`106`