github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-07-07 13:31:53 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Proper way to fix CSRF in /schedule/backup/

Browse source
This commit is contained in:
myvesta 2021-08-29 00:54:57 +02:00
parent 0336e8b8d0
commit 11f1cfcf4e
2 changed files with 8 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

10
web/schedule/backup/index.php
View file

@ -1,14 +1,18 @@
<?php <?php
// Preventing CSRF
prevent_post_csrf(true);
// Init // Init
error_reporting(NULL); error_reporting(NULL);
ob_start(); ob_start();
session_start(); session_start();
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check token
if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
die($_SESSION['token']);
header('location: /login/');
exit();
}
$v_username = escapeshellarg($user); $v_username = escapeshellarg($user);
exec (VESTA_CMD."v-schedule-user-backup ".$v_username, $output, $return_var); exec (VESTA_CMD."v-schedule-user-backup ".$v_username, $output, $return_var);
if ($return_var == 0) { if ($return_var == 0) {

2
web/templates/admin/list_backup.html
View file

@ -1,6 +1,6 @@
<div class="l-center"> <div class="l-center">
<div class="l-sort clearfix noselect"> <div class="l-sort clearfix noselect">
<a href="/schedule/backup/" class="l-sort__create-btn" title="<?=__('Create Backup')?>"></a> <a href="/schedule/backup/?token=<?=$_SESSION['token']?>" class="l-sort__create-btn" title="<?=__('Create Backup')?>"></a>
<div class="l-sort-toolbar clearfix"> <div class="l-sort-toolbar clearfix">
<table> <table>
<tr> <tr>