RanchiMall/php-mpos
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

switched account edit csrf token to 1 min now that saving works on an incorrect entry

Browse Source
This commit is contained in:
xisi 2014-01-18 17:12:41 -05:00
parent 36f3a16cc3
commit 5e5e751271
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
public/include/pages/account/edit.inc.php
View File

@ -16,7 +16,7 @@ $updating = (@$_POST['do']) ? 1 : 0;
// csrf stuff // csrf stuff
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
if ($csrfenabled) { if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount') == @$_POST['ctoken']) ? 1 : 0;
} }
if ($user->isAuthenticated()) { if ($user->isAuthenticated()) {
@ -199,7 +199,7 @@ $smarty->assign("CHANGEPASSSENT", $cp_sent);
$smarty->assign("WITHDRAWSENT", $wf_sent); $smarty->assign("WITHDRAWSENT", $wf_sent);
$smarty->assign("DETAILSSENT", $ea_sent); $smarty->assign("DETAILSSENT", $ea_sent);
if ($csrfenabled) { if ($csrfenabled) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }
// Tempalte specifics // Tempalte specifics

4
public/include/pages/password/change.inc.php
View File

@ -8,7 +8,7 @@ if (!defined('SECURITY'))
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
if ($csrfenabled) { if ($csrfenabled) {
// we have to use editaccount token because this can be called from 2 separate places // we have to use editaccount token because this can be called from 2 separate places
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount') == @$_POST['ctoken']) ? 1 : 0;
} }
if (!$csrfenabled || $csrfenabled && $nocsrf) { if (!$csrfenabled || $csrfenabled && $nocsrf) {
@ -26,7 +26,7 @@ if (!$csrfenabled || $csrfenabled && $nocsrf) {
// csrf token // csrf token
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }