diff options
author | Lukas Reschke <lukas@statuscode.ch> | 2012-07-20 20:12:36 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2012-07-20 20:12:36 +0200 |
commit | 38271ded753bc9ea9943cef3c2706f8d71f3a58f (patch) | |
tree | 4a2bb2cd3ffe196721c448ef891d692171a925df /apps | |
parent | e52ab59b404d6d35ed8619da35b1f70404359212 (diff) | |
download | nextcloud-server-38271ded753bc9ea9943cef3c2706f8d71f3a58f.tar.gz nextcloud-server-38271ded753bc9ea9943cef3c2706f8d71f3a58f.zip |
Added CSRF checks
Diffstat (limited to 'apps')
37 files changed, 44 insertions, 3 deletions
diff --git a/apps/bookmarks/ajax/addBookmark.php b/apps/bookmarks/ajax/addBookmark.php index a2eb506f85e..b4d0f33d721 100644 --- a/apps/bookmarks/ajax/addBookmark.php +++ b/apps/bookmarks/ajax/addBookmark.php @@ -29,6 +29,7 @@ $RUNTIME_NOSETUPFS=true; // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('bookmarks'); +OCP\JSON::callCheck(); require_once(OC::$APPSROOT . '/apps/bookmarks/bookmarksHelper.php'); $id = addBookmark($_POST['url'], $_POST['title'], $_POST['tags']); diff --git a/apps/bookmarks/ajax/delBookmark.php b/apps/bookmarks/ajax/delBookmark.php index 5a067701c9f..140da2a37d1 100644 --- a/apps/bookmarks/ajax/delBookmark.php +++ b/apps/bookmarks/ajax/delBookmark.php @@ -29,6 +29,7 @@ $RUNTIME_NOSETUPFS=true; // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('bookmarks'); +OCP\JSON::callCheck(); $id = $_POST['id']; if (!OC_Bookmarks_Bookmarks::deleteUrl($id)){ diff --git a/apps/bookmarks/ajax/editBookmark.php b/apps/bookmarks/ajax/editBookmark.php index 439b680dc20..36258f70961 100644 --- a/apps/bookmarks/ajax/editBookmark.php +++ b/apps/bookmarks/ajax/editBookmark.php @@ -29,6 +29,7 @@ $RUNTIME_NOSETUPFS=true; // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('bookmarks'); +OCP\JSON::callCheck(); $CONFIG_DBTYPE = OCP\Config::getSystemValue( "dbtype", "sqlite" ); if( $CONFIG_DBTYPE == 'sqlite' or $CONFIG_DBTYPE == 'sqlite3' ){ diff --git a/apps/calendar/ajax/calendar/delete.php b/apps/calendar/ajax/calendar/delete.php index 4d6706f6002..089255cae39 100644 --- a/apps/calendar/ajax/calendar/delete.php +++ b/apps/calendar/ajax/calendar/delete.php @@ -9,6 +9,7 @@ OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('calendar'); +OCP\JSON::callCheck(); $cal = $_POST["calendarid"]; $calendar = OC_Calendar_App::getCalendar($cal, true); diff --git a/apps/calendar/ajax/calendar/edit.php b/apps/calendar/ajax/calendar/edit.php index 82f18fe7f44..3f69666b58c 100644 --- a/apps/calendar/ajax/calendar/edit.php +++ b/apps/calendar/ajax/calendar/edit.php @@ -9,6 +9,7 @@ OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('calendar'); +OCP\JSON::callCheck(); $calendarcolor_options = OC_Calendar_Calendar::getCalendarColorOptions(); $calendar = OC_Calendar_App::getCalendar($_GET['calendarid'], true); diff --git a/apps/calendar/ajax/calendar/new.php b/apps/calendar/ajax/calendar/new.php index 278c8e5520b..34b056abe8f 100644 --- a/apps/calendar/ajax/calendar/new.php +++ b/apps/calendar/ajax/calendar/new.php @@ -11,6 +11,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('calendar'); +OCP\JSON::callCheck(); if(trim($_POST['name']) == ''){ OCP\JSON::error(array('message'=>'empty')); diff --git a/apps/calendar/ajax/calendar/update.php b/apps/calendar/ajax/calendar/update.php index 5cf63d396f7..740094775f5 100644 --- a/apps/calendar/ajax/calendar/update.php +++ b/apps/calendar/ajax/calendar/update.php @@ -11,6 +11,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('calendar'); +OCP\JSON::callCheck(); if(trim($_POST['name']) == ''){ OCP\JSON::error(array('message'=>'empty')); diff --git a/apps/calendar/ajax/event/delete.php b/apps/calendar/ajax/event/delete.php index f183d431afa..17e45c001e8 100644 --- a/apps/calendar/ajax/event/delete.php +++ b/apps/calendar/ajax/event/delete.php @@ -9,6 +9,7 @@ OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('calendar'); +OCP\JSON::callCheck(); $id = $_POST['id']; $access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT); diff --git a/apps/calendar/ajax/event/edit.php b/apps/calendar/ajax/event/edit.php index 1c3babc3d90..db78bf6e5e0 100644 --- a/apps/calendar/ajax/event/edit.php +++ b/apps/calendar/ajax/event/edit.php @@ -9,6 +9,7 @@ OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('calendar'); +OCP\JSON::callCheck(); $id = $_POST['id']; diff --git a/apps/calendar/ajax/event/move.php b/apps/calendar/ajax/event/move.php index 04cf2fb0513..f4e2b36376d 100644 --- a/apps/calendar/ajax/event/move.php +++ b/apps/calendar/ajax/event/move.php @@ -7,6 +7,7 @@ */ OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); $id = $_POST['id']; $access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT); diff --git a/apps/calendar/ajax/event/new.php b/apps/calendar/ajax/event/new.php index 30e2b0cae36..bc0439cc315 100644 --- a/apps/calendar/ajax/event/new.php +++ b/apps/calendar/ajax/event/new.php @@ -10,6 +10,7 @@ OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('calendar'); +OCP\JSON::callCheck(); $errarr = OC_Calendar_Object::validateRequest($_POST); if($errarr){ diff --git a/apps/calendar/ajax/import/import.php b/apps/calendar/ajax/import/import.php index 18e93e67b4a..c0cd1403763 100644 --- a/apps/calendar/ajax/import/import.php +++ b/apps/calendar/ajax/import/import.php @@ -8,6 +8,7 @@ //check for calendar rights or create new one ob_start(); OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); OCP\App::checkAppEnabled('calendar'); $nl="\r\n"; $comps = array('VEVENT'=>true, 'VTODO'=>true, 'VJOURNAL'=>true); diff --git a/apps/calendar/ajax/settings/setfirstday.php b/apps/calendar/ajax/settings/setfirstday.php index 056a6037524..97c24882939 100644 --- a/apps/calendar/ajax/settings/setfirstday.php +++ b/apps/calendar/ajax/settings/setfirstday.php @@ -7,6 +7,8 @@ */ OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); + if(isset($_POST["firstday"])){ OCP\Config::setUserValue(OCP\USER::getUser(), 'calendar', 'firstday', $_POST["firstday"]); OCP\JSON::success(); diff --git a/apps/calendar/ajax/settings/settimeformat.php b/apps/calendar/ajax/settings/settimeformat.php index 8e95f6f3bf5..d09679b9270 100644 --- a/apps/calendar/ajax/settings/settimeformat.php +++ b/apps/calendar/ajax/settings/settimeformat.php @@ -7,6 +7,8 @@ */ OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); + if(isset($_POST["timeformat"])){ OCP\Config::setUserValue(OCP\USER::getUser(), 'calendar', 'timeformat', $_POST["timeformat"]); OCP\JSON::success(); diff --git a/apps/calendar/ajax/share/changepermission.php b/apps/calendar/ajax/share/changepermission.php index 2737420c94e..f3c628e8477 100644 --- a/apps/calendar/ajax/share/changepermission.php +++ b/apps/calendar/ajax/share/changepermission.php @@ -5,7 +5,8 @@ * later. * See the COPYING-README file. */ - + OCP\JSON::callCheck(); + $id = strip_tags($_GET['id']); $idtype = strip_tags($_GET['idtype']); $permission = (int) strip_tags($_GET['permission']); diff --git a/apps/calendar/ajax/share/share.php b/apps/calendar/ajax/share/share.php index 629a7b6b79f..babb8ce3f13 100644 --- a/apps/calendar/ajax/share/share.php +++ b/apps/calendar/ajax/share/share.php @@ -5,7 +5,8 @@ * later. * See the COPYING-README file. */ - + OCP\JSON::callCheck(); + $id = strip_tags($_GET['id']); $idtype = strip_tags($_GET['idtype']); switch($idtype){ diff --git a/apps/calendar/ajax/share/unshare.php b/apps/calendar/ajax/share/unshare.php index fe7c98452d7..09264070dde 100644 --- a/apps/calendar/ajax/share/unshare.php +++ b/apps/calendar/ajax/share/unshare.php @@ -5,7 +5,8 @@ * later. * See the COPYING-README file. */ - + OCP\JSON::callCheck(); + $id = strip_tags($_GET['id']); $idtype = strip_tags($_GET['idtype']); switch($idtype){ diff --git a/apps/external/ajax/setsites.php b/apps/external/ajax/setsites.php index f153735f094..0dbac3abb29 100644 --- a/apps/external/ajax/setsites.php +++ b/apps/external/ajax/setsites.php @@ -8,6 +8,7 @@ OCP\User::checkAdminUser(); +OCP\JSON::callCheck(); $sites = array(); for ($i = 0; $i < sizeof($_POST['site_name']); $i++) { diff --git a/apps/files/ajax/delete.php b/apps/files/ajax/delete.php index ed155de0dc7..161d820f735 100644 --- a/apps/files/ajax/delete.php +++ b/apps/files/ajax/delete.php @@ -4,6 +4,7 @@ OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); // Get data $dir = stripslashes($_GET["dir"]); diff --git a/apps/files/ajax/move.php b/apps/files/ajax/move.php index 945fe4e7b82..56171dd0ed3 100644 --- a/apps/files/ajax/move.php +++ b/apps/files/ajax/move.php @@ -4,6 +4,7 @@ OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); // Get data $dir = stripslashes($_GET["dir"]); diff --git a/apps/files/ajax/newfile.php b/apps/files/ajax/newfile.php index edb78414872..7236deb65c9 100644 --- a/apps/files/ajax/newfile.php +++ b/apps/files/ajax/newfile.php @@ -4,6 +4,7 @@ OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); // Get the params $dir = isset( $_POST['dir'] ) ? stripslashes($_POST['dir']) : ''; diff --git a/apps/files/ajax/newfolder.php b/apps/files/ajax/newfolder.php index c5c37914c6a..ae92bcf09bb 100644 --- a/apps/files/ajax/newfolder.php +++ b/apps/files/ajax/newfolder.php @@ -4,6 +4,7 @@ OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); // Get the params $dir = isset( $_POST['dir'] ) ? stripslashes($_POST['dir']) : ''; diff --git a/apps/files/ajax/rename.php b/apps/files/ajax/rename.php index e2fa3d54a61..8e98308eb5c 100644 --- a/apps/files/ajax/rename.php +++ b/apps/files/ajax/rename.php @@ -4,6 +4,7 @@ OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); // Get data $dir = stripslashes($_GET["dir"]); diff --git a/apps/files_sharing/ajax/email.php b/apps/files_sharing/ajax/email.php index edf9eca4313..e931e5f77e6 100644 --- a/apps/files_sharing/ajax/email.php +++ b/apps/files_sharing/ajax/email.php @@ -1,5 +1,6 @@ <?php OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); OCP\JSON::checkAppEnabled('files_sharing'); $user = OCP\USER::getUser(); // TODO translations diff --git a/apps/files_sharing/ajax/setpermissions.php b/apps/files_sharing/ajax/setpermissions.php index 2f4c5da9788..13daab738de 100644 --- a/apps/files_sharing/ajax/setpermissions.php +++ b/apps/files_sharing/ajax/setpermissions.php @@ -3,6 +3,7 @@ require_once(OC::$APPSROOT . '/apps/files_sharing/lib_share.php'); OCP\JSON::checkAppEnabled('files_sharing'); OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); $source = '/'.OCP\USER::getUser().'/files'.$_POST['source']; $uid_shared_with = $_POST['uid_shared_with']; diff --git a/apps/files_sharing/ajax/share.php b/apps/files_sharing/ajax/share.php index ec3c25998af..fb28caf7b7e 100644 --- a/apps/files_sharing/ajax/share.php +++ b/apps/files_sharing/ajax/share.php @@ -3,6 +3,7 @@ require_once(OC::$APPSROOT . '/apps/files_sharing/lib_share.php'); OCP\JSON::checkAppEnabled('files_sharing'); OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); $userDirectory = '/'.OCP\USER::getUser().'/files'; $sources = explode(';', $_POST['sources']); diff --git a/apps/files_sharing/ajax/toggleresharing.php b/apps/files_sharing/ajax/toggleresharing.php index 673f00c5d18..ab8e82c8c3f 100644 --- a/apps/files_sharing/ajax/toggleresharing.php +++ b/apps/files_sharing/ajax/toggleresharing.php @@ -1,5 +1,7 @@ <?php +OCP\JSON::callCheck(); + OCP\JSON::checkAppEnabled('files_sharing'); OCP\JSON::checkAdminUser(); if ($_POST['resharing'] == true) { diff --git a/apps/files_sharing/ajax/togglesharewitheveryone.php b/apps/files_sharing/ajax/togglesharewitheveryone.php index dc1105f2f3c..96c43711cb5 100644 --- a/apps/files_sharing/ajax/togglesharewitheveryone.php +++ b/apps/files_sharing/ajax/togglesharewitheveryone.php @@ -1,5 +1,7 @@ <?php +OCP\JSON::callCheck(); + OCP\JSON::checkAppEnabled('files_sharing'); OCP\JSON::checkAdminUser(); if ($_POST['allowSharingWithEveryone'] == true) { diff --git a/apps/files_sharing/ajax/unshare.php b/apps/files_sharing/ajax/unshare.php index 9088bf42663..d291b719e38 100644 --- a/apps/files_sharing/ajax/unshare.php +++ b/apps/files_sharing/ajax/unshare.php @@ -3,6 +3,7 @@ require_once(OC::$APPSROOT . '/apps/files_sharing/lib_share.php'); OCP\JSON::checkAppEnabled('files_sharing'); OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); $source = '/'.OCP\USER::getUser().'/files'.$_POST['source']; $uid_shared_with = $_POST['uid_shared_with']; diff --git a/apps/files_texteditor/ajax/savefile.php b/apps/files_texteditor/ajax/savefile.php index f789112d7d7..aa24d07eef1 100644 --- a/apps/files_texteditor/ajax/savefile.php +++ b/apps/files_texteditor/ajax/savefile.php @@ -26,6 +26,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); // Get paramteres $filecontents = isset($_POST['filecontents']) ? $_POST['filecontents'] : false; diff --git a/apps/files_versions/ajax/rollbackVersion.php b/apps/files_versions/ajax/rollbackVersion.php index 127592f3b58..77c6102ea76 100644 --- a/apps/files_versions/ajax/rollbackVersion.php +++ b/apps/files_versions/ajax/rollbackVersion.php @@ -1,6 +1,7 @@ <?php OCP\JSON::checkAppEnabled('files_versions'); +OCP\JSON::callCheck(); require_once('apps/files_versions/versions.php'); diff --git a/apps/gallery/ajax/createAlbum.php b/apps/gallery/ajax/createAlbum.php index 61e2e9ae2e9..e13dac6ad1a 100644 --- a/apps/gallery/ajax/createAlbum.php +++ b/apps/gallery/ajax/createAlbum.php @@ -24,6 +24,7 @@ OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('gallery'); +OCP\JSON::callCheck(); OC_Gallery_Album::create(OCP\USER::getUser(), $_GET['album_name']); diff --git a/apps/gallery/ajax/sharing.php b/apps/gallery/ajax/sharing.php index 1223320120b..c3d5989ae57 100644 --- a/apps/gallery/ajax/sharing.php +++ b/apps/gallery/ajax/sharing.php @@ -22,6 +22,7 @@ */ +OCP\JSON::callCheck(); if (!isset($_GET['token']) || !isset($_GET['operation'])) { OCP\JSON::error(array('cause' => 'Not enought arguments')); diff --git a/apps/tasks/ajax/addtask.php b/apps/tasks/ajax/addtask.php index 9f35e7f21ec..188e179236a 100644 --- a/apps/tasks/ajax/addtask.php +++ b/apps/tasks/ajax/addtask.php @@ -3,6 +3,7 @@ // Init owncloud OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('tasks'); +OCP\JSON::callCheck(); $calendars = OC_Calendar_Calendar::allCalendars(OCP\User::getUser(), true); $first_calendar = reset($calendars); diff --git a/apps/tasks/ajax/addtaskform.php b/apps/tasks/ajax/addtaskform.php index d86232e2da5..2795f393732 100644 --- a/apps/tasks/ajax/addtaskform.php +++ b/apps/tasks/ajax/addtaskform.php @@ -3,6 +3,7 @@ // Init owncloud OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('tasks'); +OCP\JSON::callCheck(); $calendars = OC_Calendar_Calendar::allCalendars(OCP\User::getUser(), true); $category_options = OC_Calendar_App::getCategoryOptions(); diff --git a/apps/tasks/ajax/delete.php b/apps/tasks/ajax/delete.php index e29add9b556..cc22c3e3873 100644 --- a/apps/tasks/ajax/delete.php +++ b/apps/tasks/ajax/delete.php @@ -23,6 +23,7 @@ // Init owncloud OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('tasks'); +OCP\JSON::callCheck(); $id = $_POST['id']; $task = OC_Calendar_App::getEventObject( $id ); diff --git a/apps/tasks/ajax/edittask.php b/apps/tasks/ajax/edittask.php index edcc8a7cdcd..77ecff13e66 100644 --- a/apps/tasks/ajax/edittask.php +++ b/apps/tasks/ajax/edittask.php @@ -3,6 +3,7 @@ // Init owncloud OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('tasks'); +OCP\JSON::callCheck(); $l10n = new OC_L10N('tasks'); |