From 944c29b96429ec95ac1371cb33cc43704a60c7b1 Mon Sep 17 00:00:00 2001
From: Igor Scheller
Date: Tue, 20 Nov 2018 16:02:03 +0100
Subject: Require POST for sending forms

* Ensure that the form is submitted with a post request
* Replaced several links with forms

Closes #494 (Security Vulnerability)
---
 includes/pages/admin_rooms.php | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

(limited to 'includes/pages/admin_rooms.php')

diff --git a/includes/pages/admin_rooms.php b/includes/pages/admin_rooms.php
index 5be3f926..558145bc 100644
--- a/includes/pages/admin_rooms.php
+++ b/includes/pages/admin_rooms.php
@@ -72,7 +72,7 @@ function admin_rooms()
 }
 if ($request->input('show') == 'edit') {
- if ($request->has('submit')) {
+ if ($request->hasPostData('submit')) {
 $valid = true;
 if ($request->has('name') && strlen(strip_request_item('name')) > 0) {
@@ -178,7 +178,7 @@ function admin_rooms()
 ])
 ]);
 } elseif ($request->input('show') == 'delete') {
- if ($request->has('ack')) {
+ if ($request->hasPostData('ack')) {
 Room_delete($room_id);
 engelsystem_log('Room deleted: ' . $name);
@@ -191,13 +191,9 @@ function admin_rooms()
 button(page_link_to('admin_rooms'), __('back'), 'back')
 ]),
 sprintf(__('Do you want to delete room %s?'), $name),
- buttons([
- button(
- page_link_to('admin_rooms', ['show' => 'delete', 'id' => $room_id, 'ack' => 1]),
- __('Delete'),
- 'delete btn-danger'
- )
- ])
+ form([
+ form_submit('ack', __('Delete'), 'delete btn-danger'),
+ ], page_link_to('admin_rooms', ['show' => 'delete', 'id' => $room_id])),
 ]);
 }
 }
-- 
cgit v1.2.3-54-g00ecf
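Review bot: The `hasPostData('ack')` check and the `form([...])` wrapping `form_submit('ack', ...)` in the delete hunk stop a plain link or image from triggering `Room_delete($room_id)`, but requiring POST is not a CSRF defence by itself: a form on another origin can still be submitted to the same `page_link_to('admin_rooms', ['show' => 'delete', 'id' => $room_id])` action with the victim's session cookie. The form should carry a hidden per-session token field and the handler should reject the request before `Room_delete($room_id)` unless the posted token matches the session value via `hash_equals()`; the same gap exists at the `hasPostData('submit')` check in the edit hunk. This assumes `hasPostData` only tests that the field is present in a POST body and does not already validate such a token, which the diff does not show. `admin_rooms()` begins and ends outside all three hunks.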