diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2016-08-13 19:10:32 +0200 |
|---|---|---|
| committer | Alexandre Alapetite <alexandre@alapetite.fr>
| 2016-08-13 19:10:32 +0200 |
| commit | 56ffc115d15bf136bfced74707ccc1f41c7b5e44 (patch) | |
| tree | 6149b276b06d5d8fe295c020bed842f91c0bcd15 | |
| parent | e6fd34bdda5d067a9e74714aaae10c89ed998a46 (diff) | |
Do not mix POST and GET params
Avoid returning CSRF POST token for a GET
| -rwxr-xr-x | app/Controllers/configureController.php | 4 | ||||
| -rw-r--r-- | app/Models/Auth.php | 2 | ||||
| -rwxr-xr-x | app/views/entry/bookmark.phtml | 19 | ||||
| -rwxr-xr-x | app/views/entry/read.phtml | 19 | ||||
| -rwxr-xr-x | app/views/helpers/logs_pagination.phtml | 2 | ||||
| -rw-r--r-- | app/views/index/global.phtml | 2 |
6 files changed, 23 insertions, 25 deletions
diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php index d0f0bd68b..147a2fe06 100755 --- a/app/Controllers/configureController.php +++ b/app/Controllers/configureController.php @@ -139,7 +139,7 @@ class FreshRSS_configure_Controller extends Minz_ActionController { */ public function sharingAction() { if (Minz_Request::isPost()) { - $params = Minz_Request::params(); + $params = Minz_Request::fetchGET(); FreshRSS_Context::$user_conf->sharing = $params['share']; FreshRSS_Context::$user_conf->save(); invalidateHttpCache(); @@ -282,7 +282,7 @@ class FreshRSS_configure_Controller extends Minz_ActionController { foreach (FreshRSS_Context::$user_conf->queries as $key => $query) { $queries[$key] = new FreshRSS_UserQuery($query, $feed_dao, $category_dao); } - $params = Minz_Request::params(); + $params = Minz_Request::fetchGET(); $params['url'] = Minz_Url::display(array('params' => $params)); $params['name'] = _t('conf.query.number', count($queries) + 1); $queries[] = new FreshRSS_UserQuery($params, $feed_dao, $category_dao); diff --git a/app/Models/Auth.php b/app/Models/Auth.php index f0e8db5a2..b93942e19 100644 --- a/app/Models/Auth.php +++ b/app/Models/Auth.php @@ -173,7 +173,7 @@ class FreshRSS_Auth { return true; //Not logged in yet } if ($token === null) { - $token = Minz_Request::param('_csrf'); + $token = Minz_Request::fetchPOST('_csrf'); } return $token === $csrf; } diff --git a/app/views/entry/bookmark.phtml b/app/views/entry/bookmark.phtml index 6b5a4ed03..d85706669 100755 --- a/app/views/entry/bookmark.phtml +++ b/app/views/entry/bookmark.phtml @@ -1,17 +1,16 @@ <?php header('Content-Type: application/json; charset=UTF-8'); -if (Minz_Request::param('is_favorite', true)) { - Minz_Request::_param('is_favorite', 0); -} else { - Minz_Request::_param('is_favorite', 1); -} - -$url = Minz_Url::display(array( +$url = array( 'c' => Minz_Request::controllerName(), 'a' => Minz_Request::actionName(), - 'params' => Minz_Request::params(), -)); + 'params' => Minz_Request::fetchGET(), +); + +$url['params']['is_favorite'] = Minz_Request::param('is_favorite', true) ? '0' : '1'; FreshRSS::loadStylesAndScripts(); -echo json_encode(array('url' => str_ireplace('&', '&', $url), 'icon' => _i(Minz_Request::param('is_favorite') ? 'non-starred' : 'starred'))); +echo json_encode(array( + 'url' => str_ireplace('&', '&', Minz_Url::display($url)), + 'icon' => _i($url['params']['is_favorite'] === '1' ? 'non-starred' : 'starred') + )); diff --git a/app/views/entry/read.phtml b/app/views/entry/read.phtml index 7d0e3de82..73977d94b 100755 --- a/app/views/entry/read.phtml +++ b/app/views/entry/read.phtml @@ -1,17 +1,16 @@ <?php header('Content-Type: application/json; charset=UTF-8'); -if (Minz_Request::param('is_read', true)) { - Minz_Request::_param('is_read', 0); -} else { - Minz_Request::_param('is_read', 1); -} - -$url = Minz_Url::display(array( +$url = array( 'c' => Minz_Request::controllerName(), 'a' => Minz_Request::actionName(), - 'params' => Minz_Request::params(), -)); + 'params' => Minz_Request::fetchGET(), +); + +$url['params']['is_read'] = Minz_Request::param('is_read', true) ? '0' : '1'; FreshRSS::loadStylesAndScripts(); -echo json_encode(array('url' => str_ireplace('&', '&', $url), 'icon' => _i(Minz_Request::param('is_read') ? 'unread' : 'read'))); +echo json_encode(array( + 'url' => str_ireplace('&', '&', Minz_Url::display($url)), + 'icon' => _i($url['params']['is_read'] === '1' ? 'unread' : 'read') + )); diff --git a/app/views/helpers/logs_pagination.phtml b/app/views/helpers/logs_pagination.phtml index 58b3c68f4..bf9d91f04 100755 --- a/app/views/helpers/logs_pagination.phtml +++ b/app/views/helpers/logs_pagination.phtml @@ -1,7 +1,7 @@ <?php $c = Minz_Request::controllerName(); $a = Minz_Request::actionName(); - $params = Minz_Request::params(); + $params = Minz_Request::fetchGET(); ?> <?php if ($this->nbPage > 1) { ?> diff --git a/app/views/index/global.phtml b/app/views/index/global.phtml index 0ffa3bc54..1e53e4f8c 100644 --- a/app/views/index/global.phtml +++ b/app/views/index/global.phtml @@ -14,7 +14,7 @@ $url_base = array( 'c' => 'index', 'a' => 'normal', - 'params' => Minz_Request::params() + 'params' => Minz_Request::fetchGET(), ); foreach ($this->categories as $cat) { |