pluginhandlers: post notice if pluginmethod is requested without CSRF token
This commit is contained in:
parent
00b31c3f53
commit
d439685895
|
@ -7,16 +7,22 @@ class PluginHandler extends Handler_Protected {
|
||||||
function catchall($method) {
|
function catchall($method) {
|
||||||
$plugin_name = clean($_REQUEST["plugin"]);
|
$plugin_name = clean($_REQUEST["plugin"]);
|
||||||
$plugin = PluginHost::getInstance()->get_plugin($plugin_name);
|
$plugin = PluginHost::getInstance()->get_plugin($plugin_name);
|
||||||
|
$csrf_token = ($_POST["csrf_token"] ?? "");
|
||||||
|
|
||||||
if ($plugin) {
|
if ($plugin) {
|
||||||
if (method_exists($plugin, $method)) {
|
if (method_exists($plugin, $method)) {
|
||||||
|
if (validate_csrf($csrf_token)) {
|
||||||
$plugin->$method();
|
$plugin->$method();
|
||||||
} else {
|
} else {
|
||||||
user_error("PluginHandler: Requested unknown method '$method' of plugin '$plugin_name'.", E_USER_WARNING);
|
user_error("Requested ${plugin_name}->${method}() with invalid CSRF token.", E_USER_DEPRECATED);
|
||||||
|
$plugin->$method();
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
user_error("Rejected ${plugin_name}->${method}(): unknown method.", E_USER_WARNING);
|
||||||
print error_json(13);
|
print error_json(13);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
user_error("PluginHandler: Requested method '$method' of unknown plugin '$plugin_name'.", E_USER_WARNING);
|
user_error("Rejected ${plugin_name}->${method}(): unknown plugin.", E_USER_WARNING);
|
||||||
print error_json(14);
|
print error_json(14);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue