Changeset 14993


Timestamp:
2007/06/28 17:24:05 (13 years ago)
Author:
adati
Message:

CSRF対策:システム>メンバー管理の脆弱性を修正

Location:
branches/rel
Files:
2 edited

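--- a/branches/rel/data/Smarty/templates/admin/system/input.tpl
+++ b/branches/rel/data/Smarty/templates/admin/system/input.tpl
@@ -42,4 +42,5 @@
 <input type="hidden" name="pageno" value="<!--{$tpl_pageno}-->">
 <input type="hidden" name="old_login_id" value="<!--{$tpl_old_login_id}-->">
+<input type="hidden" name="uniqid" value="<!--{$tpl_uniqid}-->">
     <tr valign="top">
         <td class="mainbg">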
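--- a/branches/rel/html/admin/system/input.php
+++ b/branches/rel/html/admin/system/input.php
@@ -49,4 +49,6 @@
     // ¥í¥°¥¤¥óID¤òÊݴɤ·¤Æ¤ª¤¯¡£
     $objPage->tpl_old_login_id = $data_list[0]['login_id'];
+
+    $objPage->tpl_uniqid = $objSess->getUniqId();
 } else {
     // ¿·µ¬ºîÀ®¥â¡¼¥É
@@ -57,5 +59,9 @@
 // ¿·µ¬ºîÀ®¥â¡¼¥É or ÊÔ½¸¥â¡¼¥É
 if( $_POST['mode'] == 'new' || $_POST['mode'] == 'edit') {
-    // ÆþÎÏ¥¨¥é¡¼¥Á¥§¥Ã¥¯
+    // ²èÌÌÁ«°Ü¤ÎÀµÅöÀ­¥Á¥§¥Ã¥¯
+    if (sfIsValidTransition($objSess) == false) {
+        sfDispError(INVALID_MOVE_ERRORR);
+    }
+    // ÆþÎÏ¥¨¥é¡¼¥Á¥§¥Ã¥¯
     $objPage->arrErr = fnErrorCheck($conn);
 
@@ -98,4 +104,7 @@
     $objPage->tpl_onload="fnUpdateParent('".$url."')";
 }
+
+// ²èÌÌÁ«°Ü¤ÎÀµÅöÀ­¥Á¥§¥Ã¥¯ÍѤËuniqid¤òËä¤á¹þ¤à
+$objPage->tpl_uniqid = $objSess->getUniqId();
 
 // ¥Æ¥ó¥×¥ì¡¼¥ÈÍÑÊÑ¿ô¤Î³ä¤êÅö¤Æ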
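Review bot: The transition check added at new line 62 runs only inside the `mode == 'new' || mode == 'edit'` branch opened at line 60, so any other state-changing POST mode this script dispatches on outside the hunk (the surrounding if/else chain starts and ends outside it) would still be accepted without the uniqid being validated; worth confirming no such mode exists, or hoisting the check above the mode dispatch. The comparison `sfIsValidTransition($objSess) == false` is a loose check; `if (!sfIsValidTransition($objSess)) {` is the idiomatic form and does not depend on the helper returning a strict bool. The assignment `$objPage->tpl_uniqid = $objSess->getUniqId();` added at line 52 inside the edit branch looks redundant with the unconditional one at line 108, which runs after that block closes at line 105; if getUniqId() regenerates the value on each call (not visible here) the two could disagree, so keeping only the line-108 assignment would be safer. The protection also assumes sfDispError() terminates the request; if it only renders an error, fnErrorCheck() and the subsequent update path would still execute.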