Changes up to 2.3.7 merged into unstable branch.

[fa-stable.git] / includes / ui / ui_controls.inc

diff --git a/includes/ui/ui_controls.inc b/includes/ui/ui_controls.inc
index 6965b2167cf013b99c1f2b5f3ddff269ad54f198..fa4f62d78abed3af5ddc62e80ed75ee436c06351 100644 (file)
--- a/includes/ui/ui_controls.inc
+++ b/includes/ui/ui_controls.inc
@@ -53,11 +53,27 @@ function start_form($multi=false, $dummy=false, $action="", $name="")
 
 function end_form($breaks=0)
 {
+       global $Ajax;
+
+       $_SESSION['csrf_token'] = hash('sha256', uniqid(mt_rand(), true));
        if ($breaks)
                br($breaks);
-       echo "<input type=\"hidden\" name=\"_focus\" value=\"".get_post('_focus')."\">\n";
-       echo "<input type=\"hidden\" name=\"_modified\" value=\"".get_post('_modified', 0)."\">\n";
+       hidden('_focus');
+       hidden('_modified', get_post('_modified', 0));
+       hidden('_token', $_SESSION['csrf_token']);
        echo "</form>\n";
+       $Ajax->activate('token');
+}
+
+function check_csrf_token()
+{
+       if ($_SESSION['csrf_token'] != @$_POST['_token'])
+       {
+               display_error(_("Request from outside of this page is forbidden."));
+               error_log(_("CSRF attack detected from: ").@$_SERVER['HTTP_HOST'].' ('.@$_SERVER['HTTP_REFERER'].')');
+               return false;
+       }
+       return true;
 }
 
 function start_table($class=false, $extra="", $padding='2', $spacing='0')
@@ -415,6 +431,15 @@ function tabbed_content_end() {
        div_end(); // tabs widget
 }
 
+function tab_changed($name)
+{
+       $to = find_submit("{$name}_", false);
+       if (!$to) return null;
+
+       return array('from' => $from = get_post("_{$name}_sel"),
+               'to' => $to);
+}
+
 /* Table editor interfaces. Key is editor type
        0 => url of editor page
        1 => hotkey code