authorBharat Mediratta <bharat@menalto.com>2010-09-11 01:46:45 -0700
committerBharat Mediratta <bharat@menalto.com>2010-09-11 01:46:45 -0700
commit67f45cfa781ef4b446676e199470e421f5463812 (patch)
tree751fabecfcd5892f100604dd9ed2bb947d9c0b08
parenta88b3f580812e7670933a6d695c89ef93f0142d4 (diff)
Add CSRF protection to the upgrader. And update the CLI output so
that it tells you which modules failed to upgrade properly. Fixes ticket #1359.
-rw-r--r--modules/gallery/controllers/upgrader.php21
-rw-r--r--modules/gallery/views/upgrader.html.php2
2 files changed, 19 insertions, 4 deletions
diff --git a/modules/gallery/controllers/upgrader.php b/modules/gallery/controllers/upgrader.php
index 6613d671..b2646874 100644
--- a/modules/gallery/controllers/upgrader.php
+++ b/modules/gallery/controllers/upgrader.php
@@ -54,8 +54,16 @@ class Upgrader_Controller extends Controller {
// @todo this may screw up some module installers, but we don't have a better answer at
// this time.
$_SERVER["HTTP_HOST"] = "example.com";
- } else if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) {
- access::forbidden();
+ } else {
+ if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) {
+ access::forbidden();
+ }
+
+ try {
+ access::verify_csrf();
+ } catch (Exception $e) {
+ url::redirect("upgrader");
+ }
}
$available = module::available();
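Review bot: The new guard `try { access::verify_csrf(); } catch (Exception $e) { url::redirect("upgrader"); }` catches every `Exception`, so any unrelated failure raised inside verify_csrf() is also converted into a silent redirect, and `$e` is never used. Narrow the catch to the specific exception type verify_csrf() throws (its definition is not visible in this hunk), or at least record the rejected request before redirecting so a blocked upgrade attempt leaves a trace for the operator. A short comment above the `try` would also help, e.g. `// Reject upgrade requests without a valid CSRF token; redirect back so the page is rendered with a fresh one`. The CLI branch above it intentionally bypasses this check because there is no session; the enclosing method starts before this hunk.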
@@ -87,7 +95,14 @@ class Upgrader_Controller extends Controller {
site_status::clear("upgrade_now");
if (php_sapi_name() == "cli") {
- print "Upgrade complete\n";
+ if ($failed) {
+ print "Upgrade completed ** WITH FAILURES **\n";
+ print "The following modules were not successfully upgraded:\n";
+ print " " . implode($failed, "\n ") . "\n";
+ print "Try getting newer versions or deactivating those modules\n";
+ } else {
+ print "Upgrade complete\n";
+ }
} else {
url::redirect("upgrader?failed=" . join(",", $failed));
}
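Review bot: `implode($failed, "\n ")` passes the array before the glue; that legacy argument order has been deprecated since PHP 7.4 and was removed in PHP 8.0, so the line should read `print " " . implode("\n ", $failed) . "\n";` to match the `join(",", $failed)` form used two lines below. `$failed` is built earlier in the method, outside this hunk, and presumably holds module names; if so the truthiness test `if ($failed)` is fine for an array but a `count($failed) > 0` would make the intent explicit. The enclosing method starts and the `$failed` accumulation happens before this hunk.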
diff --git a/modules/gallery/views/upgrader.html.php b/modules/gallery/views/upgrader.html.php
index c2d8a552..554cf30d 100644
--- a/modules/gallery/views/upgrader.html.php
+++ b/modules/gallery/views/upgrader.html.php
@@ -84,7 +84,7 @@
</div>
<? else: ?>
<div id="upgrade_button" class="button button-active">
- <a id="upgrade_link" href="<?= url::site("upgrader/upgrade") ?>">
+ <a id="upgrade_link" href="<?= url::site("upgrader/upgrade?csrf=__CSRF__") ?>">
<?= t("Upgrade all") ?>
</a>
</div>
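Review bot: The upgrade is triggered by a plain GET link with the token in the query string, `upgrader/upgrade?csrf=__CSRF__`; a token carried in a URL ends up in browser history, proxy and server access logs and the Referer header of any outbound link on the resulting page, which weakens the CSRF protection this commit introduces. Submitting the upgrade as a POST form with the token in a hidden field would keep the token out of URLs and also stops link prefetchers from running a state-changing action. The `__CSRF__` marker is presumably substituted with the session token elsewhere before output (not visible in this section); a comment on the link naming where that substitution happens would save the next reader a search.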