From 67f45cfa781ef4b446676e199470e421f5463812 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sat, 11 Sep 2010 01:46:45 -0700
Subject: Add CSRF protection to the upgrader.  And update the CLI output so
 that it tells you which modules failed to upgrade properly.  Fixes ticket
 #1359.

---
 modules/gallery/controllers/upgrader.php | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

(limited to 'modules/gallery/controllers/upgrader.php')

diff --git a/modules/gallery/controllers/upgrader.php b/modules/gallery/controllers/upgrader.php
index 6613d671..b2646874 100644
--- a/modules/gallery/controllers/upgrader.php
+++ b/modules/gallery/controllers/upgrader.php
@@ -54,8 +54,16 @@ class Upgrader_Controller extends Controller {
       // @todo this may screw up some module installers, but we don't have a better answer at
       // this time.
       $_SERVER["HTTP_HOST"] = "example.com";
-    } else if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) {
-      access::forbidden();
+    } else {
+      if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) {
+        access::forbidden();
+      }
+
+      try {
+        access::verify_csrf();
+      } catch (Exception $e) {
+        url::redirect("upgrader");
+      }
     }
 
     $available = module::available();
@@ -87,7 +95,14 @@ class Upgrader_Controller extends Controller {
     site_status::clear("upgrade_now");
 
     if (php_sapi_name() == "cli") {
-      print "Upgrade complete\n";
+      if ($failed) {
+        print "Upgrade completed ** WITH FAILURES **\n";
+        print "The following modules were not successfully upgraded:\n";
+        print "  " . implode($failed, "\n  ") . "\n";
+        print "Try getting newer versions or deactivating those modules\n";
+      } else {
+        print "Upgrade complete\n";
+      }
     } else {
       url::redirect("upgrader?failed=" . join(",", $failed));
     }
-- 
cgit v1.2.3