
Commit 387808b

committed
Security: Social: Add sec_token when commenting posts
Fix GHSA-33gm-vrgh-m239
1 parent ad03014 commit 387808b


2 files changed

+16
-5
lines changed


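--- a/main/inc/ajax/social.ajax.php
+++ b/main/inc/ajax/social.ajax.php
@@ -220,6 +220,10 @@
 exit;
 }
 
+if (!Security::check_token('get', null, 'wall')) {
+exit;
+}
+
 $messageId = isset($_GET['id']) ? (int) $_GET['id'] : 0;
 
 if (empty($messageId)) {
@@ -240,7 +244,10 @@
 );
 if ($messageId) {
 $messageInfo = MessageManager::get_message_by_id($messageId);
-echo SocialManager::processPostComment($messageInfo);
+JsonResponse::create([
+'secToken' => Security::get_token('wall'),
+'postHTML' => SocialManager::processPostComment($messageInfo),
+])->send();
 }
 }
 }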
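Review bot: The new token check rejects a missing or stale token with a bare `exit;`, so the client gets an empty 200 body and the JavaScript `success` handler silently does nothing, which makes a rejected submission indistinguishable from success for both the user and the access log. Sending an explicit error, e.g. `JsonResponse::create(['error' => 'invalid_token'], 403)->send(); exit;`, lets the caller react and makes token failures visible. Separately, the check reads the token from the query string (`'get'`) even though the form also posts it as the hidden `wall_sec_token` field; if `Security::check_token` supports reading from POST, validating the posted copy keeps the token out of URLs, Referer headers and proxy logs. The enclosing branch starts before this hunk.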

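--- a/main/inc/lib/social.lib.php
+++ b/main/inc/lib/social.lib.php
@@ -1891,7 +1891,7 @@ public static function getWallPostComments(
 
 $formattedList .= '</div>';
 $formattedList .= '<div class="mediapost-form row">';
-$formattedList .= '<form class="form-horizontal" id="form_comment_'.$messageId.'" name="post_comment" method="POST">
+$formattedList .= '<form class="form-horizontal" id="form_comment_'.$messageId.'" name="post_comment" method="POST" data-sec-token="'.Security::get_existing_token('wall').'">
 <div class="col-sm-9">
 <label for="comment" class="hide">'.get_lang('SocialWriteNewComment').'</label>
 <input type="hidden" name = "messageId" value="'.$messageId.'" />
@@ -1902,6 +1902,7 @@ public static function getWallPostComments(
 <em class="fa fa-pencil"></em> '.get_lang('Post').'
 </a>
 </div>
+<input type="hidden" name="wall_sec_token" value="'.Security::get_existing_token('wall').'">
 </form>';
 $formattedList .= '</div>';
 
@@ -3021,15 +3022,18 @@ public static function getScrollJs($countPost, &$htmlHeadXtra)
 $htmlHeadXtra[] = '<script>
 function submitComment(messageId)
 {
-var data = $("#form_comment_"+messageId).serializeArray();
+var $form = $("#form_comment_"+messageId);
+var data = $form.serializeArray();
 $.ajax({
 type : "POST",
-url: "'.$socialAjaxUrl.'?a=send_comment" + "&id=" + messageId,
+url: "'.$socialAjaxUrl.'?a=send_comment" + "&id=" + messageId + "&wall_sec_token=" + $form.data("sec-token"),
 data: data,
 success: function (result) {
 if (result) {
+$(".mediapost-form form").data({ "sec-token": result.secToken });
+
 $("#post_" + messageId + " textarea").val("");
-$("#post_" + messageId + " .sub-mediapost").prepend(result);
+$("#post_" + messageId + " .sub-mediapost").prepend(result.postHTML);
 $("#post_" + messageId + " .sub-mediapost").append(
 $(\'<div id=result_\' + messageId +\'>'.addslashes(get_lang('Saved')).'</div>\')
 );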
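Review bot: In `submitComment` the token is appended to the request URL without `encodeURIComponent`, and on success only the `data-sec-token` attribute is refreshed from `result.secToken` while the hidden `wall_sec_token` input added in the second hunk keeps its original value, so the two copies of the token diverge after the first comment is posted. Either drop the hidden input and keep the single URL/data-attribute channel, or refresh both: `$(".mediapost-form form").data({ "sec-token": result.secToken }).find("input[name=wall_sec_token]").val(result.secToken);`. Encoding the value, `"&wall_sec_token=" + encodeURIComponent($form.data("sec-token"))`, guards against a token containing URL-reserved characters. Note that a token carried in the query string ends up in server access logs, which is worth a comment next to the `url:` line if the GET channel is kept; `getScrollJs` continues outside the hunk.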
