/[smeserver]/rpms/smeserver-manager/sme10/smeserver-manager-0.1.4-review_csrf_url.patch
ViewVC logotype

Annotation of /rpms/smeserver-manager/sme10/smeserver-manager-0.1.4-review_csrf_url.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Mon Nov 15 18:03:45 2021 UTC (3 years ago) by michel
Branch: MAIN
CVS Tags: smeserver-manager-0_1_4-22_el7_sme, smeserver-manager-0_1_4-17_el7_sme, smeserver-manager-0_1_4-33_el7_sme, smeserver-manager-0_1_4-10_el7_sme, smeserver-manager-0_1_4-19_el7_sme, smeserver-manager-0_1_4-26_el7_sme, smeserver-manager-0_1_4-18_el7_sme, smeserver-manager-0_1_4-27_el7_sme, smeserver-manager-0_1_4-11_el7_sme, smeserver-manager-0_1_4-16_el7_sme, smeserver-manager-0_1_4-8_el7_sme, smeserver-manager-0_1_4-3_el7_sme, smeserver-manager-0_1_4-32_el7_sme, smeserver-manager-0_1_4-31_el7_sme, smeserver-manager-0_1_4-20_el7_sme, smeserver-manager-0_1_4-25_el7_sme, smeserver-manager-0_1_4-13_el7_sme, smeserver-manager-0_1_4-28_el7_sme, smeserver-manager-0_1_4-12_el7_sme, smeserver-manager-0_1_4-15_el7_sme, smeserver-manager-0_1_4-5_el7_sme, smeserver-manager-0_1_4-14_el7_sme, smeserver-manager-0_1_4-6_el7_sme, smeserver-manager-0_1_4-34_el7_sme, smeserver-manager-0_1_4-24_el7_sme, smeserver-manager-0_1_4-29_el7_sme, smeserver-manager-0_1_4-23_el7_sme, smeserver-manager-0_1_4-9_el7_sme, smeserver-manager-0_1_4-4_el7_sme, smeserver-manager-0_1_4-7_el7_sme, smeserver-manager-0_1_4-21_el7_sme, HEAD
* Mon Nov 15 2021 Michel Begue <mab974@misouk.com> 0.1.4-3.sme
- Fix error message when linking, unlinking jquery in spec
- Correct the 'review' panel presentation
- Modify CSRFDefender plugin to take into account GET method
- Add TOKEN param where the GET method is used in templates
- Remove smanager from local url address

1 michel 1.1 diff -urN smeserver-manager-0.1.4.old/root/etc/e-smith/templates/usr/share/smanager/themes/default/public/css/styles.css/50body smeserver-manager-0.1.4/root/etc/e-smith/templates/usr/share/smanager/themes/default/public/css/styles.css/50body
2     --- smeserver-manager-0.1.4.old/root/etc/e-smith/templates/usr/share/smanager/themes/default/public/css/styles.css/50body 2021-06-21 13:25:10.000000000 +0400
3     +++ smeserver-manager-0.1.4/root/etc/e-smith/templates/usr/share/smanager/themes/default/public/css/styles.css/50body 2021-11-01 21:53:42.016000000 +0400
4     @@ -126,6 +126,20 @@
5     text-align: right;
6     }
7    
8     +td.label {
9     + font-weight: bold;
10     + background-color: #e8f3e1; /*lightgreen;*/
11     + width: 30%;
12     + text-align: right;
13     +}
14     +
15     +span.label2 {
16     + display: inline-block;
17     + font-weight: bold;
18     + background-color: #e8f3e1; /*lightgreen;*/
19     + text-align: right;
20     +}
21     +
22     span.data {
23     padding: 2px;
24     font-weight: bold;
25     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/lib/SrvMngr/Plugin/CSRFDefender.pm smeserver-manager-0.1.4/root/usr/share/smanager/lib/SrvMngr/Plugin/CSRFDefender.pm
26     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/lib/SrvMngr/Plugin/CSRFDefender.pm 1970-01-01 04:00:00.000000000 +0400
27     +++ smeserver-manager-0.1.4/root/usr/share/smanager/lib/SrvMngr/Plugin/CSRFDefender.pm 2021-11-15 21:45:49.542000000 +0400
28     @@ -0,0 +1,244 @@
29     +package SrvMngr::Plugin::CSRFDefender;
30     +
31     +use strict;
32     +use warnings;
33     +use Carp;
34     +
35     +our $VERSION = '0.0.8-1';
36     +
37     +use base qw(Mojolicious::Plugin Class::Accessor::Fast);
38     +__PACKAGE__->mk_accessors(qw(
39     + parameter_name
40     + session_key
41     + token_length
42     + error_status
43     + error_content
44     + error_template
45     + onetime
46     + get_token_param
47     +
48     +));
49     +
50     +use String::Random;
51     +use Path::Class;
52     +
53     +sub register {
54     + my ($self, $app, $conf) = @_;
55     +
56     + # Plugin config
57     + $conf ||= {};
58     +
59     + # setting
60     + $self->parameter_name($conf->{parameter_name} || 'csrftoken');
61     + $self->session_key($conf->{session_key} || 'csrftoken');
62     + $self->token_length($conf->{token_length} || 32);
63     + $self->error_status($conf->{error_status} || 403);
64     + $self->error_content($conf->{error_content} || 'Forbidden');
65     + $self->onetime($conf->{onetime} || 0);
66     + if ($conf->{error_template}) {
67     + my $file = $app->home->rel_file($conf->{error_template});
68     + $self->error_template($file);
69     + }
70     + $self->get_token_param($conf->{get_token_param} || 'CsrfDef=TOKEN'); # added for GET method
71     +
72     + # input check
73     + $app->hook(before_dispatch => sub {
74     + my ($c) = @_;
75     + unless ($self->_validate_csrf($c)) {
76     + my $content;
77     + if ($self->error_template) {
78     + my $file = file($self->error_template);
79     + $content = $file->slurp;
80     + }
81     + else {
82     + $content = $self->{error_content},
83     + }
84     + $c->render(
85     + status => $self->{error_status},
86     + text => $content,
87     + );
88     + };
89     + });
90     +
91     + # output filter
92     + $app->hook(after_dispatch => sub {
93     + my ($c) = @_;
94     + my $token = $self->_get_csrf_token($c);
95     + my $p_name = $self->parameter_name;
96     + my $g_token = $self->get_token_param;
97     + my $body = $c->res->body;
98     + $body =~ s{(<form\s*[^>]*method=["']POST["'][^>]*>)}{$1\n<input type="hidden" name="$p_name" value="$token" />}isg;
99     + $body =~ s{(\?$g_token)}{\?$p_name=$token}isg; # added for GET method
100     + $c->res->body($body);
101     + });
102     +
103     + return $self;
104     +}
105     +
106     +sub _validate_csrf {
107     + my ($self, $c) = @_;
108     +
109     + my $p_name = $self->parameter_name;
110     + my $s_name = $self->session_key;
111     + my $request_token = $c->req->param($p_name);
112     + my $session_token = $c->session($s_name);
113     +
114     +# POST method or local GET with params.
115     + if ( $c->req->method eq 'POST' or ( $c->req->method eq 'GET' && %{$c->req->params->to_hash} ) ) {
116     + return 0 unless $request_token;
117     + return 0 unless $session_token;
118     + return 0 unless $request_token eq $session_token;
119     + # onetime
120     + $c->session($self->{session_key} => '') if $self->onetime;
121     + }
122     +
123     + return 1;
124     +}
125     +
126     +sub _get_csrf_token {
127     + my ($self, $c) = @_;
128     +
129     + my $key = $self->session_key;
130     + my $token = $c->session($key);
131     + my $length = $self->token_length;
132     + return $token if $token;
133     +
134     + $token = String::Random::random_regex("[a-zA-Z0-9_]{$length}");
135     + $c->session($key => $token);
136     + return $token;
137     +}
138     +
139     +1;
140     +
141     +__END__
142     +
143     +=head1 NAME
144     +
145     +Mojolicious::Plugin::CSRFDefender - Defend CSRF automatically in Mojolicious Application
146     +
147     +
148     +=head1 VERSION
149     +
150     +This document describes Mojolicious::Plugin::CSRFDefender.
151     +
152     +
153     +=head1 SYNOPSIS
154     +
155     + # Mojolicious
156     + $self->plugin('Mojolicious::Plugin::CSRFDefender');
157     +
158     + # Mojolicious::Lite
159     + plugin 'Mojolicious::Plugin::CSRFDefender';
160     +
161     +=head1 DESCRIPTION
162     +
163     +This plugin defends CSRF automatically in Mojolicious Application.
164     +Following is the strategy.
165     +
166     +=head2 output filter
167     +
168     +When the application response body contains form tags with method="post",
169     +this inserts hidden input tag that contains token string into forms in the response body.
170     +For example, the application response body is
171     +
172     + <html>
173     + <body>
174     + <form method="post" action="/get">
175     + <input name="text" />
176     + <input type="submit" value="send" />
177     + </form>
178     + </body>
179     + </html>
180     +
181     +this becomes
182     +
183     + <html>
184     + <body>
185     + <form method="post" action="/get">
186     + <input type="hidden" name="csrf_token" value="zxjkzX9RnCYwlloVtOVGCfbwjrwWZgWr" />
187     + <input name="text" />
188     + <input type="submit" value="send" />
189     + </form>
190     + </body>
191     + </html>
192     +
193     +=head2 input check
194     +
195     +For every POST requests, this module checks input parameters contain the collect token parameter. If not found, throws 403 Forbidden.
196     +
197     +=head1 OPTIONS
198     +
199     + plugin 'Mojolicious::Plugin::CSRFDefender' => {
200     + parameter_name => 'param-csrftoken',
201     + session_key => 'session-csrftoken',
202     + token_length => 40,
203     + error_status => 400,
204     + error_template => 'public/400.html',
205     + };
206     +
207     +=over 4
208     +
209     +=item parameter_name(default:"csrftoken")
210     +
211     +Name of the input tag for the token.
212     +
213     +=item session_key(default:"csrftoken")
214     +
215     +Name of the session key for the token.
216     +
217     +=item token_length(default:32)
218     +
219     +Length of the token string.
220     +
221     +=item error_status(default:403)
222     +
223     +Status code when CSRF is detected.
224     +
225     +=item error_content(default:"Forbidden")
226     +
227     +Content body when CSRF is detected.
228     +
229     +=item error_template
230     +
231     +Return content of the specified file as content body when CSRF is detected. Specify the file path from the application home directory.
232     +
233     +=item onetime(default:0)
234     +
235     +If specified with 1, this plugin uses onetime token, that is, whenever client sent collect token and this middleware detect that, token string is regenerated.
236     +
237     +=back
238     +
239     +=head1 METHODS
240     +
241     +L<Mojolicious::Plugin::CSRFDefender> inherits all methods from
242     +L<Mojolicious::Plugin> and implements the following new ones.
243     +
244     +=head2 C<register>
245     +
246     + $plugin->register;
247     +
248     +Register plugin in L<Mojolicious> application.
249     +
250     +=head1 SEE ALSO
251     +
252     +=over 4
253     +
254     +=item * L<Mojolicious>
255     +
256     +=back
257     +
258     +=head1 REPOSITORY
259     +
260     +https://github.com/shibayu36/p5-Mojolicious-Plugin-CSRFDefender
261     +
262     +=head1 AUTHOR
263     +
264     + C<< <shibayu36 {at} gmail.com> >>
265     +
266     +
267     +=head1 LICENCE AND COPYRIGHT
268     +
269     +Copyright (c) 2011, Yuki Shibazaki C<< <shibayu36 {at} gmail.com> >>. All rights reserved.
270     +
271     +This module is free software; you can redistribute it and/or
272     +modify it under the same terms as Perl itself. See L<perlartistic>.
273     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/lib/SrvMngr.pm smeserver-manager-0.1.4/root/usr/share/smanager/lib/SrvMngr.pm
274     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/lib/SrvMngr.pm 2021-10-20 22:30:47.000000000 +0400
275     +++ smeserver-manager-0.1.4/root/usr/share/smanager/lib/SrvMngr.pm 2021-11-14 22:36:45.633000000 +0400
276     @@ -23,7 +23,7 @@
277     use SrvMngr::Model::Main;
278    
279    
280     -our $VERSION = '1.401';
281     +our $VERSION = '1.403';
282     $VERSION = eval $VERSION;
283    
284     use Exporter 'import';
285     @@ -181,7 +181,9 @@
286     $self->plugin('RenderFile');
287    
288     # CSRF protection if production mode
289     - $self->plugin('Mojolicious::Plugin::CSRFDefender' => {
290     +# $self->plugin('Mojolicious::Plugin::CSRFDefender' => {
291     +# Adapted plugin for use with GET method
292     + $self->plugin('SrvMngr::Plugin::CSRFDefender' => {
293     onetime => 1,
294     error_status => 400,
295     error_content => 'Error: CSRF token is invalid or outdated'
296     @@ -814,4 +816,3 @@
297    
298    
299     1;
300     -
301     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_dom_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_dom_list.html.ep
302     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_dom_list.html.ep 2021-06-21 13:25:10.000000000 +0400
303     +++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_dom_list.html.ep 2021-11-05 23:55:48.000000000 +0400
304     @@ -42,13 +42,13 @@
305     %= t td => (class => 'sme-border') => $domain->{'Content'}
306     %= t td => (class => 'sme-border') => l('dom_' . $domain->{'Nameservers'})
307    
308     - % my $actionModify = "<a href='domains2?trt=UPD&Domain=" . $domain->{Domain} . "'>" . l('MODIFY') . "</a>";
309     + % my $actionModify = "<a href='domains2?CsrfDef=TOKEN&trt=UPD&Domain=" . $domain->{Domain} . "'>" . l('MODIFY') . "</a>";
310    
311     % my $removable = ($domain->{Removable} || 'yes');
312     % my $actionRemove = '&nbsp;';
313    
314     % if ($removable eq 'yes') {
315     - % $actionRemove = "<a href='domains2?trt=DEL&Domain=" . $domain->{Domain} . "'>" . l('REMOVE') . "</a>";
316     + % $actionRemove = "<a href='domains2?CsrfDef=TOKEN&trt=DEL&Domain=" . $domain->{Domain} . "'>" . l('REMOVE') . "</a>";
317     % }
318    
319     <td class='sme-border'><%= $c->render_to_string(inline => $actionModify) %></td>
320     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_grp_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_grp_list.html.ep
321     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_grp_list.html.ep 2021-06-21 13:25:10.000000000 +0400
322     +++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_grp_list.html.ep 2021-11-05 23:56:07.000000000 +0400
323     @@ -36,8 +36,8 @@
324     <tr>
325     %= t td => (class => 'sme-border') => $group->key
326     %= t td => (class => 'sme-border') => $group->prop('Description')
327     - <td class='sme-border'><a href="groups2?trt=UPD&group=<%= $group->key%>"><%=l 'MODIFY'%></a></td>
328     - <td class='sme-border'><a href="groups2?trt=DEL&group=<%= $group->key%>"><%=l 'REMOVE'%></a></td>
329     + <td class='sme-border'><a href="groups2?CsrfDef=TOKEN&trt=UPD&group=<%= $group->key%>"><%=l 'MODIFY'%></a></td>
330     + <td class='sme-border'><a href="groups2?CsrfDef=TOKEN&trt=DEL&group=<%= $group->key%>"><%=l 'REMOVE'%></a></td>
331     </tr>
332     % }
333     </tbody>
334     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_header.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_header.html.ep
335     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_header.html.ep 2021-06-21 13:25:10.000000000 +0400
336     +++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_header.html.ep 2021-11-14 22:21:06.985000000 +0400
337     @@ -3,7 +3,7 @@
338     <div id="h2e11">
339     <a target='_blank' href="http://www.koozali.org"><img src="images/smeserver_logo.jpg" height="40" alt="SME Server"></a>
340     </div>
341     - <div id="h2e12"><h5><a href="/smanager/">Server Manager II</a>
342     + <div id="h2e12"><h5><a href="initial">Server Manager II</a>
343     <a href="/server-manager" target='main'>&nbsp &nbsp (Previous)</a></h5>
344     </div>
345     </div>
346     @@ -14,13 +14,13 @@
347     <%= session 'SystemName' %>@<%= session 'DomainName' %></b>
348     </div>
349     <div id="h2e22">
350     - <a target="_parent" href="/smanager/manual">&nbsp;&nbsp;<b> ? </b>&nbsp;&nbsp;</a>&nbsp;
351     + <a target="_parent" href="manual">&nbsp;&nbsp;<b> ? </b>&nbsp;&nbsp;</a>&nbsp;
352     </div>
353     <div id="h2e23">
354     % if ( not defined $c->session->{username} ) {
355     <a target="_parent" href="login"><b>Login</b></a>&nbsp;
356     % } else {
357     - <a target="_parent" href="/smanager/logout"><b><%= $c->session->{username} %> Logout</b></a>&nbsp;
358     + <a target="_parent" href="logout"><b><%= $c->session->{username} %> Logout</b></a>&nbsp;
359     % }
360     </div>
361     </div>
362     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_hos_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_hos_list.html.ep
363     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_hos_list.html.ep 2021-06-21 13:25:10.000000000 +0400
364     +++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_hos_list.html.ep 2021-11-05 23:56:23.000000000 +0400
365     @@ -46,8 +46,8 @@
366     %= t td => (class => 'sme-border') => $_->{'Comment'};
367     % my ($actionModify, $actionRemove) = '&nbsp;';
368     % if ($_->{'static'} ne 'yes') {
369     - % $actionModify = "<a href='hostentriesd?trt=UPD&Hostname=" . $_->{'HostName'} . "'>" . l('MODIFY') . "</a>";
370     - % $actionRemove = "<a href='hostentriesd?trt=DEL&Hostname=" . $_->{'HostName'} . "'>" . l('REMOVE') . "</a>";
371     + % $actionModify = "<a href='hostentriesd?CsrfDef=TOKEN&trt=UPD&Hostname=" . $_->{'HostName'} . "'>" . l('MODIFY') . "</a>";
372     + % $actionRemove = "<a href='hostentriesd?CsrfDef=TOKEN&trt=DEL&Hostname=" . $_->{'HostName'} . "'>" . l('REMOVE') . "</a>";
373     % }
374     <td class='sme-border'><%= $c->render_to_string(inline => $actionModify) %></td>
375     <td class='sme-border'><%= $c->render_to_string(inline => $actionRemove) %></td>
376     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_iba_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_iba_list.html.ep
377     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_iba_list.html.ep 2021-10-20 22:30:47.000000000 +0400
378     +++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_iba_list.html.ep 2021-10-09 23:01:31.000000000 +0400
379     @@ -47,18 +47,18 @@
380     %= t td => (class => 'sme-border') => $ibay->prop('Name')
381     % my ($actionModify, $actionResetPw, $actionRemove) = '&nbsp;';
382     % if ($modifiable eq 'yes') {
383     - % $actionModify = "<a href='ibaysd?trt=UPD&ibay=" . $ibay->key . "'>" . l('MODIFY') . "</a>";
384     + % $actionModify = "<a href='ibaysd?CsrfDef=TOKEN&trt=UPD&ibay=" . $ibay->key . "'>" . l('MODIFY') . "</a>";
385     % }
386     % if ($passwordable eq 'yes') {
387     % if ($ibay->prop('PasswordSet') ne 'yes' && $needPassword) {
388     - % $actionResetPw .= "<a href='ibaysd?trt=PWD&ibay=" . $ibay->key . "' class='error'>" . l('PASSWORD_RESET') . "</a>";
389     + % $actionResetPw .= "<a href='ibaysd?CsrfDef=TOKEN&trt=PWD&ibay=" . $ibay->key . "' class='error'>" . l('PASSWORD_RESET') . "</a>";
390     % } else {
391     - % $actionResetPw .= "<a href='ibaysd?trt=PWD&ibay=" . $ibay->key . "'>" . l('PASSWORD_RESET') . "</a>";
392     + % $actionResetPw .= "<a href='ibaysd?CsrfDef=TOKEN&trt=PWD&ibay=" . $ibay->key . "'>" . l('PASSWORD_RESET') . "</a>";
393     % }
394     % $actionResetPw .= '&nbsp';
395     % }
396     % if ($removable eq 'yes') {
397     - % $actionRemove = "<a href='ibaysd?trt=DEL&ibay=" . $ibay->key . "'>" . l('REMOVE') . "</a>";
398     + % $actionRemove = "<a href='ibaysd?CsrfDef=TOKEN&trt=DEL&ibay=" . $ibay->key . "'>" . l('REMOVE') . "</a>";
399     % }
400     <td class='sme-border'><%= $c->render_to_string(inline => $actionModify) %></td>
401     <td class='sme-border'><%= $c->render_to_string(inline => $actionResetPw) %></td>
402     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_ln_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_ln_list.html.ep
403     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_ln_list.html.ep 2020-11-19 11:53:26.000000000 +0400
404     +++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_ln_list.html.ep 2021-11-05 23:56:34.000000000 +0400
405     @@ -82,7 +82,7 @@
406     %= t td => (class => 'sme-border') => $localnetwork->prop('Router')
407     % if ($removable eq "yes") {
408     <td class='sme-border'>
409     - <a href="/smanager/localnetworksd?trt=DEL&localnetwork=<%= $localnetwork->key%>"><%=l 'REMOVE'%></a></td>
410     + <a href="localnetworksd?CsrfDef=TOKEN&trt=DEL&localnetwork=<%= $localnetwork->key%>"><%=l 'REMOVE'%></a></td>
411     % } else {
412     <td class='sme-border'> </td>
413     %}
414     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_pf_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_pf_list.html.ep
415     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_pf_list.html.ep 2020-11-19 11:53:26.000000000 +0400
416     +++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_pf_list.html.ep 2021-11-05 23:56:46.000000000 +0400
417     @@ -98,7 +98,7 @@
418     %= t td => (class => 'sme-border') => $allow
419     %= t td => (class => 'sme-border') => $cmmnt
420     <td class='sme-border'>
421     - <a href="/smanager/portforwardingd?trt=DEL&sport=<%= $sport%>&proto=<%= $proto%>"><%=l 'REMOVE'%></a></td>
422     + <a href="portforwardingd?CsrfDef=TOKEN&trt=DEL&sport=<%= $sport%>&proto=<%= $proto%>"><%=l 'REMOVE'%></a></td>
423     </tr>
424     % }
425     % }
426     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_prt_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_prt_list.html.ep
427     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_prt_list.html.ep 2021-10-20 22:30:47.000000000 +0400
428     +++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_prt_list.html.ep 2021-11-05 23:56:56.000000000 +0400
429     @@ -55,7 +55,7 @@
430     %= t td => (class => 'sme-border') => $printer->prop('Location')
431     %= t td => (class => 'sme-border') => $address
432     %= t td => (class => 'sme-border') => $remoteName
433     - <td class='sme-border'><a href="printers2?trt=DEL&printer=<%= $printer->key%>"><%=l 'REMOVE'%></a></td>
434     + <td class='sme-border'><a href="printers2?CsrfDef=TOKEN&trt=DEL&printer=<%= $printer->key%>"><%=l 'REMOVE'%></a></td>
435     </tr>
436     % }
437     </tbody>
438     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_pse_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_pse_list.html.ep
439     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_pse_list.html.ep 2021-06-21 13:25:10.000000000 +0400
440     +++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_pse_list.html.ep 2021-11-05 23:57:06.000000000 +0400
441     @@ -52,10 +52,10 @@
442    
443     % my ($actionModify, $actionRemove) = '&nbsp;';
444     % if ($modifiable eq 'yes') {
445     - % $actionModify = "<a href='pseudonyms2?trt=UPD&pseudonym=" . $pseudonym->key . "'>" . l('MODIFY') . "</a>";
446     + % $actionModify = "<a href='pseudonyms2?CsrfDef=TOKEN&trt=UPD&pseudonym=" . $pseudonym->key . "'>" . l('MODIFY') . "</a>";
447     % }
448     % if ($removable eq 'yes') {
449     - % $actionRemove = "<a href='pseudonyms2?trt=DEL&pseudonym=" . $pseudonym->key . "'>" . l('REMOVE') . "</a>";
450     + % $actionRemove = "<a href='pseudonyms2?CsrfDef=TOKEN&trt=DEL&pseudonym=" . $pseudonym->key . "'>" . l('REMOVE') . "</a>";
451     % }
452    
453     <td class='sme-border'><%= $c->render_to_string(inline => $actionModify) %></td>
454     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_quo_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_quo_list.html.ep
455     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_quo_list.html.ep 2021-10-20 22:30:47.000000000 +0400
456     +++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_quo_list.html.ep 2021-11-05 23:57:15.000000000 +0400
457     @@ -56,7 +56,7 @@
458     %= t td => (class => 'sme-border') => sprintf("%.2f", $bs / 1024 )
459     %= t td => (class => 'sme-border') => sprintf("%.2f", $bh / 1024 )
460     %= t td => (class => 'sme-border') => sprintf("%.2f", $bc / 1024 )
461     - <td class='sme-border'><a href="quotad?trt=UPD&user=<%= $user->key%>"><%=l 'MODIFY'%></a></td>
462     + <td class='sme-border'><a href="quotad?CsrfDef=TOKEN&trt=UPD&user=<%= $user->key%>"><%=l 'MODIFY'%></a></td>
463     </tr>
464     % }
465     </tbody>
466     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_usr_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_usr_list.html.ep
467     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_usr_list.html.ep 2021-10-20 22:30:47.000000000 +0400
468     +++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_usr_list.html.ep 2021-10-10 23:46:45.000000000 +0400
469     @@ -60,19 +60,19 @@
470     %= t td => (class => 'sme-border') => $fwd
471     % my ($actionModify, $actionLock, $actionResetPw, $actionRemove) = '&nbsp;';
472     % if ($username eq 'admin') {
473     - % $actionModify = "<a href='useraccountsd?trt=UPS&user=" . $username . "'>" . l('MODIFY') . "</a>";
474     - % $actionResetPw = "<a href='useraccountsd?trt=PWS&user=" . $username . "'>" . l('PASSWORD_RESET') . "</a>";
475     + % $actionModify = "<a href='useraccountsd?CsrfDef=TOKEN&trt=UPS&user=" . $username . "'>" . l('MODIFY') . "</a>";
476     + % $actionResetPw = "<a href='useraccountsd?CsrfDef=TOKEN&trt=PWS&user=" . $username . "'>" . l('PASSWORD_RESET') . "</a>";
477     % } else {
478     - % $actionModify = "<a href='useraccountsd?trt=UPD&user=" . $username . "'>" . l('MODIFY') . "</a>";
479     + % $actionModify = "<a href='useraccountsd?CsrfDef=TOKEN&trt=UPD&user=" . $username . "'>" . l('MODIFY') . "</a>";
480     % if ($password_set ne 'yes') {
481     % $actionLock = l('ACCOUNT_LOCKED');
482     - % $actionResetPw = "<a href='useraccountsd?trt=PWD&user=" . $username . "' class='error'>" . l('PASSWORD_RESET') . "</a>";
483     + % $actionResetPw = "<a href='useraccountsd?CsrfDef=TOKEN&trt=PWD&user=" . $username . "' class='error'>" . l('PASSWORD_RESET') . "</a>";
484     % } else {
485     - % $actionLock = "<a href='useraccountsd?trt=LCK&user=" . $username . "'>" . l('usr_LOCK_ACCOUNT') . "</a>";
486     - % $actionResetPw = "<a href='useraccountsd?trt=PWD&user=" . $username . "'>" . l('PASSWORD_RESET') . "</a>";
487     + % $actionLock = "<a href='useraccountsd?CsrfDef=TOKEN&trt=LCK&user=" . $username . "'>" . l('usr_LOCK_ACCOUNT') . "</a>";
488     + % $actionResetPw = "<a href='useraccountsd?CsrfDef=TOKEN&trt=PWD&user=" . $username . "'>" . l('PASSWORD_RESET') . "</a>";
489     % }
490     % if ( $removable eq 'yes' ) {
491     - % $actionRemove = "<a href='useraccountsd?trt=DEL&user=" . $username . "'>" . l('REMOVE') . "</a>";
492     + % $actionRemove = "<a href='useraccountsd?CsrfDef=TOKEN&trt=DEL&user=" . $username . "'>" . l('REMOVE') . "</a>";
493     % }
494     % }
495     <td class='sme-border'><%= $c->render_to_string(inline => $actionModify) %></td>
496     diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/review.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/review.html.ep
497     --- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/review.html.ep 2020-11-19 11:53:26.000000000 +0400
498     +++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/review.html.ep 2021-07-27 21:08:13.000000000 +0400
499     @@ -8,123 +8,123 @@
500     %= form_for 'review' => begin
501     <b>
502     %=l 'rvw_NETWORKING_PARAMS'
503     - </b><br><br>
504     + </b><br>
505    
506     - <b>
507     + <p><span class=label>
508     %=l 'rvw_SERVER_MODE'
509     - </b>
510     + </span>
511     %= $rvw_datas->{servermode}
512     - <br>
513     + </p>
514    
515     - <b>
516     + <p><span class=label>
517     %=l 'rvw_LOCAL_IP_ADDRESS_SUBNET_MASK'
518     - </b>
519     + </span>
520     %= $rvw_datas->{localip}
521     - <br>
522     + </p>
523    
524     % if ( $rvw_datas->{publicip} ) {
525     - <b>
526     + <p><span class=label>
527     %=l 'rvw_INTERNET_VISIBLE_ADDRESS'
528     - </b>
529     + </span>
530     %= $rvw_datas->{publicip}
531     - <br>
532     + </p>
533     % }
534    
535     - <b>
536     + <p><span class=label>
537     %=l 'rvw_GATEWAY'
538     - </b>
539     + </span>
540     %= $rvw_datas->{gateway}
541     %= $rvw_datas->{serveronly}
542     - <br>
543     + </p>
544    
545     - <b>
546     + <p><table width='100%'><tr><td class=label><!--span class=label-->
547     %=l 'rvw_ADDITIONAL_LOCAL_NETWORKS'
548     - </b>
549     + <!--/span--></td><td>
550     %= $c->render_to_string( inline => $rvw_datas->{addlocalnetworks} );
551     - <br>
552     + </td></tr></table>
553     + </p>
554    
555     - <b>
556     + <p><span class=label>
557     %=l 'rvw_DHCP_SERVER'
558     - </b>
559     + </span>
560     %= $rvw_datas->{dhcpserver}
561     - <br>
562     - <br><br>
563     - <b>
564     + </p>
565     +
566     + <br><br><b>
567     %=l 'rvw_SERVER_NAMES'
568     - </b><br><br>
569     + </b><br>
570    
571     - <b>
572     + <p><span class=label>
573     %=l 'rvw_DNS_SERVER'
574     - </b>
575     + </span>
576     %= $rvw_datas->{dnsserver}
577     - <br>
578     + </p>
579    
580     - <b>
581     + <p><span class=label>
582     %=l 'rvw_WEB_SERVER'
583     - </b>
584     + </span>
585     %= $rvw_datas->{webserver}
586     - <br>
587     + </p>
588    
589     - <b>
590     + <p><span class=label>
591     %=l 'rvw_PROXY_SERVER'
592     - </b>
593     + </span>
594     %= $rvw_datas->{proxyserver}
595     - <br>
596     + </p>
597    
598     - <b>
599     + <p><span class=label>
600     %=l 'rvw_FTP_SERVER'
601     - </b>
602     + </span>
603     %= $rvw_datas->{ftpserver}
604     - <br>
605     + </p>
606    
607     - <b>
608     + <p><span class=label>
609     %=l 'rvw_SMTP_POP_AND_IMAP_MAIL_SERVERS'
610     - </b>
611     + </span>
612     %= $rvw_datas->{smtpserver}
613     - <br>
614     + </p>
615    
616     - <br><br>
617     - <b>
618     + <br><br><b>
619     %=l 'rvw_DOMAIN_INFORMATION'
620     - </b><br><br>
621     + </b><br>
622    
623     - <b>
624     + <p><span class=label>
625     %=l 'rvw_PRIMARY_DOMAIN'
626     - </b>
627     + </span>
628     %= $rvw_datas->{domainname}
629     - <br>
630     + </p>
631    
632     - <b>
633     + <p><span class=label>
634     %=l 'rvw_VIRTUAL_DOMAINS'
635     - </b>
636     + </span>
637     %= $rvw_datas->{virtualdomains}
638     - <br>
639     + </p>
640    
641     - <b>
642     + <p><span class=label>
643     %=l 'rvw_PRIMARY_WEB_SITE'
644     - </b>
645     + </span>
646     %= $rvw_datas->{primarywebsite}
647     - <br>
648     + </p>
649    
650     - <b>
651     + <p><span class=label>
652     %=l 'rvw_SERVER_MANAGER'
653     - </b>
654     + </span>
655     %= $rvw_datas->{servermanager}
656     - <br>
657     + </p>
658    
659     - <b>
660     + <p><span class=label>
661     %=l 'rvw_USER_PASSWORD_PANEL'
662     - </b>
663     + </span>
664     %= $rvw_datas->{usermanager}
665     - <br>
666     + </p>
667    
668     - <b>
669     + <p><table width='100%'><tr><td class=label>
670     %=l 'rvw_EMAIL_ADDRESSES'
671     - </b>
672     + </td><td>
673     %= $rvw_datas->{emailaddresses}
674     - <br>
675     -
676     - % end
677     + </td></tr></table></p>
678     +
679     + % end
680    
681     </div>
682    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed