Commit 2c0e8109 authored by Michael Kaczmarczik's avatar Michael Kaczmarczik Committed by Stefan Hornburg (Racke)

Add token to prevent CSRF.

parent 32b15820
......@@ -29,6 +29,7 @@
[% IF is_privileged_owner %]
[% IF list_conf.status == 'closed' ~%]
<form name="manage_list_status" action="[% path_cgi %]" method="post">
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<div>
<input class="MainMenuLinks" type="submit" name="action_open_list"
value="[%|loc%]Restore List[%END%]" />
......@@ -44,6 +45,7 @@
</a></p>
[%~ ELSE ~%]
<form name="manage_list_status" action="[% path_cgi %]" method="post">
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<div>
<input class="MainMenuLinks" type="submit" name="action_close_list"
value="[%|loc%]Remove List[%END%]" />
......@@ -55,6 +57,7 @@
[% IF may_create_list && ! is_included ~%]
<form name="manage_list_name" action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<input class="MainMenuLinks" type="submit" name="action_rename_list_request" value="[%|loc%]Rename List[%END%]"/> [%|loc%]Allows you to change this list's name. Everything related to the list will be renamed, including the mail aliases and the web archives.[%END%]
<input type="hidden" name="list" value="[% list %]"/>
</fieldset>
......@@ -64,6 +67,7 @@
[% IF is_listmaster || is_owner %]
<form name="manage_shared_status" action="[% path_cgi %]" method="post">
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<div>
[% IF shared == 'none' %]
<input class="MainMenuLinks" type="submit" name="action_d_admin" value="[%|loc%]Create Shared[%END%]"/> [%|loc%]Initializes the shared document web space.[%END%]
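Review bot: The added `<input type="hidden" name="csrftoken" value="[% csrftoken %]" />` in the `manage_list_status`, `manage_list_name` and `manage_shared_status` forms only emits the token; no handler-side comparison is visible on this page, so it cannot be confirmed from here that `action_open_list`, `action_close_list`, `action_rename_list_request` and `action_d_admin` reject a missing or mismatched token. The same applies to every other template form this commit touches. Because the line is pasted into each form, a form added later can omit it unnoticed, so the server check should fail closed (no token, no state change) rather than depend on the template. A comment beside the first form, e.g. `[%# csrftoken: handler must reject the POST when this is absent or wrong %]`, would record that dependency.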
......
......@@ -14,6 +14,7 @@
</p>
<form class="noborder" name="zip_form" method="post" action="[% path_cgi %]">
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<div>
<label for="directories">[%|loc%]Archive Selection:[%END%]</label><br />
<select name="directories" id="directories" multiple="multiple" size="4">
......
......@@ -95,6 +95,7 @@
<form method="post" action="[% path_cgi %]" class="noborder">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<input type="hidden" name="list" value="[% list %]" />
<input type="hidden" name="archive_name" value="[% archive_name %]" />
<input type="hidden" name="key_word" value="[% key_word %]" />
......
......@@ -11,6 +11,7 @@
<form id="bold_label" method="post" action="[% path_cgi %]">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<input name="list" type="hidden" value="[% list %]" />
<input name="archive_name" type="hidden" value="[% archive_name %]" />
......
......@@ -25,6 +25,7 @@
[% rows = rows+2 %]
<form class="noborder" action="[% 'blacklist' | url_rel %]" method="post">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<textarea name="blacklist" cols="80" rows="[% rows %]">
[%~ blacklist ~%]
</textarea><br />
......
......@@ -4,6 +4,7 @@
You will need this password to perform privileged operations.[%END%]
<br />
<form action="[% path_cgi %]" method="post">
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<fieldset>
<input type="hidden" name="previous_action" value="[% previous_action %]" />
<input type="hidden" name="previous_list" value="[% previous_list %]" />
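Review bot: In this form the token input is a direct child of `<form>`, ahead of `<fieldset>`, while the neighbouring hidden inputs (`previous_action`, `previous_list`) and most other forms in this commit keep it inside the `<fieldset>`. Moving it one line down, to just after `<fieldset>`, keeps the placement uniform and makes a missing token easier to spot when the forms are audited. The form's remaining lines are outside the hunk.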
......
<!-- compose_mail.tt2 -->
<form class="noborder" action="[% path_cgi %]" method="post" name="compose_mail" enctype="multipart/form-data">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
[%|loc(user.email)%]From: %1[%END%]<br />
[% mailto = BLOCK ~%]
[% to | mailto(to) | obfuscate(listconf.spam_protection) %]
......
......@@ -227,6 +227,7 @@
[%~ END %]
<form action="[% path_cgi %]" method="POST">
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
[% IF confirm_action == 'add' ~%]
[% FOREACH e = email ~%]
<input type="hidden" name="email" value="[% e %]" />
......
......@@ -4,6 +4,7 @@
<p>
<form id="cp_template" action="[% 'copy_template' | url_rel %]" method="post">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<legend><strong> [%|loc%]Input template[%END%]</strong> </legend>
<label>[%|loc%]Template name: [%END%]</label><strong> [% template_name %] </strong><br />
<label>[%|loc%]Scope: [%END%]</label>[% SWITCH scope -%]
......
......@@ -4,6 +4,7 @@
<p>[%|loc%]With this form, you can create and / or access lists created on the basis of parameters you define.[% END %]</p>
<form action="[% path_cgi %]" method="post" class="add-request"
name="create_automatic_list">
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
[% FOREACH p = family.description.class ~%]
<h2>[% p.stamp %]</h2>
<p> [% p.description %]</p>
......
......@@ -6,6 +6,7 @@
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<label for="listname">[%|loc%]List name:[%END%]</label><input type="text" id="listname" name="listname" size="30" value="[% saved.listname %]" />
<label for="owner">[%|loc%]Owner:[%END%]</label> <span>[% user.email %]</span>
<label for="list_type">[%|loc%]List type:[%END%]</label>
......@@ -81,6 +82,7 @@
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<select name="list">
[% FOREACH l = all_lists %]
<option value="[% l.name %]">[% l.name %]</option>
......
......@@ -80,6 +80,7 @@
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<label for="read_access">[%|loc%]Read access[%END%]</label>
<select id="read_access" name="read_access">
[% FOREACH s = scenari_read %]
......@@ -103,6 +104,7 @@
[% IF set_owner %]
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<label for="content">[%|loc(shared_doc.name)%]Set the owner of the directory %1[%END%]</label>
<input type="hidden" name="list" value="[% list %]" />
<input type="hidden" name="path" value="[% shared_doc.paths.join("/") %]" />
......
......@@ -74,6 +74,7 @@
[% IF shared_doc.type == 'url' ~%]
<form method="post" action="[% path_cgi %]">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<label for="url">[%|loc%]Bookmark URL[%END%]</label>
<input id="url" name="url" value="[% shared_doc.url %]" />
<input class="MainMenuLinks" type="submit" value="[%|loc%]Update[%END%]"
......@@ -82,6 +83,7 @@
[%~ ELSE ~%]
<form method="post" action="[% path_cgi %]" enctype="multipart/form-data">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<label for="uploaded_file">
[%|loc(shared_doc.name)%]Replace the file %1 with your file[%END%] </label>
<input id="uploaded_file" type="file" name="uploaded_file" />
......@@ -102,6 +104,7 @@
[% IF textfile %]
<form action="[% path_cgi %]" method="POST">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<label for="content">[%|loc(shared_doc.name)%]Edit the file %1[%END%]</label>
<textarea id="content" name="content" cols="90" rows="25">
[%~ shared_doc.content ~%]
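Review bot: The upload form in the middle hunk (`enctype="multipart/form-data"`, field `uploaded_file`) carries the token inside the multipart body, so the handler presumably cannot see it until the request body has been parsed. The token check should run before the uploaded file replaces the existing one. Nothing on this page shows that ordering, so it is worth confirming for this form and for the other multipart forms in the commit (`compose_mail`, and the upload and unzip forms in the shared-document listing). The bodies of all three forms in this section continue outside their hunks.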
......
......@@ -8,6 +8,7 @@
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<input id="mode_confirm" class="MainMenuLinks" type="submit" name="mode_confirm" value="[%|loc%]Confirm[%END%]" /></td>
<input id="mode_cancel" class="MainMenuLinks" type="submit" name="mode_cancel" value="[%|loc%]Cancel[%END%]" /></td>
<input type="hidden" name="list" value="[% list %]" />
......
......@@ -86,6 +86,7 @@
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<label for="content">
[% IF shared_doc.type == 'directory' %]
[%|loc(shared_doc.name)%]Describe directory '%1'[%END%]
......@@ -105,6 +106,7 @@
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<label for="new_name">
[% IF shared_doc.type == 'directory' %]
[%|loc(shared_doc.name)%]Rename directory %1[%END%]
......
......@@ -295,6 +295,7 @@
<form method="post" action="[% path_cgi %]">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<h6>
[% IF shared_doc.paths.size ~%]
[%|loc(shared_doc.name)%]Create a new folder inside folder %1[%END%]
......@@ -315,6 +316,7 @@
<form method="post" action="[% path_cgi %]">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<h6> [%|loc%]Create a new file[%END%]</h6>
<label for="name_file">[%|loc%]File name[%END%]</label> <input id="name_file" maxlength="30" type="text" name="new_name" />
<input class="MainMenuLinks" type="submit" value="[%|loc%]Create[%END%]" name="action_d_create_child" />
......@@ -328,6 +330,7 @@
<form method="post" action="[% path_cgi %]">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<h6>[%|loc%]Add a bookmark[%END%]</h6>
<label for="name_title">[%|loc%]title[%END%]</label>
<input id="name_title" maxlength="100" size="25" type="text"
......@@ -345,6 +348,7 @@
<form method="post" action="[% path_cgi %]" enctype="multipart/form-data" >
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<h6>
[% IF shared_doc.paths.size %]
[%|loc(shared_doc.name)%]Upload a file inside folder %1[%END%]
......@@ -363,6 +367,7 @@
[% IF total_edit ~%]
<form method="post" action="[% path_cgi %]" enctype="multipart/form-data" >
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<h6>
[% IF shared_doc.paths.size ~%]
[%|loc(shared_doc.name)%]Unzip a file inside the folder %1[%END%]
......
......@@ -11,6 +11,7 @@
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<label for="mode_delete">[%|loc(shortname)%]Do you want to delete the old file %1?[%END%]</label>
<input id="mode_delete" class="MainMenuLinks" type="submit" name="mode_delete" value="[%|loc%]Delete[%END%]" />
<label for="new_name">[%|loc(shortname)%]Do you want to rename your file %1?[%END%]</label>
......
......@@ -4,6 +4,7 @@
<form class="noborder toggleContainer" data-toggle-selector="input[name='id']"
action="[% path_cgi %]" method="POST" name="moderate_shared">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<input type="hidden" name="list" value="[% list %]" />
<input class="MainMenuLinks" type="submit" name="action_d_install_shared" value="[%|loc%]Install[%END%]" />
<input class="MainMenuLinks" type="submit" name="action_d_reject_shared.quiet" value="[%|loc%]Reject[%END%]" />
......
......@@ -20,6 +20,7 @@
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<textarea cols="80" rows="10" name="new_scenario_content">[% dumped_scenario %]</textarea><br />
<input type="hidden" name="list" value="[% list %]" />
<input type="hidden" name="pname" value="[% pname %]" />
......
......@@ -17,6 +17,7 @@
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="csrftoken" value="[% csrftoken %]" />
<input type="hidden" name="previous_action" value="[% previous_action %]" />
<input type="hidden" name="list" value="[% list %]" />
<input type="hidden" name="role" value="[% pS.name %]" />
......