From 5ca959fa688255a8de61f89fe2751eb4d24a6912 Mon Sep 17 00:00:00 2001
From: Florian Schaal <florian@schaal-24.de>
Date: Tue, 22 Mar 2016 09:22:07 -0400
Subject: [PATCH] fixed typo

---
 interface/web/admin/remote_action_osupdate.php |   21 ++++++++++++---------
 1 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/interface/web/admin/remote_action_osupdate.php b/interface/web/admin/remote_action_osupdate.php
index 4000d7f..5e73cdf 100644
--- a/interface/web/admin/remote_action_osupdate.php
+++ b/interface/web/admin/remote_action_osupdate.php
@@ -32,6 +32,7 @@
 
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_osupdate');
 
 //* This is only allowed for administrators
 if(!$app->auth->is_admin()) die('only allowed for administrators.');
@@ -61,6 +62,10 @@
  * If the user wants to do the action, write this to our db
 */
 if (isset($_POST['server_select'])) {
+	
+	//* CSRF Check
+	$app->auth->csrf_token_check();
+	
 	$server = $_POST['server_select'];
 	$servers = array();
 	if ($server == '*') {
@@ -75,21 +80,19 @@
 	}
 	foreach ($servers as $serverId) {
 		$sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " .
-			"VALUES (".
-			$app->functions->intval($serverId) . ", " .
-			time() . ", " .
-			"'os_update', " .
-			"'', " .
-			"'pending', " .
-			"''" .
-			")";
-		$app->db->query($sql);
+			"VALUES (?, UNIX_TIMESTAMP(), 'os_update', '', 'pending', '')";
+		$app->db->query($sql, $serverId);
 	}
 	$msg = $wb['action_scheduled'];
 }
 
 $app->tpl->setVar('msg', $msg);
 
+//* SET csrf token
+$csrf_token = $app->auth->csrf_token_get('osupdate');
+$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
+$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
+
 $app->tpl->setVar($wb);
 
 $app->tpl_defaults();

--
Gitblit v1.9.1