From fc0edb2f00bcdc6baaaa29f9041e82f3003b9b44 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Sun, 07 Jun 2015 12:16:19 -0400
Subject: [PATCH] Merge branch 'master' into 'master'

---
 interface/lib/classes/tform_base.inc.php |   22 ++++++++++------------
 1 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php
index d030c55..784e96a 100644
--- a/interface/lib/classes/tform_base.inc.php
+++ b/interface/lib/classes/tform_base.inc.php
@@ -416,12 +416,10 @@
 
 		/* CSRF PROTECTION */
 		// generate csrf protection id and key
-		$_csrf_id = uniqid($this->formDef['name'] . '_');
-		$_csrf_value = sha1(uniqid(microtime(true), true));
-		if(!isset($_SESSION['_csrf'])) $_SESSION['_csrf'] = array();
-		if(!isset($_SESSION['_csrf_timeout'])) $_SESSION['_csrf_timeout'] = array();
-		$_SESSION['_csrf'][$_csrf_id] = $_csrf_value;
-		$_SESSION['_csrf_timeout'][$_csrf_id] = time() + 3600; // timeout hash in 1 hour
+		$csrf_token = $app->auth->csrf_token_get($this->formDef['name']);
+		$_csrf_id = $csrf_token['csrf_id'];
+		$_csrf_value = $csrf_token['csrf_key'];
+		
 		$this->formDef['tabs'][$tab]['fields']['_csrf_id'] = array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
@@ -471,7 +469,7 @@
 						if(is_array($field['value'])) {
 							foreach($field['value'] as $k => $v) {
 								$selected = ($k == $val)?' SELECTED':'';
-								if(!empty($this->wordbook[$v]))
+								if(isset($this->wordbook[$v]))
 									$v = $this->wordbook[$v];
 								$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
 							}
@@ -709,13 +707,11 @@
 				}
 				if($_csrf_valid !== true) {
 					$app->log('CSRF attempt blocked. Referer: ' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'unknown'), LOGLEVEL_WARN);
+					$errmsg = 'err_csrf_attempt_blocked';
+					$this->errorMessage .= ($api == true ? $errmsg : $this->wordbook[$errmsg]."<br />") . "\r\n";
 					unset($_POST);
 					unset($record);
 				}
-				$_SESSION['_csrf'][$_csrf_id] = ' ';
-				$_SESSION['_csrf_timeout'][$_csrf_id] = ' ';
-				unset($_SESSION['_csrf'][$_csrf_id]);
-				unset($_SESSION['_csrf_timeout'][$_csrf_id]);
 				
 				if(isset($_SESSION['_csrf_timeout']) && is_array($_SESSION['_csrf_timeout'])) {
 					$to_unset = array();
@@ -723,6 +719,8 @@
 						if($timeout < time()) $to_unset[] = $_csrf_id;
 					}
 					foreach($to_unset as $_csrf_id) {
+						$_SESSION['_csrf'][$_csrf_id] = null;
+						$_SESSION['_csrf_timeout'][$_csrf_id] = null;
 						unset($_SESSION['_csrf'][$_csrf_id]);
 						unset($_SESSION['_csrf_timeout'][$_csrf_id]);
 					}
@@ -943,7 +941,7 @@
 				}
 				break;
 			case 'NOTEMPTY':
-				if(empty($field_value)) {
+				if(!isset($field_value) || $field_value === '') {
 					$errmsg = $validator['errmsg'];
 					if(isset($this->wordbook[$errmsg])) {
 						$this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";

--
Gitblit v1.9.1