From e1ceb050e19c7574bca146a8da7047ee4ff456b5 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Sun, 10 Jul 2016 05:02:35 -0400
Subject: [PATCH] Merge branch 'stable-3.1'
---
interface/web/admin/language_add.php | 58 ++++++++++++++++++++++++++++++++++------------------------
1 files changed, 34 insertions(+), 24 deletions(-)
diff --git a/interface/web/admin/language_add.php b/interface/web/admin/language_add.php
index a296171..f58a2db 100644
--- a/interface/web/admin/language_add.php
+++ b/interface/web/admin/language_add.php
@@ -27,11 +27,12 @@
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-require_once('../../lib/config.inc.php');
-require_once('../../lib/app.inc.php');
+require_once '../../lib/config.inc.php';
+require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
@@ -46,13 +47,13 @@
$language_option = '';
$error = '';
$msg = '';
-$selected_language = (isset($_REQUEST['lng_select']))?substr($_REQUEST['lng_select'],0,2):'en';
+$selected_language = (isset($_REQUEST['lng_select']))?substr($_REQUEST['lng_select'], 0, 2):'en';
if(!preg_match("/^[a-z]{2}$/i", $selected_language)) die('unallowed characters in selected language name.');
-$handle = opendir(ISPC_ROOT_PATH.'/lib/lang/');
-while ($file = readdir ($handle)) {
- if ($file != '.' && $file != '..') {
- $tmp_lng = substr($file,0,-4);
+$handle = opendir(ISPC_ROOT_PATH.'/lib/lang/');
+while ($file = readdir($handle)) {
+ if ($file != '.' && $file != '..') {
+ $tmp_lng = substr($file, 0, -4);
if($tmp_lng !='') {
$selected = ($tmp_lng == $selected_language)?'SELECTED':'';
$language_option .= "<option value='$tmp_lng' $selected>$tmp_lng</option>";
@@ -60,29 +61,33 @@
}
}
}
-$app->tpl->setVar('language_option',$language_option);
-$app->tpl->setVar('error',$error);
+$app->tpl->setVar('language_option', $language_option);
+$app->tpl->setVar('error', $error);
if(isset($_POST['lng_new']) && strlen($_POST['lng_new']) == 2 && $error == '') {
+
+ //* CSRF Check
+ $app->auth->csrf_token_check();
+
$lng_new = $_POST['lng_new'];
if(!preg_match("/^[a-z]{2}$/i", $lng_new)) die('unallowed characters in language name.');
-
+
//* Copy the main language file
- copy(ISPC_LIB_PATH."/lang/$selected_language.lng",ISPC_LIB_PATH."/lang/$lng_new.lng");
-
+ copy(ISPC_LIB_PATH."/lang/$selected_language.lng", ISPC_LIB_PATH."/lang/$lng_new.lng");
+
//* Make a copy of every language file
$bgcolor = '#FFFFFF';
$language_files_list = array();
- $handle = @opendir(ISPC_WEB_PATH);
- while ($file = @readdir ($handle)) {
- if ($file != '.' && $file != '..') {
- if(@is_dir(ISPC_WEB_PATH.'/'.$file.'/lib/lang')) {
+ $handle = @opendir(ISPC_WEB_PATH);
+ while ($file = @readdir($handle)) {
+ if ($file != '.' && $file != '..') {
+ if(@is_dir(ISPC_WEB_PATH.'/'.$file.'/lib/lang')) {
$handle2 = opendir(ISPC_WEB_PATH.'/'.$file.'/lib/lang');
- while ($lang_file = @readdir ($handle2)) {
- if ($lang_file != '.' && $lang_file != '..' && substr($lang_file,0,2) == $selected_language) {
- $new_lang_file = $lng_new.substr($lang_file,2);
+ while ($lang_file = @readdir($handle2)) {
+ if ($lang_file != '.' && $lang_file != '..' && substr($lang_file, 0, 2) == $selected_language) {
+ $new_lang_file = $lng_new.substr($lang_file, 2);
//echo ISPC_WEB_PATH.'/'.$file.'/lib/lang/'.$lang_file.' ## '.ISPC_WEB_PATH.'/'.$file.'/lib/lang/'.$new_lang_file;
- copy(ISPC_WEB_PATH.'/'.$file.'/lib/lang/'.$lang_file,ISPC_WEB_PATH.'/'.$file.'/lib/lang/'.$new_lang_file);
+ copy(ISPC_WEB_PATH.'/'.$file.'/lib/lang/'.$lang_file, ISPC_WEB_PATH.'/'.$file.'/lib/lang/'.$new_lang_file);
$msg = 'Added new language '.$lng_new;
}
}
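Review bot: Both `copy()` calls in the `lng_new` branch write to the target path without checking whether it already exists or whether the copy succeeded, so submitting a language code that is already installed replaces that language's files with the selected source, and `$msg` reports success either way. A guard before the first copy, e.g. `if(is_file(ISPC_LIB_PATH."/lang/$lng_new.lng")) die('language already exists.');`, plus testing the return value of `copy()` before setting `$msg`, would make the action fail closed. Because the pattern carries the `/i` flag, the existence test should compare case-insensitively (for instance on `strtolower($lng_new)`) so that `EN` cannot shadow `en` on a case-insensitive filesystem. The enclosing `if` block continues past the end of this hunk.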
@@ -91,15 +96,20 @@
}
}
-$app->tpl->setVar('msg',$msg);
+$app->tpl->setVar('msg', $msg);
-//* load language file
+//* SET csrf token
+$csrf_token = $app->auth->csrf_token_get('language_add');
+$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
+$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
+
+//* load language file
$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_add.lng';
-include($lng_file);
+include $lng_file;
$app->tpl->setVar($wb);
$app->tpl_defaults();
$app->tpl->pparse();
-?>
\ No newline at end of file
+?>
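Review bot: `include $lng_file;` near the end of this hunk builds its path from `$_SESSION['s']['language']` without validating it here, unlike `lng_select` and `lng_new`, which are both matched against `/^[a-z]{2}$/i` earlier in the file. If the session value is already constrained where it is set (not visible in this diff), this is only defence in depth; otherwise the same check should precede the include, e.g. `if(!preg_match("/^[a-z]{2}$/i", $_SESSION['s']['language'])) die('invalid language.');`. Separately, the two new `setVar` calls for `_csrf_id` and `_csrf_key` omit the space after the comma that the rest of this commit introduces.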
--
Gitblit v1.9.1