From e1ceb050e19c7574bca146a8da7047ee4ff456b5 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Sun, 10 Jul 2016 05:02:35 -0400
Subject: [PATCH] Merge branch 'stable-3.1'

---
 interface/web/admin/language_edit.php |   12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/interface/web/admin/language_edit.php b/interface/web/admin/language_edit.php
index fda70a6..c94a5eb 100644
--- a/interface/web/admin/language_edit.php
+++ b/interface/web/admin/language_edit.php
@@ -32,6 +32,7 @@
 
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
 
 //* This is only allowed for administrators
 if(!$app->auth->is_admin()) die('only allowed for administrators.');
@@ -54,10 +55,14 @@
 
 //* Save data
 if(isset($_POST['records']) && is_array($_POST['records'])) {
+	
+	//* CSRF Check
+	$app->auth->csrf_token_check();
+	
 	$file_content = "<?php\n";
 	foreach($_POST['records'] as $key => $val) {
 		$val = stripslashes($val);
-		$val = str_replace('"', '\"', $val);
+		$val = preg_replace('/(^|[^\\\\])((\\\\\\\\)*)"/', '$1$2\\"', $val);
 		$val = str_replace('$', '', $val);
 		$file_content .= '$wb['."'$key'".'] = "'.$val.'";'."\n";
 		$msg = 'File saved.';
@@ -92,6 +97,11 @@
 	unset($wb);
 }
 
+//* SET csrf token
+$csrf_token = $app->auth->csrf_token_get('language_edit');
+$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
+$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
+
 
 //* load language file
 $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_edit.lng';

--
Gitblit v1.9.1