From ebd0e986ed11f2a34fb58cdd33efbfab192083ad Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Fri, 22 Apr 2016 05:26:17 -0400
Subject: [PATCH] Added PHP 7 check in installer and updater.

---
 interface/lib/classes/tform.inc.php |   16 +++++++++++-----
 1 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/interface/lib/classes/tform.inc.php b/interface/lib/classes/tform.inc.php
index 94f72c0..1722a77 100644
--- a/interface/lib/classes/tform.inc.php
+++ b/interface/lib/classes/tform.inc.php
@@ -386,12 +386,17 @@
 		
 		/* CSRF PROTECTION */
 		// generate csrf protection id and key
-		$_csrf_id = uniqid($this->formDef['name'] . '_');
+		/*$_csrf_id = uniqid($this->formDef['name'] . '_');
 		$_csrf_value = sha1(uniqid(microtime(true), true));
 		if(!isset($_SESSION['_csrf'])) $_SESSION['_csrf'] = array();
 		if(!isset($_SESSION['_csrf_timeout'])) $_SESSION['_csrf_timeout'] = array();
 		$_SESSION['_csrf'][$_csrf_id] = $_csrf_value;
 		$_SESSION['_csrf_timeout'][$_csrf_id] = time() + 3600; // timeout hash in 1 hour
+		*/
+		$csrf_token = $app->auth->csrf_token_get($this->formDef['name']);
+		$_csrf_id = $csrf_token['csrf_id'];
+		$_csrf_value = $csrf_token['csrf_key'];
+		
 		$this->formDef['tabs'][$tab]['fields']['_csrf_id'] = array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
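Review bot: The superseded token generation, from `/*$_csrf_id = uniqid(...` down to `*/`, is left in the file as a comment block instead of being deleted, even though `$app->auth->csrf_token_get($this->formDef['name'])` is now the only live path and the old code remains in history. Keeping it also leaves a misleading hint that sha1(uniqid()) is still the token source, so the block should simply be removed. The two new assignments assume `csrf_token_get()` always returns an array with `csrf_id` and `csrf_key`; if the helper can return null or false (not visible here), `$_csrf_id` and `$_csrf_value` become null and the form is emitted with empty hidden fields that can never validate, so either a guard such as `if(empty($csrf_token['csrf_id']) || empty($csrf_token['csrf_key'])) throw new Exception('CSRF token unavailable');` or a comment documenting that the helper cannot fail is worth adding. The enclosing method starts and ends outside this hunk.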
@@ -669,6 +674,7 @@
 		//$this->errorMessage = '';
 		
 		/* CSRF PROTECTION */
+		
 		if(isset($_POST) && is_array($_POST)) {
 			$_csrf_valid = false;
 			if(isset($_POST['_csrf_id']) && isset($_POST['_csrf_key'])) {
@@ -680,13 +686,11 @@
 			}
 			if($_csrf_valid !== true) {
 				$app->log('CSRF attempt blocked. Referer: ' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'unknown'), LOGLEVEL_WARN);
+				$errmsg = 'err_csrf_attempt_blocked';
+				$this->errorMessage .= ($api == true ? $errmsg : $this->wordbook[$errmsg]."<br />") . "\r\n";
 				unset($_POST);
 				unset($record);
 			}
-			$_SESSION['_csrf'][$_csrf_id] = ' ';
-			$_SESSION['_csrf_timeout'][$_csrf_id] = ' ';
-			unset($_SESSION['_csrf'][$_csrf_id]);
-			unset($_SESSION['_csrf_timeout'][$_csrf_id]);
 			
 			if(isset($_SESSION['_csrf_timeout']) && is_array($_SESSION['_csrf_timeout'])) {
 				$to_unset = array();
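Review bot: Removing the four lines that blanked and unset `$_SESSION['_csrf'][$_csrf_id]` after a check means a token is no longer consumed on use and stays valid until its timeout (set one hour ahead at generation in the first hunk), so a leaked or replayed `_csrf_key` now works for repeated submissions within that window. That may be intended (multi-tab forms, or invalidation now living in `$app->auth`), but nothing in the hunk says so; a comment such as `// tokens are per-form and reusable until timeout; invalidation is handled by auth->csrf_token_get()` or a re-added single-use unset after a successful check would make the intent explicit. The comparison of the posted key with the stored value is above this hunk and not visible, so whether it uses `hash_equals()` cannot be confirmed from here. The new error line indexes `$this->wordbook[$errmsg]` directly; if a language file lacks `err_csrf_attempt_blocked`, that raises an undefined-index notice and appends an empty message, so `(isset($this->wordbook[$errmsg]) ? $this->wordbook[$errmsg] : $errmsg)` is the safer form.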
@@ -694,6 +698,8 @@
 					if($timeout < time()) $to_unset[] = $_csrf_id;
 				}
 				foreach($to_unset as $_csrf_id) {
+					$_SESSION['_csrf'][$_csrf_id] = null;
+					$_SESSION['_csrf_timeout'][$_csrf_id] = null;
 					unset($_SESSION['_csrf'][$_csrf_id]);
 					unset($_SESSION['_csrf_timeout'][$_csrf_id]);
 				}
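Review bot: The two added assignments `$_SESSION['_csrf'][$_csrf_id] = null;` and `$_SESSION['_csrf_timeout'][$_csrf_id] = null;` are immediately followed by `unset()` of the same keys, so on their own they have no observable effect on the session array. If they work around a specific session-serialisation or reference quirk (the commit title mentions PHP 7, which may be the motivation, but the diff does not say), a one-line comment such as `// assign null before unset: <reason>` would stop the next maintainer from removing them as dead code. If there is no such reason they should be dropped so the loop reads as a plain unset. The enclosing method continues outside this hunk.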

--
Gitblit v1.9.1