Last active
March 23, 2017 10:53
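--- a/app/addons/email_marketing/func.php
+++ b/app/addons/email_marketing/func.php
@@ -353,3 +353,16 @@ function fn_em_get_company_condition()
     return $condition;
 }
+
+/**
+ * Enables CSRF validation for the "em_subscribers.update" controller at customer area.
+ */
+function fn_email_marketing_csrf_validate_request_pre($params, &$validation_required)
+{
+    if (!$validation_required) {
+        $validation_required = $params['server']['REQUEST_METHOD'] == 'POST'
+            && $params['area'] == 'C'
+            && $params['controller'] == 'em_subscribers'
+            && $params['mode'] == 'update';
+    }
+}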
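Review bot: The condition added to fn_email_marketing_csrf_validate_request_pre compares `$params['server']['REQUEST_METHOD']`, `area`, `controller` and `mode` with loose `==`; all four are string-to-string-literal comparisons, so `===` is the clearer and safer form, e.g. `$validation_required = $params['server']['REQUEST_METHOD'] === 'POST'` and the same on the three lines that follow. If `$params['server']` can arrive without a `REQUEST_METHOD` key (the hook docblock in fn.common.php says it is `$_SERVER`, which does not carry that key in every SAPI), an `isset($params['server']['REQUEST_METHOD'])` guard ahead of the comparison would avoid a notice. The docblock also omits the parameters; adding `@param array $params` and `@param bool $validation_required` (passed by reference, set to true when this controller/mode must be validated) would document the hook contract the function implements.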
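--- /dev/null
+++ b/app/addons/email_marketing/init.php
@@ -0,0 +1,17 @@
+<?php
+/***************************************************************************
+*                                                                          *
+*   (c) 2004 Vladimir V. Kalynyak, Alexey V. Vinokurov, Ilya M. Shalnev    *
+*                                                                          *
+* This  is  commercial  software,  only  users  who have purchased a valid *
+* license  and  accept  to the terms of the  License Agreement can install *
+* and use this program.                                                    *
+*                                                                          *
+****************************************************************************
+* PLEASE READ THE FULL TEXT  OF THE SOFTWARE  LICENSE   AGREEMENT  IN  THE *
+* "copyright.txt" FILE PROVIDED WITH THIS DISTRIBUTION PACKAGE.            *
+****************************************************************************/
+
+fn_register_hooks(
+    'csrf_validate_request_pre'
+);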
diff --git a/app/functions/fn.common.php b/app/functions/fn.common.php | |
index 10f30e5..6148679 100644 | |
--- a/app/functions/fn.common.php | |
+++ b/app/functions/fn.common.php | |
@@ -6371,7 +6371,6 @@ function fn_get_secondary_currency() | |
function fn_is_csrf_protection_enabled($auth) | |
{ | |
return Registry::get('config.tweaks.anti_csrf') | |
- && !empty($auth['user_id']) | |
&& !defined('CONSOLE') | |
&& !defined('API'); | |
} | |
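Review bot: With the `!empty($auth['user_id'])` test removed, the `$auth` parameter of fn_is_csrf_protection_enabled is no longer read anywhere in the body, yet the signature keeps it; its docblock (above the hunk, not visible here) presumably still describes it as the logged-in user's auth data and should now say it is retained for signature compatibility only. A one-line comment such as `// $auth is kept for backwards compatibility; protection no longer depends on a logged-in user` above the `return` would make the new intent clear to callers and to anyone reading the default-deny logic later in fn_csrf_validate_request. The function's docblock starts outside the hunk.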
@@ -6393,9 +6392,31 @@ function fn_is_csrf_protection_enabled($auth) | |
*/ | |
function fn_csrf_validate_request($params) | |
{ | |
- // Check is performed only for admin area and "profiles" controller of customer area | |
- if ($params['area'] == 'A' || ($params['area'] == 'C' && $params['controller'] == 'profiles')) { | |
+ $validation_required = false; | |
+ /** | |
+ * Allows to require CSRF validation in certain cases. | |
+ * | |
+ * @param array $params List of parameters: | |
+ * * server - $_SERVER array | |
+ * * request - $_REQUEST array | |
+ * * session - Tygh::$app['session'] array | |
+ * * controller - curently running controller | |
+ * * mode - currently running mode of controller | |
+ * * action & dispatch_extra - additional dispatch parameters | |
+ * * auth - Tygh::$app['session']['auth'] data | |
+ * * area - 'A' or 'C' | |
+ * | |
+ * @param bool $validation_required A flag indicating whether the CSRF validation is required, defaults to false | |
+ */ | |
+ fn_set_hook('csrf_validate_request_pre', $params, $validation_required); | |
+ | |
+ // By default validation is only performed for admin area and "profiles" controller of customer area | |
+ if (!$validation_required) { | |
+ $validation_required = $params['area'] == 'A' || ($params['area'] == 'C' && $params['controller'] == 'profiles'); | |
+ } | |
+ | |
+ if ($validation_required) { | |
$trusted_controllers = array('payment_notification'); | |
if ($params['server']['REQUEST_METHOD'] == 'POST' |