moved tokens again
danielkerr committed Jan 4, 2024
1 parent 1eaa7d1 commit 241592d
Showing 18 changed files with 54 additions and 46 deletions.
3 changes: 1 addition & 2 deletions upload/admin/controller/setting/setting.php
Expand Up @@ -182,16 +182,15 @@ public function index(): void {
// CMS
$data['config_article_description_length'] = $this->config->get('config_article_description_length');
$data['config_comment_status'] = $this->config->get('config_comment_status');
$data['config_comment_guest'] = $this->config->get('config_comment_guest');
$data['config_comment_approve'] = $this->config->get('config_comment_approve');
$data['config_comment_interval'] = $this->config->get('config_comment_interval');

// Voucher
$data['config_voucher_min'] = $this->config->get('config_voucher_min');
$data['config_voucher_max'] = $this->config->get('config_voucher_max');

// Legal
$data['config_cookie_id'] = $this->config->get('config_cookie_id');

$data['config_gdpr_id'] = $this->config->get('config_gdpr_id');
$data['config_gdpr_limit'] = $this->config->get('config_gdpr_limit');

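--- a/upload/admin/view/template/setting/setting.twig
+++ b/upload/admin/view/template/setting/setting.twig
@@ -392,16 +392,6 @@
 <div class="form-text">{{ help_comment }}</div>
 </div>
 </div>
-<div class="row mb-3">
-<label class="col-sm-2 col-form-label">{{ entry_comment_guest }}</label>
-<div class="col-sm-10">
-<div class="form-check form-switch form-switch-lg">
-<input type="hidden" name="config_comment_guest" value="0"/>
-<input type="checkbox" name="config_comment_guest" value="1" id="input-comment-guest" class="form-check-input"{% if config_comment_guest %} checked{% endif %}/>
-</div>
-<div class="form-text">{{ help_comment_guest }}</div>
-</div>
-</div>
 <div class="row mb-3">
 <label class="col-sm-2 col-form-label">{{ entry_comment_approve }}</label>
 <div class="col-sm-10">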
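--- a/upload/catalog/controller/account/address.php
+++ b/upload/catalog/controller/account/address.php
@@ -186,7 +186,9 @@ public function form(): void {
 $data['save'] = $this->url->link('account/address.save', 'language=' . $this->config->get('config_language') . '&customer_token=' . $this->session->data['customer_token'] . '&address_id=' . $this->request->get['address_id']);
 }
 
-$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token'] = oc_token(32));
+$this->session->data['upload_token'] = oc_token(32);
+
+$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token']);
 
 if (isset($this->request->get['address_id'])) {
 $this->load->model('account/address');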
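--- a/upload/catalog/controller/account/affiliate.php
+++ b/upload/catalog/controller/account/affiliate.php
@@ -44,7 +44,10 @@ public function index(): void {
 ];
 
 $data['save'] = $this->url->link('account/affiliate.save', 'language=' . $this->config->get('config_language') . '&customer_token=' . $this->session->data['customer_token']);
-$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token'] = oc_token(32));
+
+$this->session->data['upload_token'] = oc_token(32);
+
+$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token']);
 
 $this->load->model('account/affiliate');
 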
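--- a/upload/catalog/controller/account/edit.php
+++ b/upload/catalog/controller/account/edit.php
@@ -44,7 +44,10 @@ public function index(): void {
 $data['config_telephone_required'] = $this->config->get('config_telephone_required');
 
 $data['save'] = $this->url->link('account/edit.save', 'language=' . $this->config->get('config_language') . '&customer_token=' . $this->session->data['customer_token']);
-$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token'] = oc_token(32));
+
+$this->session->data['upload_token'] = oc_token(32);
+
+$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token']);
 
 $this->load->model('account/customer');
 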
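--- a/upload/catalog/controller/account/forgotten.php
+++ b/upload/catalog/controller/account/forgotten.php
@@ -148,7 +148,7 @@ public function reset(): void {
 'href' => $this->url->link('account/forgotten.reset', 'language=' . $this->config->get('config_language'))
 ];
 
-$this->session->data['reset_token'] = substr(bin2hex(openssl_random_pseudo_bytes(26)), 0, 26);
+$this->session->data['reset_token'] = oc_token(26);
 
 $data['save'] = $this->url->link('account/forgotten.password', 'language=' . $this->config->get('config_language') . '&email=' . urlencode($email) . '&code=' . $code . '&reset_token=' . $this->session->data['reset_token']);
 $data['back'] = $this->url->link('account/login', 'language=' . $this->config->get('config_language'));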
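Review bot: The password-reset token's entropy now rests entirely on `oc_token()`, whose implementation is not part of this commit, whereas the line it replaces drew from `openssl_random_pseudo_bytes()`, a CSPRNG. Before merging, confirm that `oc_token()` is backed by `random_bytes()`/`random_int()` (never `mt_rand()`/`rand()`/`uniqid()`) and that its length argument yields at least the ~104 bits the old 26-hex-char token carried; the same helper now backs the login, register, return, voucher, comment and upload tokens in this commit, so a weak source would affect all of them at once. A one-line comment at the call site would make the assumption explicit for the next reader: `// oc_token() must be CSPRNG-backed; this token gates account/forgotten.password`. reset()'s body continues outside the hunk.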
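--- a/upload/catalog/controller/account/login.php
+++ b/upload/catalog/controller/account/login.php
@@ -82,7 +82,7 @@ public function index(): void {
 $data['redirect'] = '';
 }
 
-$this->session->data['login_token'] = substr(bin2hex(openssl_random_pseudo_bytes(26)), 0, 26);
+$this->session->data['login_token'] = oc_token(26);
 
 $data['login'] = $this->url->link('account/login.login', 'language=' . $this->config->get('config_language') . '&login_token=' . $this->session->data['login_token']);
 $data['register'] = $this->url->link('account/register', 'language=' . $this->config->get('config_language'));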
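--- a/upload/catalog/controller/account/register.php
+++ b/upload/catalog/controller/account/register.php
@@ -43,10 +43,13 @@ public function index(): void {
 $data['config_telephone_display'] = $this->config->get('config_telephone_display');
 $data['config_telephone_required'] = $this->config->get('config_telephone_required');
 
-$this->session->data['register_token'] = substr(bin2hex(openssl_random_pseudo_bytes(26)), 0, 26);
+$this->session->data['register_token'] = oc_token(26);
 
 $data['register'] = $this->url->link('account/register.register', 'language=' . $this->config->get('config_language') . '&register_token=' . $this->session->data['register_token']);
-$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token'] = oc_token(32));
+
+$this->session->data['upload_token'] = oc_token(32);
+
+$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token']);
 
 $data['customer_groups'] = [];
 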
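--- a/upload/catalog/controller/account/returns.php
+++ b/upload/catalog/controller/account/returns.php
@@ -217,7 +217,7 @@ public function add(): void {
 'href' => $this->url->link('account/returns.add', 'language=' . $this->config->get('config_language'))
 ];
 
-$this->session->data['return_token'] = substr(bin2hex(openssl_random_pseudo_bytes(26)), 0, 26);
+$this->session->data['return_token'] = oc_token(26);
 
 $data['save'] = $this->url->link('account/returns.save', 'language=' . $this->config->get('config_language') . '&return_token=' . $this->session->data['return_token']);
 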
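--- a/upload/catalog/controller/checkout/payment_address.php
+++ b/upload/catalog/controller/checkout/payment_address.php
@@ -15,7 +15,9 @@ public function index(): string {
 $data['error_upload_size'] = sprintf($this->language->get('error_upload_size'), $this->config->get('config_file_max_size'));
 $data['config_file_max_size'] = ((int)$this->config->get('config_file_max_size') * 1024 * 1024);
 
-$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token'] = oc_token(32));
+$this->session->data['upload_token'] = oc_token(32);
+
+$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token']);
 
 $this->load->model('account/address');
 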
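--- a/upload/catalog/controller/checkout/register.php
+++ b/upload/catalog/controller/checkout/register.php
@@ -26,7 +26,9 @@ public function index(): string {
 
 $data['shipping_required'] = $this->cart->hasShipping();
 
-$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token'] = oc_token(32));
+$this->session->data['upload_token'] = oc_token(32);
+
+$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token']);
 
 $data['customer_groups'] = [];
 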
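--- a/upload/catalog/controller/checkout/shipping_address.php
+++ b/upload/catalog/controller/checkout/shipping_address.php
@@ -16,7 +16,9 @@ public function index(): string {
 $data['config_file_max_size'] = ((int)$this->config->get('config_file_max_size') * 1024 * 1024);
 $data['payment_address_required'] = $this->config->get('config_checkout_payment_address');
 
-$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token'] = oc_token(32));
+$this->session->data['upload_token'] = oc_token(32);
+
+$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token']);
 
 $this->load->model('account/address');
 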
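--- a/upload/catalog/controller/checkout/voucher.php
+++ b/upload/catalog/controller/checkout/voucher.php
@@ -37,7 +37,7 @@ public function index(): void {
 
 $data['help_amount'] = sprintf($this->language->get('help_amount'), $this->currency->format($this->config->get('config_voucher_min'), $this->session->data['currency']), $this->currency->format($this->config->get('config_voucher_max'), $this->session->data['currency']));
 
-$this->session->data['voucher_token'] = substr(bin2hex(openssl_random_pseudo_bytes(26)), 0, 26);
+$this->session->data['voucher_token'] = oc_token(26);
 
 $data['save'] = $this->url->link('checkout/voucher.add', 'language=' . $this->config->get('config_language') . '&voucher_token=' . $this->session->data['voucher_token']);
 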
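--- a/upload/catalog/controller/cms/comment.php
+++ b/upload/catalog/controller/cms/comment.php
@@ -36,12 +36,13 @@ public function index(): string {
 $page = 1;
 }
 
-$data['text_login'] = sprintf($this->language->get('text_login'), $this->url->link('account/login', 'language=' . $this->config->get('config_language')), $this->url->link('account/register', 'language=' . $this->config->get('config_language')));
+$data['logged'] = $this->customer->isLogged();
+$data['login'] = $this->url->link('account/login', 'language=' . $this->config->get('config_language'));
 
-$data['comment_guest'] = ($this->customer->isLogged() || $this->config->get('config_comment_guest') ? true : false);
+$this->session->data['comment_token'] = oc_token(32);
 
 // Create a login token to prevent brute force attacks
-$data['comment_add'] = $this->url->link('cms/comment.add', 'language=' . $this->config->get('config_language') . '&article_id=' . $data['article_id'] . '&comment_token=' . $this->session->data['comment_token'] = oc_token(32), true);
+$data['comment_add'] = $this->url->link('cms/comment.add', 'language=' . $this->config->get('config_language') . '&article_id=' . $data['article_id'] . '&comment_token=' . $this->session->data['comment_token'], true);
 $data['like'] = $this->url->link('cms/comment.rating', 'language=' . $this->config->get('config_language') . '&article_id=' . $data['article_id'] . '&rate=1&comment_token=' . $this->session->data['comment_token'], true);
 $data['dislike'] = $this->url->link('cms/comment.rating', 'language=' . $this->config->get('config_language') . '&article_id=' . $data['article_id'] . '&rate=0&comment_token=' . $this->session->data['comment_token'], true);
 
@@ -135,12 +136,6 @@ public function getList(): string {
 $page = 1;
 }
 
-if ($this->customer->isLogged() || $this->config->get('config_comment_guest')) {
-$data['comment_guest'] = true;
-} else {
-$data['comment_guest'] = false;
-}
-
 $limit = 5;
 
 $data['comments'] = [];
@@ -184,6 +179,9 @@ public function getList(): string {
 
 $data['refresh'] = $this->url->link('cms/comment.list', 'language=' . $this->config->get('config_language') . '&article_id=' . $article_id . '&page=' . $page, true);
 
+$data['logged'] = $this->customer->isLogged();
+
+
 return $this->load->view('cms/comment_list', $data);
 }
 
@@ -292,10 +290,6 @@ public function add(): void {
 $parent_id = 0;
 }
 
-if (!isset($this->request->get['comment_token']) || !isset($this->session->data['comment_token']) || $this->request->get['comment_token'] != $this->session->data['comment_token']) {
-$json['error']['warning'] = $this->language->get('error_token');
-}
-
 $keys = [
 'author',
 'comment'
@@ -307,6 +301,14 @@ public function add(): void {
 }
 }
 
+if (!isset($this->request->get['comment_token']) || !isset($this->session->data['comment_token']) || $this->request->get['comment_token'] != $this->session->data['comment_token']) {
+$json['error']['warning'] = $this->language->get('error_token');
+}
+
+if (!$this->customer->isLogged()) {
+$json['error']['warning'] = $this->language->get('error_login');
+}
+
 $this->load->model('cms/article');
 
 $article_info = $this->model_cms_article->getArticle($article_id);
@@ -315,10 +317,6 @@ public function add(): void {
 $json['error']['warning'] = $this->language->get('error_article');
 }
 
-if (!$this->customer->isLogged() && !$this->config->get('config_comment_guest')) {
-$json['error']['warning'] = $this->language->get('error_login');
-}
-
 if ((oc_strlen($this->request->post['author']) < 3) || (oc_strlen($this->request->post['author']) > 25)) {
 $json['error']['author'] = $this->language->get('error_author');
 }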
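Review bot: The token check re-added in add() compares the request token to the session token with loose `!=`, which is neither type-strict nor constant-time for what is effectively a CSRF token; prefer `!hash_equals((string)$this->session->data['comment_token'], (string)$this->request->get['comment_token'])` in that condition (the casts matter, since `hash_equals()` throws a TypeError if `comment_token[]=` arrives as an array). The rating endpoint that `like`/`dislike` point at is outside these hunks, so I cannot see whether it applies the same check. Separately, in index() the context comment `// Create a login token to prevent brute force attacks` now sits one line after the token is actually created and names the wrong token; move it above `$this->session->data['comment_token'] = oc_token(32);` and reword it to something like `// Per-render comment token; comment.add rejects requests that do not echo it.` add()'s body starts before and ends after the hunks shown.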
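--- a/upload/catalog/controller/product/product.php
+++ b/upload/catalog/controller/product/product.php
@@ -246,7 +246,9 @@ public function index(): ?\Opencart\System\Engine\Action {
 
 $data['config_file_max_size'] = ((int)$this->config->get('config_file_max_size') * 1024 * 1024);
 
-$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token'] = oc_token(32));
+$this->session->data['upload_token'] = oc_token(32);
+
+$data['upload'] = $this->url->link('tool/upload', 'language=' . $this->config->get('config_language') . '&upload_token=' . $this->session->data['upload_token']);
 
 $data['product_id'] = $product_id;
 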
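Review bot: `$this->session->data['upload_token'] = oc_token(32);` overwrites a single session-wide slot on every product page view, and the eight other controllers touched in this commit (checkout register/payment/shipping address, account address/edit/affiliate/register) write the same slot, so a shopper who opens a product in a second tab while a checkout form with a file upload is open in the first will have the first tab's `upload_token` URL rejected — assuming `tool/upload` compares the query token against the session value, which is not in this diff. If one token per session is acceptable, generate it lazily instead: `if (empty($this->session->data['upload_token'])) { $this->session->data['upload_token'] = oc_token(32); }`; if per-form rotation is intended, the slot needs to be keyed per form rather than shared. Either way a short comment on the chosen rule would stop the next controller from silently changing it. index()'s body continues outside the hunk.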
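--- a/upload/catalog/language/en-gb/cms/comment.php
+++ b/upload/catalog/language/en-gb/cms/comment.php
@@ -27,10 +27,12 @@
 $_['button_reply'] = 'Post Reply';
 $_['button_replies'] = 'Show Replies';
 $_['button_more'] = 'See more replies...';
+$_['button_login'] = 'Login to Comment';
+$_['button_login_reply'] = 'Login to Reply';
 
 // Error
 $_['error_article'] = 'Warning: Article could not be found!';
-$_['error_article_comment'] = 'Warning: Article could not be found!';
+$_['error_article_comment'] = 'Warning: Article comment could not be found!';
 $_['error_token'] = 'Warning: Comment token invalid!';
 $_['error_author'] = 'Your Name must be between 3 and 25 characters!';
 $_['error_comment'] = 'Comment must be between 25 and 1000 characters!';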
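--- a/upload/catalog/model/cms/article.php
+++ b/upload/catalog/model/cms/article.php
@@ -194,7 +194,7 @@ public function getLayoutId(int $article_id): int {
 * @return int
 */
 public function addComment(int $article_id, array $data): int {
-$this->db->query("INSERT INTO `" . DB_PREFIX . "article_comment` SET `article_id` = '" . (int)$article_id . "', `parent_id` = '" . (int)$data['parent_id'] . "', `customer_id` = '" . (int)$this->customer->getId() . "', `author` = '" . $this->db->escape((string)$data['author']) . "', `comment` = '" . $this->db->escape((string)$data['comment']) . "', `ip` = '" . $this->db->escape((string)$data['ip']) . "', `status` = '" . (bool)!empty($data['status']) . "', `date_added` = NOW()");
+$this->db->query("INSERT INTO `" . DB_PREFIX . "article_comment` SET `article_id` = '" . (int)$article_id . "', `parent_id` = '" . (int)$data['parent_id'] . "', `customer_id` = '" . (int)$data['customer_id'] . "', `author` = '" . $this->db->escape((string)$data['author']) . "', `comment` = '" . $this->db->escape((string)$data['comment']) . "', `ip` = '" . $this->db->escape((string)$data['ip']) . "', `status` = '" . (bool)!empty($data['status']) . "', `date_added` = NOW()");
 
 $this->cache->delete('comment');
 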
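Review bot: Switching `customer_id` from `$this->customer->getId()` to `(int)$data['customer_id']` moves the decision of whose comment this is from the session to the caller, so the model can no longer guarantee the stored owner is the logged-in customer. The only caller changed in this commit is cms/comment.php's add(), and the line that builds the array passed here is not in its hunks; confirm it sets `customer_id` from `$this->customer->getId()` rather than forwarding `$this->request->post`, otherwise a client could file a comment under another account (and `$data['customer_id']` is read without `isset`, so an omitted key raises a warning). The `@param` docblock above the signature should state the contract, e.g. `@param array $data Must contain parent_id, customer_id (trusted, taken from the session by the caller), author, comment, ip and optionally status.`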
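--- a/upload/catalog/view/template/cms/comment.twig
+++ b/upload/catalog/view/template/cms/comment.twig
@@ -1,10 +1,10 @@
 <div class="text-center">
 <button type="button" value="{{ like }}" id="input-rating-like" data-oc-toggle="rate" class="btn btn-secondary"><i class="fa fa-thumbs-up"></i></button>
 <button type="button" value="{{ dislike }}" id="input-rating-dislike" data-oc-toggle="rate" class="btn btn-secondary"><i class="fa fa-thumbs-down"></i></button>
-{% if comment_guest %}
+{% if logged %}
 <button type="button" value="{{ comment_add }}" data-oc-toggle="comment" data-oc-target="#comment-0" data-oc-trigger="#button-refresh" class="btn btn-secondary">{{ button_comment }}</button>
 {% else %}
-<button type="button" class="btn btn-secondary" disabled>{{ button_comment }}</button>
+<a href="" class="btn btn-secondary">{{ button_login }}</a>
 {% endif %}
 </div>
 <hr/>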
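Review bot: The login link added on the `{% else %}` branch has an empty `href=""`, so clicking it just reloads the article instead of taking the visitor to the login page. The controller already exposes the login URL to this template as `login` (set in cms/comment.php's index() in this same commit), so the line should read `<a href="{{ login }}" class="btn btn-secondary">{{ button_login }}</a>`. The like/dislike buttons above are still rendered for guests; whether comment.rating enforces a login is outside this diff, so confirm that separately.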

0 comments on commit 241592d

Please sign in to comment.