Settings: Add $form->protect + redirect to the same page is token is not valid

jmontoyaa · jmontoyaa · commit e757c63ac8d1 · 2021-08-18T13:10:33.000+02:00
diff --git a/main/admin/settings.lib.php b/main/admin/settings.lib.php
@@ -159,7 +159,7 @@ function handlePluginUpload()
     $form = new FormValidator(
         'plugin_upload',
         'post',
-        'settings.php?category=Plugins#tabs-4'
+        api_get_path(WEB_CODE_PATH).'admin/settings.php?category=Plugins#tabs-4'
     );
     $form->addElement(
         'file',
@@ -397,8 +397,9 @@ function handleStylesheets()
     $form = new FormValidator(
         'stylesheet_upload',
         'post',
-        'settings.php?category=Stylesheets#tabs-3'
+        api_get_path().'admin/settings.php?category=Stylesheets#tabs-3'
     );
+    $form->protect();
     $form->addElement(
         'text',
         'name_stylesheet',
@@ -1640,8 +1641,9 @@ function generateSettingsForm($settings, $settings_by_access_list)
     $form = new FormValidator(
         'settings',
         'post',
-        'settings.php?category='.Security::remove_XSS($_GET['category'])
+        api_get_path(WEB_CODE_PATH).'admin/settings.php?category='.Security::remove_XSS($_GET['category'])
     );
+    $form->protect();
 
     $form->addElement(
         'hidden',
@@ -1965,6 +1967,11 @@ function generateSettingsForm($settings, $settings_by_access_list)
         }
 
         switch ($row['variable']) {
+            case 'upload_extensions_replace_by':
+                $default_values[$row['variable']] = api_replace_dangerous_char(
+                    str_replace('.', '', $default_values[$row['variable']])
+                );
+                break;
             case 'pdf_export_watermark_enable':
                 $url = PDF::get_watermark(null);
 
diff --git a/main/inc/lib/pear/HTML/QuickForm.php b/main/inc/lib/pear/HTML/QuickForm.php
@@ -1430,6 +1430,11 @@ public function validate()
             $check = Security::check_token('form', $this);
             Security::clear_token();
             if (false === $check) {
+                // Redirect to the same URL + show token not validated message.
+                $url = $this->getAttribute('action');
+                Display::addFlash(Display::return_message(get_lang('NotValidated'), 'warning'));
+                api_location($url);
+
                 return false;
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -1430,6 +1430,11 @@ public function validate()`
`1430`	`1430`	`$check = Security::check_token('form', $this);`
`1431`	`1431`	`Security::clear_token();`
`1432`	`1432`	`if (false === $check) {`
	`1433`	`+ // Redirect to the same URL + show token not validated message.`
	`1434`	`+ $url = $this->getAttribute('action');`
	`1435`	`+ Display::addFlash(Display::return_message(get_lang('NotValidated'), 'warning'));`
	`1436`	`+ api_location($url);`
	`1437`	`+`
`1433`	`1438`	`return false;`
`1434`	`1439`	`}`
`1435`	`1440`	`}`