author | Steve Beaver <sbeaver@netgate.com> | 2018-09-17 16:22:34 -0400 |
---|---|---|
committer | Steve Beaver <sbeaver@netgate.com> | 2018-09-18 14:27:32 -0400 |
commit | da266efdbcddadbccbefce3b62ea2783496463b2 (patch) | |
tree | 7bf1fdd428cafcc30e93d0aca93db78f729b46c3 | |
parent | b1aa39323e02d93ae8fa0b0de2f8afe3ed325534 (diff) | |
Don't allow deletion when spoofing another userkey
(cherry picked from commit 3fd4f32c344573addea1dbb44dddef63b0e793e3)
-rw-r--r-- | src/usr/local/www/services_acb.php | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/src/usr/local/www/services_acb.php b/src/usr/local/www/services_acb.php
index b8732e3..c1ed112 100644
--- a/src/usr/local/www/services_acb.php
+++ b/src/usr/local/www/services_acb.php
@@ -31,10 +31,6 @@ $legacy = false;
 if (isset($_REQUEST['legacy'])) {
 $legacy = true;
-} else {
- if (isset($_REQUEST['userkey'] )) {
- $userkey = $_REQUEST['userkey'];
- }
 }
 // Encryption password
@@ -537,7 +533,11 @@ if (!$legacy) {
 <td>
 <a class="fa fa-undo" title="<?=gettext('Restore this revision')?>" href="services_acb.php?hostname=<?=urlencode($hostname)?>&userkey=<?=urlencode($userkey)?>&newver=<?=urlencode($cv['time'])?><?=($legacy ? "&legacy=true":"")?>" onclick="return confirm('<?=gettext("Are you sure you want to restore {$cv['localtime']}?")?>')"></a>
 <a class="fa fa-download" title="<?=gettext('Show info')?>" href="services_acb.php?download=<?=urlencode($cv['time'])?>&hostname=<?=urlencode($hostname)?>&userkey=<?=urlencode($userkey)?>&reason=<?=urlencode($cv['reason'])?><?=($legacy ? "&legacy=true":"")?> "></a>
- <a class="fa fa-trash" title="<?=gettext('Delete config')?>" href="services_acb.php?hostname=<?=urlencode($hostname)?>&userkey=<?=urlencode($userkey)?>&rmver=<?=urlencode($cv['time'])?><?=($legacy ? "&legacy=true":"")?>"></a>
+<?php
+ if ($userkey == $origkey) {
+?>
+ <a class="fa fa-trash" title="<?=gettext('Delete config')?>" href="services_acb.php?hostname=<?=urlencode($hostname)?>&rmver=<?=urlencode($cv['time'])?><?=($legacy ? "&legacy=true":"")?>"></a>
+<?php } ?>
 </td>
 </tr>
 <?php $counter++; |
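Review bot: The new `if ($userkey == $origkey)` guard in the second hunk only hides the trash link, so the `rmver` handler (not visible in this diff) needs the same ownership check on the server, based on the device's own key and not on a request parameter. The comparison is also loose: PHP `==` treats numeric-looking strings such as `0e…` digests as equal numbers, so I would write `if ($userkey === $origkey) {`, or `hash_equals($origkey, $userkey)` if both are always strings. Deletion also remains a plain GET link with no confirmation, unlike the restore link above it; making it a POST would presumably bring it under the page's CSRF token handling, which is worth confirming. The enclosing `if (!$legacy)` block and the surrounding loop start and end outside the hunk, so where `$userkey` and `$origkey` are now assigned cannot be checked from here.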