security/core#74 Prevent CSRF in CKEditor Config screen by switching to using Quickfo...
authorSeamus Lee <seamuslee001@gmail.com>
Tue, 12 May 2020 05:07:32 +0000 (15:07 +1000)
committerSeamus Lee <seamuslee001@gmail.com>
Wed, 19 Aug 2020 06:16:45 +0000 (16:16 +1000)
CRM/Admin/Form/CKEditorConfig.php [moved from CRM/Admin/Page/CKEditorConfig.php with 95% similarity]
CRM/Core/Resources.php
CRM/Core/xml/Menu/Admin.xml
js/wysiwyg/admin.ckeditor-configurator.js
templates/CRM/Admin/Form/CKEditorConfig.tpl [moved from templates/CRM/Admin/Page/CKEditorConfig.tpl with 100% similarity]

similarity index 95%
rename from CRM/Admin/Page/CKEditorConfig.php
rename to CRM/Admin/Form/CKEditorConfig.php
index fb42b9e7b58aeece9ded68f33a30c13fc46dffe0..92180dbb4ccc678d6cd625bec09135593e3a4be6 100644 (file)
  */
 
 /**
- * Page for configuring CKEditor options.
- *
- * Note that while this is implemented as a CRM_Core_Page, it is actually a form.
- * Because the form needs to be submitted and refreshed via javascript, it seemed like
- * Quickform and CRM_Core_Form/Controller might get in the way.
+ * Form for configuring CKEditor options.
  */
-class CRM_Admin_Page_CKEditorConfig extends CRM_Core_Page {
+class CRM_Admin_Form_CKEditorConfig extends CRM_Core_Form {
 
   const CONFIG_FILEPATH = '[civicrm.files]/persist/crm-ckeditor-';
 
@@ -52,9 +48,8 @@ class CRM_Admin_Page_CKEditorConfig extends CRM_Core_Page {
    *
    * @return string
    */
-  public function run() {
+  public function preProcess() {
     $this->preset = CRM_Utils_Array::value('preset', $_REQUEST, 'default');
-
     // If the form was submitted, take appropriate action.
     if (!empty($_POST['revert'])) {
       self::deleteConfigFile($this->preset);
@@ -97,7 +92,7 @@ class CRM_Admin_Page_CKEditorConfig extends CRM_Core_Page {
       ],
     ]);
 
-    return parent::run();
+    return parent::preProcess();
   }
 
   /**
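Review bot: The submit handling that begins at `if (!empty($_POST['revert'])) { self::deleteConfigFile($this->preset);` still lives in `preProcess()`, so the destructive action runs on raw `$_POST` before QuickForm's submit/validate/postProcess cycle; the CSRF protection this commit is after therefore depends entirely on the controller rejecting a missing or invalid qfKey before `preProcess()` is reached (not visible in this hunk). If that is the intended guarantee, state it in a comment above the branch, e.g. `// Safe to act on $_POST here only because the controller has already validated qfKey for POST requests.`; otherwise move the revert/save branch into `postProcess()` where the form has been validated. The docblock still carries `@return string` although `CRM_Core_Form::preProcess()` is not expected to return a value, so `return parent::preProcess();` should become `parent::preProcess();` with the tag dropped. `preset` is also taken unvalidated from `$_REQUEST`; if `deleteConfigFile()` (body outside the hunk) derives a filesystem path from it via `CONFIG_FILEPATH`, it should be checked against the known preset names first. The method's body continues outside the hunk.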
index 40dd3b09782ff88268e34fcffeddc28af162ed90..0fdc57cf21ded218925ae180b11156b934f0e5e8 100644 (file)
@@ -760,11 +760,11 @@ class CRM_Core_Resources {
     // add wysiwyg editor
     $editor = Civi::settings()->get('editor_id');
     if ($editor == "CKEditor") {
-      CRM_Admin_Page_CKEditorConfig::setConfigDefault();
+      CRM_Admin_Form_CKEditorConfig::setConfigDefault();
       $items[] = [
         'config' => [
           'wysisygScriptLocation' => Civi::paths()->getUrl("[civicrm.root]/js/wysiwyg/crm.ckeditor.js"),
-          'CKEditorCustomConfig' => CRM_Admin_Page_CKEditorConfig::getConfigUrl(),
+          'CKEditorCustomConfig' => CRM_Admin_Form_CKEditorConfig::getConfigUrl(),
         ],
       ];
     }
index acf56251f115fccd4a34b6bf21dc4f5129d96b32..20b52451cc27c20c438e6643e304fe25000f42c8 100644 (file)
   <item>
     <path>civicrm/admin/ckeditor</path>
     <title>Configure CKEditor</title>
-    <page_callback>CRM_Admin_Page_CKEditorConfig</page_callback>
+    <page_callback>CRM_Admin_Form_CKEditorConfig</page_callback>
     <access_arguments>administer CiviCRM</access_arguments>
   </item>
 </menu>
index 6c44806754b7628f144356f1aeac4fb869401c76..00d1372e6a112ac4334451c076bc8f5dfdeb5e35 100644 (file)
     var selectorOpen = false,
       changedWhileOpen = false;
 
-    $('#toolbarModifierForm')
+    $('#CKEditorConfig')
       .on('submit', function(e) {
         $('.toolbar button:last', '#toolbarModifierWrapper')[0].click();
         $('.configContainer textarea', '#toolbarModifierWrapper').attr('name', 'config');
       .on('change', '.config-param', function(e) {
         changedWhileOpen = true;
         if (!selectorOpen) {
-          $('#toolbarModifierForm').submit().block();
+          $('#CKEditorConfig').submit().block();
         }
       })
       .on('change', 'input.crm-config-option-name', changeOptionName)