diff --git a/apps/contacts/ajax/activation.php b/apps/contacts/ajax/activation.php
index 388a3b5438c6d35fc8e8148bddd37764f62a01df..74cb738ab8fccb39fce648f033d6692151442475 100644
--- a/apps/contacts/ajax/activation.php
+++ b/apps/contacts/ajax/activation.php
@@ -10,6 +10,7 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 $bookid = $_POST['bookid'];
 $book = OC_Contacts_App::getAddressbook($bookid);// is owner access check
diff --git a/apps/contacts/ajax/addcontact.php b/apps/contacts/ajax/addcontact.php
index af9b2bbcc0e4ccc810432a679938e51db30ccaf2..e45072c954202da6f78a2d97bd48f3e28abfc948 100644
--- a/apps/contacts/ajax/addcontact.php
+++ b/apps/contacts/ajax/addcontact.php
@@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 $aid = isset($_POST['aid'])?$_POST['aid']:null;
 if(!$aid) {
diff --git a/apps/contacts/ajax/addproperty.php b/apps/contacts/ajax/addproperty.php
index 94e09bac19098b9d35094d202eb5ef32311c6a5f..c1fca9abea89dc4fa2acd8225c358eae091cd138 100644
--- a/apps/contacts/ajax/addproperty.php
+++ b/apps/contacts/ajax/addproperty.php
@@ -23,6 +23,16 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+foreach($_SERVER as $key=>$value) {
+ OCP\Util::writeLog('contacts','ajax/saveproperty.php: _SERVER: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+foreach($_POST as $key=>$value) {
+ OCP\Util::writeLog('contacts','ajax/saveproperty.php: _POST: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+foreach($_GET as $key=>$value) {
+ OCP\Util::writeLog('contacts','ajax/saveproperty.php: _GET: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+OCP\JSON::callCheck();
 function bailOut($msg) {
 OCP\JSON::error(array('data' => array('message' => $msg)));
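Review bot: The three `foreach` loops added to addproperty.php ahead of `callCheck()` write every entry of `$_SERVER`, `$_POST` and `$_GET` to the log at DEBUG level, which typically includes the session cookie (`HTTP_COOKIE`), the `requesttoken` this very commit introduces, and the contact data being posted, so the log file ends up holding everything needed to replay the request or hijack the session. The loops look like pasted debugging rather than an intended feature: the message prefix still reads `ajax/saveproperty.php:` although the file is addproperty.php. Remove the nine lines before merging; if request tracing is really wanted, log only specific non-sensitive keys, never whole superglobals. `bailOut` continues outside the hunk.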
diff --git a/apps/contacts/ajax/createaddressbook.php b/apps/contacts/ajax/createaddressbook.php
index af7c19eef519f2aed3300022fdf351c43c204fe6..616766bb1a0c18c02d09da08606e9da954414168 100644
--- a/apps/contacts/ajax/createaddressbook.php
+++ b/apps/contacts/ajax/createaddressbook.php
@@ -11,6 +11,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 $userid = OCP\USER::getUser();
 $name = trim(strip_tags($_POST['name']));
diff --git a/apps/contacts/ajax/cropphoto.php b/apps/contacts/ajax/cropphoto.php
index caba7c8c4efee77dda5c3eb3ace10003286e92f7..eb9f1fcdb5d73b7b7799a74b9c4d61e5835f9747 100644
--- a/apps/contacts/ajax/cropphoto.php
+++ b/apps/contacts/ajax/cropphoto.php
@@ -25,10 +25,12 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
 $tmpkey = $_GET['tmpkey'];
+$requesttoken = $_GET['requesttoken'];
 $id = $_GET['id'];
 $tmpl = new OCP\Template("contacts", "part.cropphoto");
 $tmpl->assign('tmpkey', $tmpkey);
 $tmpl->assign('id', $id);
+$tmpl->assign('requesttoken', $requesttoken);
 $page = $tmpl->fetchPage();
 OCP\JSON::success(array('data' => array( 'page' => $page )));
diff --git a/apps/contacts/ajax/deletebook.php b/apps/contacts/ajax/deletebook.php
index fe582daa00f2fb9ebe7861f8cc5dc640a0cf5ce5..1b86ecf223e076f840890f4bb57f5ca9a3fe3e70 100644
--- a/apps/contacts/ajax/deletebook.php
+++ b/apps/contacts/ajax/deletebook.php
@@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 //$id = $_GET['id'];
 $id = $_POST['id'];
diff --git a/apps/contacts/ajax/deletecard.php b/apps/contacts/ajax/deletecard.php
index e6d0405a240dcedee36dbbd304a66a1082c3c9e2..2a6bd277d192202e9adb75f606a1803476c82674 100644
--- a/apps/contacts/ajax/deletecard.php
+++ b/apps/contacts/ajax/deletecard.php
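Review bot: cropphoto.php now reads `$_GET['requesttoken']` and assigns it to the template as `requesttoken`, but part.cropphoto.php in this same commit reads `$_GET['csrf_token']` directly and never touches `$_['requesttoken']`, so the assignment added here is dead and the two files disagree on the parameter name. Round-tripping a client-supplied token through the server also adds nothing for CSRF protection and only creates a value that is later echoed into HTML; the template should be handed the server-side token that `callCheck()` verifies against (the helper that produces it is not visible in this diff), and `$_GET['requesttoken']`, like `$_GET['tmpkey']` and `$_GET['id']` around it, is read without `isset()`. Suggest replacing `$requesttoken = $_GET['requesttoken'];` with the server-side lookup and fixing the template to use `$_['requesttoken']`.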
@@ -28,6 +28,17 @@ function bailOut($msg) {
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
+
+// foreach($_SERVER as $key=>$value) {
+// OCP\Util::writeLog('contacts','ajax/saveproperty.php: _SERVER: '.$key.'=>'.$value, OCP\Util::DEBUG);
+// }
+foreach($_POST as $key=>$value) {
+ OCP\Util::writeLog('contacts','ajax/saveproperty.php: _POST: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+foreach($_GET as $key=>$value) {
+ OCP\Util::writeLog('contacts','ajax/saveproperty.php: _GET: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
 $id = isset($_POST['id'])?$_POST['id']:null;
 if(!$id) {
diff --git a/apps/contacts/ajax/deleteproperty.php b/apps/contacts/ajax/deleteproperty.php
index e6c2bd9f803f6508438d8e3e54cc32f88f850503..55f7e323083dd19e9e9bb9c2809480482612fd1d 100644
--- a/apps/contacts/ajax/deleteproperty.php
+++ b/apps/contacts/ajax/deleteproperty.php
@@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 $id = $_POST['id'];
 $checksum = $_POST['checksum'];
diff --git a/apps/contacts/ajax/savecrop.php b/apps/contacts/ajax/savecrop.php
index b3aab6a88101a3f705047e12e0c72786201fb543..6faf6a173d5df798f01b96f470536bf8ca648f52 100644
--- a/apps/contacts/ajax/savecrop.php
+++ b/apps/contacts/ajax/savecrop.php
@@ -22,6 +22,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 // Firefox and Konqueror tries to download application/json for me. --Arthur
 OCP\JSON::setContentTypeHeader('text/plain');
diff --git a/apps/contacts/ajax/saveproperty.php b/apps/contacts/ajax/saveproperty.php
index d8400734710eac4eb3f88435e8a29b7be0acbc2d..c779c4961160dfb914787cf1ff094f06fedff171 100644
--- a/apps/contacts/ajax/saveproperty.php
+++ b/apps/contacts/ajax/saveproperty.php
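Review bot: The `$_POST` and `$_GET` dump loops added after `callCheck()` in deletecard.php log the `requesttoken` and the posted ids at DEBUG level on every request, and the commented-out `$_SERVER` loop above them is dead code; both read as debugging left over from saveproperty.php (the log prefix still says `ajax/saveproperty.php:`) and should be removed rather than merged. If a trace is needed here, log the one key this handler cares about, e.g. `OCP\Util::writeLog('contacts', 'ajax/deletecard.php: id: '.$id, OCP\Util::DEBUG);` after `$id` is read. The handler body (`if(!$id) {`) continues outside the hunk.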
@@ -20,10 +20,6 @@
 *
 */
-// Check if we are a user
-OCP\JSON::checkLoggedIn();
-OCP\JSON::checkAppEnabled('contacts');
-
 function bailOut($msg) {
 OCP\JSON::error(array('data' => array('message' => $msg)));
 OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG);
@@ -33,6 +29,21 @@ function debug($msg) {
 OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG);
 }
+// Check if we are a user
+OCP\JSON::checkLoggedIn();
+OCP\JSON::checkAppEnabled('contacts');
+
+foreach($_SERVER as $key=>$value) {
+ debug('_SERVER: '.$key.'=>'.print_r($value, true));
+}
+foreach($_POST as $key=>$value) {
+ debug('_POST: '.$key.'=>'.print_r($value, true));
+}
+foreach($_GET as $key=>$value) {
+ debug('_GET: '.$key.'=>'.print_r($value, true));
+}
+OCP\JSON::callCheck();
+
 $id = isset($_POST['id'])?$_POST['id']:null;
 $name = isset($_POST['name'])?$_POST['name']:null;
 $value = isset($_POST['value'])?$_POST['value']:null;
diff --git a/apps/contacts/ajax/uploadphoto.php b/apps/contacts/ajax/uploadphoto.php
index 32abc6c28599003f6efde575c11480cf06e3f3ce..889de6a1f8b3e26af6913250f2ad23b50e332f5d 100644
--- a/apps/contacts/ajax/uploadphoto.php
+++ b/apps/contacts/ajax/uploadphoto.php
@@ -23,6 +23,8 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
+
 // Firefox and Konqueror tries to download application/json for me. --Arthur
 OCP\JSON::setContentTypeHeader('text/plain');
 function bailOut($msg) {
diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js
index 6b83504c9c4bd2e2d53037327fcb3be1194d21e8..45509a7f9db475698b771e53c3bb7642fe7fe744 100644
--- a/apps/contacts/js/contacts.js
+++ b/apps/contacts/js/contacts.js
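Review bot: The `$_SERVER` loop added in saveproperty.php's second hunk logs the whole server array, which in a typical PHP deployment carries `HTTP_COOKIE` (the session cookie), `HTTP_AUTHORIZATION`/`PHP_AUTH_PW` when HTTP auth is in use, and any proxy headers, and the `$_POST` loop adds the `requesttoken` and the contact value being saved; at DEBUG level this goes into the application log for every logged-in user's save. Remove the three `foreach` loops (and the now-unneeded blank line) before merging, or restrict them to an explicit list of harmless keys. Moving `checkLoggedIn()`/`checkAppEnabled()` below the `bailOut`/`debug` definitions is behaviour-neutral on its own since PHP hoists named functions, so that part of the move is fine; with the loops gone, `callCheck()` would sit directly after `checkAppEnabled()` like the other handlers in this commit.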
@@ -622,7 +622,7 @@ Contacts={
 q = q + '&id=' + this.id + '&name=' + name;
 if(checksum != undefined && checksum != '') { // save
 q = q + '&checksum=' + checksum;
- //console.log('Saving: ' + q);
+ console.log('Saving: ' + q);
 $(obj).attr('disabled', 'disabled');
 $.post(OC.filePath('contacts', 'ajax', 'saveproperty.php'),q,function(jsondata){
 if(jsondata.status == 'success'){
@@ -640,7 +640,7 @@ Contacts={
 }
 },'json');
 } else { // add
- //console.log('Adding: ' + q);
+ console.log('Adding: ' + q);
 $(obj).attr('disabled', 'disabled');
 $.post(OC.filePath('contacts', 'ajax', 'addproperty.php'),q,function(jsondata){
 if(jsondata.status == 'success'){
diff --git a/apps/contacts/templates/part.contact.php b/apps/contacts/templates/part.contact.php
index c1ba1ccdc210e8fbd185c2145710b8fceca876b0..ca682baaf8027eae01d8840da4683cad8bed0a10 100644
--- a/apps/contacts/templates/part.contact.php
+++ b/apps/contacts/templates/part.contact.php
@@ -3,6 +3,7 @@ $id = isset($_['id']) ? $_['id'] : '';
 ?>
 <div id="card">
 <form class="float" id="file_upload_form" action="<?php echo OCP\Util::linkTo('contacts', 'ajax/uploadphoto.php'); ?>" method="post" enctype="multipart/form-data" target="file_upload_target">
+ <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
 <input type="hidden" name="id" value="<?php echo $_['id'] ?>">
 <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $_['uploadMaxFilesize'] ?>" id="max_upload">
 <input type="hidden" class="max_human_file_size" value="(max <?php echo $_['uploadMaxHumanFilesize']; ?>)">
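Review bot: Both contacts.js hunks re-enable a previously commented-out `console.log`, so the full request body `q` — which the visible lines show carrying `id`, `name` and `checksum`, and which presumably now also carries the `requesttoken` the forms in this commit add — is printed to the browser console on every save and add. That is debugging output that should not ship and makes the CSRF token trivially visible to anyone with access to the console or a console-capturing extension; revert to `//console.log('Saving: ' + q);` and `//console.log('Adding: ' + q);`, or delete the two lines. The enclosing `Contacts` methods start and end outside the hunks.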
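Review bot: The new hidden input in part.contact.php echoes `$_['requesttoken']` into an HTML attribute with a bare `echo`, consistent with the neighbouring `$_['id']` line but still unencoded; tokens are normally plain alphanumerics, yet escaping at the output boundary costs nothing and protects the attribute if the token format ever changes: `value="<?php echo htmlspecialchars($_['requesttoken'], ENT_QUOTES, 'UTF-8'); ?>"`. Note also that the template now depends on whichever code renders `part.contact` assigning `requesttoken`, and that assignment is not part of this diff; if it is missing, the upload form posts an empty token and `callCheck()` in uploadphoto.php will reject every upload.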
@@ -23,6 +24,7 @@ $id = isset($_['id']) ? $_['id'] : '';
 <div id="contact_identity" class="contactsection">
 <form method="post">
 <input type="hidden" name="id" value="<?php echo $_['id'] ?>">
+ <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
 <fieldset id="ident" class="contactpart">
 <span class="propertycontainer" data-element="N"><input type="hidden" id="n" class="contacts_property" name="value" value="" /></span>
 <span id="name" class="propertycontainer" data-element="FN">
diff --git a/apps/contacts/templates/part.cropphoto.php b/apps/contacts/templates/part.cropphoto.php
index d7f0efc57d7c1d962592b5443f39c3884016275b..1e025ef4e0cf35b9322b88b847d5a6f1c8b2bca3 100644
--- a/apps/contacts/templates/part.cropphoto.php
+++ b/apps/contacts/templates/part.cropphoto.php
@@ -1,6 +1,7 @@
 <?php
 $id = $_['id'];
 $tmpkey = $_['tmpkey'];
+$csrf_token = $_GET['csrf_token'];
 OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmpkey: '.$tmpkey, OCP\Util::DEBUG);
 ?>
 <script language="Javascript">
@@ -48,6 +49,7 @@ OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmpkey: '.$tmpkey,
 action="<?php echo OCP\Util::linkToAbsolute('contacts', 'ajax/savecrop.php'); ?>">
 <input type="hidden" id="id" name="id" value="<?php echo $id; ?>" />
+ <input type="hidden" name="requesttoken" value="<?php echo $csrf_token; ?>">
 <input type="hidden" id="tmpkey" name="tmpkey" value="<?php echo $tmpkey; ?>" />
 <fieldset id="coords">
 <input type="hidden" id="x1" name="x1" value="" />
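Review bot: `$csrf_token = $_GET['csrf_token'];` in part.cropphoto.php pulls the token straight from the query string inside the template, under a different parameter name from the `requesttoken` that cropphoto.php assigns to `$_` in this same commit, so the controller's value is ignored and the two files cannot work together as written. The later hunk then echoes this request-controlled value into the form with `<?php echo $csrf_token; ?>` and no escaping, which reflects raw query-string input into a page served to a logged-in user (whether the JSON-wrapped fragment is inserted as HTML by the caller is not visible here, but a template should not reflect unescaped request input regardless). Take the token from the template variable and encode it at output: `$csrf_token = $_['requesttoken'];` here, and `value="<?php echo htmlspecialchars($csrf_token, ENT_QUOTES, 'UTF-8'); ?>"` where it is printed; reading `$_GET` without `isset()` also emits a notice when the parameter is absent.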