From 0f20f9ca5d6b8e676a85acfbb074e9b28114875b Mon Sep 17 00:00:00 2001
From: Pierre Goiffon
Date: Mon, 26 Nov 2018 15:17:53 +0100
Subject: [PATCH] =?UTF-8?q?:lock:=20N=C2=B01795=20prevent=20CSRF=20on=20da?= =?UTF-8?q?shboard=20import?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 application/utils.inc.php | 4 +++-
 js/dashboard.js | 3 ++-
 pages/ajax.render.php | 5 +++++
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/application/utils.inc.php b/application/utils.inc.php
index 050e279cd..0f43d5b76 100644
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -1090,10 +1090,12 @@ class utils
 $sDlgTitle = addslashes(Dict::S('UI:ImportDashboardTitle'));
 $sDlgText = addslashes(Dict::S('UI:ImportDashboardText'));
 $sCloseBtn = addslashes(Dict::S('UI:Button:Cancel'));
+ $sUploadDashboardTransactId = utils::GetNewTransactionId();
 $aResult = array(
 new SeparatorPopupMenuItem(),
 new URLPopupMenuItem('UI:ExportDashboard', Dict::S('UI:ExportDashBoard'), utils::GetAbsoluteUrlAppRoot().'pages/ajax.render.php?operation=export_dashboard&id='.$sMenuId),
- new JSPopupMenuItem('UI:ImportDashboard', Dict::S('UI:ImportDashBoard'), "UploadDashboard({dashboard_id: '$sMenuId', title: '$sDlgTitle', text: '$sDlgText', close_btn: '$sCloseBtn' })"),
+ new JSPopupMenuItem('UI:ImportDashboard', Dict::S('UI:ImportDashBoard'),
+ "UploadDashboard({dashboard_id: '$sMenuId', title: '$sDlgTitle', text: '$sDlgText', close_btn: '$sCloseBtn', transaction: '$sUploadDashboardTransactId' })"),
 );
 break;
diff --git a/js/dashboard.js b/js/dashboard.js
index 4f6db0371..f2e7d0cfa 100644
--- a/js/dashboard.js
+++ b/js/dashboard.js
@@ -366,6 +366,7 @@ $(function()
 {
 dashboard_id: '',
 file_id: '',
+ transaction: '',
 text: 'Select a dashboard file to import',
 title: 'Dahsboard Import',
 close_btn: 'Close',
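Review bot: The new `$sUploadDashboardTransactId` is interpolated into the JavaScript literal handed to `UploadDashboard({...})` without the `addslashes()` treatment that `$sDlgTitle`, `$sDlgText` and `$sCloseBtn` receive on the lines just above it. The value comes from `utils::GetNewTransactionId()`, so it is presumably a server-generated token that never contains a quote, but wrapping it the same way — `$sUploadDashboardTransactId = addslashes(utils::GetNewTransactionId());` — keeps this menu code uniform and robust should the token format ever change. A short comment on the added line, `// CSRF token, checked by ajax.render.php (operation=import_dashboard)`, would tell the next reader why a transaction id is issued while building a menu. The enclosing method of class utils starts and ends outside the hunk.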
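Review bot: The new `transaction: ''` default in the widget options carries no hint that it is mandatory; a caller that omits it will send an empty `transaction_id` and have its upload rejected server-side with no client-side clue. A trailing comment such as `transaction: '', // CSRF transaction id issued with the menu item; required by the import operation` would document that contract next to the other options. The widget definition starts and ends outside the hunk.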
@@ -383,7 +384,7 @@ $(function()
 //me.onClose();
 };
 $('#'+this.options.file_id).fileupload({
- url: me.options.submit_to+'&id='+me.options.dashboard_id,
+ url: me.options.submit_to+'&id='+me.options.dashboard_id+'&transaction_id='+me.options.transaction,
 dataType: 'json',
 pasteZone: null, // Don't accept files via Chrome's copy/paste
 done: function (e, data) {
diff --git a/pages/ajax.render.php b/pages/ajax.render.php
index 5656fa895..ef4c5cf8a 100644
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
@@ -1190,6 +1190,11 @@ EOF
 break;
 case 'import_dashboard':
+ $sTransactionId = utils::ReadParam('transaction_id', '', false, 'raw_data');
+ if (!utils::IsTransactionValid($sTransactionId, true))
+ {
+ throw new SecurityException('ajax.render.php import_dashboard : invalid transaction_id');
+ }
 $sMenuId = utils::ReadParam('id', '', false, 'raw_data');
 ApplicationMenu::LoadAdditionalMenus();
 $index = ApplicationMenu::GetMenuIndexById($sMenuId);
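Review bot: On the new `url:` line `me.options.transaction` is concatenated into the query string as-is; the format of the token produced by `utils::GetNewTransactionId()` is not visible here, and if it can ever contain characters outside the unreserved URL set the server would read a mangled value and reject a legitimate upload. `'&transaction_id='+encodeURIComponent(me.options.transaction)` makes the value safe whatever its format, and the same treatment would suit the pre-existing `me.options.dashboard_id` on that line. The fileupload setup this line belongs to starts and ends outside the hunk.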
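Review bot: The new guard at the top of `case 'import_dashboard':` carries no comment saying that it is the CSRF check for the dashboard upload, nor what the `true` second argument of `utils::IsTransactionValid()` does, so a reader of this handler has to look the helper up. A comment before the `$sTransactionId = ...` line such as `// CSRF protection: the transaction id is issued with the 'Import dashboard' popup menu item (application/utils.inc.php) and must accompany the upload` would carry that context, and stating the second argument's effect (it looks like a consume-the-token flag — confirm against the helper) would make clear whether a failed import forces the user to reopen the menu for a fresh id. The check is placed correctly: it runs before `id` is read and before the uploaded file is touched. The surrounding switch continues beyond the hunk.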