fix csrf / spam bug

FriendsOfREDAXO · May 22, 2023 · 09acc09 · 09acc09
1 parent b6f4c47
commit 09acc09
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 10 deletions.
diff --git a/install.php b/install.php
@@ -93,10 +93,10 @@
         6);
     $d2u_multinewsletter_modules[] = new D2UModule('80-4',
         'MultiNewsletter YForm Anmeldung',
-        6);
+        7);
     $d2u_multinewsletter_modules[] = new D2UModule('80-5',
         'MultiNewsletter YForm Abmeldung',
-        3);
+        4);
 
     $d2u_module_manager = new D2UModuleManager($d2u_multinewsletter_modules, '', 'multinewsletter');
     $d2u_module_manager->autoupdate();

diff --git a/lib/module_manager.php b/lib/module_manager.php
@@ -24,10 +24,10 @@ public static function getD2UMultiNewsletterModules()
             6);
         $d2u_multinewsletter_modules[] = new D2UModule('80-4',
             'MultiNewsletter YForm Anmeldung',
-            6);
+            7);
         $d2u_multinewsletter_modules[] = new D2UModule('80-5',
             'MultiNewsletter YForm Abmeldung',
-            3);
+            4);
         return $d2u_multinewsletter_modules;
     }
 }
diff --git a/modules/80/4/output.php b/modules/80/4/output.php
@@ -117,11 +117,10 @@ function sendActivationMail($yform)
 
     $yform = new rex_yform();
     $yform->setFormData(trim($form_data));
-    $yform->setObjectparams('csrf_protection', false);
     $yform->setObjectparams('Error-occured', $addon->getConfig('lang_'. rex_clang::getCurrentId() .'_no_userdata', ''));
     $yform->setObjectparams('form_action', rex_getUrl(rex_article::getCurrentId(), rex_clang::getCurrentId()));
     $yform->setObjectparams('real_field_names', true);
-    $yform->setObjectparams('form_name', 'multinewsletter_module_80_4_'. random_int(1, 100));
+    $yform->setObjectparams('form_name', 'multinewsletter_module_80_4_'. $this->getCurrentSlice()->getId()); /** @phpstan-ignore-line */
 
     // action - showtext
     $yform->setActionField('showtext', [$addon->getConfig('lang_'. rex_clang::getCurrentId() .'_confirmation_sent', '')]);

diff --git a/modules/80/5/output.php b/modules/80/5/output.php
@@ -80,10 +80,9 @@ function unsubscribe($email)
 
         $yform = new rex_yform();
         $yform->setFormData(trim($form_data));
-        $yform->setObjectparams('csrf_protection', false);
         $yform->setObjectparams('Error-occured', $addon->getConfig('lang_'. rex_clang::getCurrentId() .'_no_userdata', ''));
         $yform->setObjectparams('form_action', rex_getUrl(rex_article::getCurrentId(), rex_clang::getCurrentId()));
-        $yform->setObjectparams('form_name', 'multinewsletter_module_80_5_'. random_int(1, 100));
+        $yform->setObjectparams('form_name', 'multinewsletter_module_80_5_'. $this->getCurrentSlice()->getId()); /** @phpstan-ignore-line */
         $yform->setObjectparams('real_field_names', true);
 
         echo $yform->getForm();

diff --git a/pages/help.changelog.php b/pages/help.changelog.php
@@ -1,9 +1,10 @@
 <fieldset>
 	<legend>MultiNewsletter Changelog</legend>
 
-	<p>3.5.4-DEV</p>
+	<p>3.5.4</p>
 	<ul>
-		<li>...</li>
+		<li>Modul 80-4 "MultiNewsletter YForm Anmeldung": Fehler im Spamschutz / CSRF Schutz behoben.</li>
+		<li>Modul 80-5 "MultiNewsletter YForm Abmeldung":  Fehler im Spamschutz / CSRF Schutz behoben.</li>
 	</ul>
 	<p>3.5.3</p>
 	<ul>