merge from 1.5.3.2 (r12460 ~ r12482)

git-svn-id: http://xe-core.googlecode.com/svn/branches/luminous@12491 201d5d3c-b55e-5fd7-737f-ddc643e51545

config/func.inc.php

@@ -1131,6 +1131,24 @@
 		}
 	}
 
+	function checkCSRF()
+	{
+		if($_SERVER['REQUEST_METHOD'] != 'POST')
+		{
+			return false;
+		}
+
+		$defaultUrl = Context::getDefaultUrl();
+		$referer = parse_url($_SERVER["HTTP_REFERER"]);
+
+		if(!strstr($defaultUrl, $referer['host']))
+		{
+			return false;
+		}
+
+		return true;
+	}
+
 	/**
 	 * Print raw html header
 	 *

modules/document/document.controller.php

@@ -175,6 +175,11 @@ class documentController extends document {
 	 * @return object
 	 */
 	function insertDocument($obj, $manual_inserted = false, $isRestore = false, $isLatest = true) {
+		if(!checkCSRF())
+		{
+			return new Object(-1, 'msg_invalid_request');
+		}
+
 		// begin transaction
 		$oDB = &DB::getInstance();
 		$oDB->begin();
@@ -309,6 +314,11 @@ class documentController extends document {
 	 * @return object
 	 */
 	function updateDocument($source_obj, $obj) {
+		if(!checkCSRF())
+		{
+			return new Object(-1, 'msg_invalid_request');
+		}
+
 		if(!$source_obj->document_srl || !$obj->document_srl) return new Object(-1,'msg_invalied_request');
 		if(!$obj->status && $obj->is_secret == 'Y') $obj->status = 'SECRET';
 		if(!$obj->status) $obj->status = 'PUBLIC';
@@ -1865,6 +1875,11 @@ class documentController extends document {
 		set_time_limit(0);
 		if(!Context::get('is_logged')) return new Object(-1,'msg_not_permitted');
 
+		if(!checkCSRF())
+		{
+			return new Object(-1, 'msg_invalid_request');
+		}
+
 		$type = Context::get('type');
 		$target_module = Context::get('target_module');
 		$module_srl = Context::get('module_srl');