// <080213 fix $_POST to postVar by shizuki>\r
//if ($_POST[targetthumb]) {//}\r
if (postVar('targetthumb')) {\r
+ // Needs a valid ticket\r
+ if (!$manager->checkTicket()) {\r
+ media_doError(_ERROR_BADTICKET);\r
+ }\r
// Check if the collection is valid.\r
if (!MEDIA::isValidCollection(postVar('currentCollection'))) media_doError(_ERROR_DISALLOWED);\r
// $mediapath = $DIR_MEDIA . $_POST[currentCollection] . "/";\r
$ok = 1;\r
}\r
}\r
-//TODO:allow only the allowed media files\r
if (eregi("\.php$", $newfilename)) {\r
$ok = 0;\r
}\r
// print"idxNext=$idxNext<BR />";\r
// print"idxEnd=$idxEnd<BR />";\r
// print"<BR />";\r
+\r
+ // Get ticket\r
+ $ticket=$manager->addTicketToUrl('');\r
+ $hscTicket=htmlspecialchars(preg_replace('/^.*=/','',$ticket));\r
for ($i=$idxNext;$i<$idxEnd;$i++) {\r
$filename = $DIR_MEDIA . $currentCollection . '/' . $contents[$i]->filename;\r
// if(!$msg1)$targetfile = $contents[$i]->filename;\r
echo <<<_FORMBLOCK_\r
<form method="post" action="media.php" style="margin:5px 0 2px; padding:0;">\r
<div>\r
+ <input type="hidden" name="ticket" value="{$hscTicket}" />\r
<input type="hidden" name="currentCollection" value="{$hscCCol}" />\r
<input type="hidden" name="offset" value="{$offset}" />\r
<input type="hidden" name="targetfile" value="{$hscTGTF}" />\r