diff --git a/scormcloud/admin/file_upload_parser.php b/scormcloud/admin/file_upload_parser.php
index 956a017..4524c02 100644
--- a/scormcloud/admin/file_upload_parser.php
+++ b/scormcloud/admin/file_upload_parser.php
@@ -21,6 +21,15 @@
 mkdir($uploadDirectoryName, 0755);
 }
+$token = $_POST["token"];
+if (!$token || $token !== $_SESSION['token']) {
+ // show an error message
+ echo '

Error: invalid form submission

';
+ // return 405 http status code
+ header($_SERVER['SERVER_PROTOCOL'] . ' 405 Method Not Allowed');
+ exit;
+}
+
 $fileName = $_FILES["file1"]["name"]; // The file name
 $fileTmpLoc = $_FILES["file1"]["tmp_name"]; // File in the PHP tmp folder
 $fileType = $_FILES["file1"]["type"]; // The type of file it is
diff --git a/scormcloud/admin/uploadpif.php b/scormcloud/admin/uploadpif.php
index 34c4fb2..24b71d4 100644
--- a/scormcloud/admin/uploadpif.php
+++ b/scormcloud/admin/uploadpif.php
@@ -8,8 +8,6 @@
 }
 require_once ABSPATH . 'wp-admin/includes/admin.php';
-// define( 'SCORMCLOUD_BASE', '../' );
-
 require_once SCORMCLOUD_BASE . 'scormcloudplugin.php';
 $scorm_service = ScormCloudPlugin::get_cloud_service();
@@ -24,6 +22,8 @@
 $basepath = $protocol . '://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strpos($_SERVER['REQUEST_URI'], 'scormcloud')) . 'scormcloud/';
 $import_callback = $basepath . '/importcallback.php';
+$_SESSION['token'] = bin2hex(random_bytes(35));
+
 ?>
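Review bot: The 405 status line in the new block is sent only after the error markup has been echoed, so unless output buffering happens to be on, PHP reports "headers already sent", the header() call is ignored and the client gets a 200 with the error body; the header() call has to precede the echo. The check itself also reads `$_POST["token"]` and `$_SESSION['token']` without `??`, which raises undefined-index warnings whenever either is absent, and compares with `!==`, whereas `hash_equals()` with the session value as the first argument is the usual constant-time form. 405 Method Not Allowed describes the HTTP method, not a rejected token; 403 Forbidden is the better fit, and the `// return 405 http status code` comment should follow. I am assuming session_start() runs earlier in this file, since it is not visible in the hunk.
```php
$token = $_POST['token'] ?? '';
$expected = $_SESSION['token'] ?? '';
if ($token === '' || $expected === '' || !hash_equals($expected, $token)) {
    // The status line must go out before any body bytes, or header() is a no-op.
    header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
    // … unchanged: error markup echo …
    exit;
}
```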
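Review bot: `$_SESSION['token'] = bin2hex(random_bytes(35));` overwrites the token on every render of uploadpif.php, so a user with the upload form open in two tabs, or who reloads the page, has the earlier form's submission rejected by file_upload_parser.php; `$_SESSION['token'] ??= bin2hex(random_bytes(35));` keeps one token per session, which is the usual per-session CSRF design. The hunk shows neither a session_start() call nor where the token is written into the form as a hidden `token` field — presumably both are elsewhere in the file, but worth confirming. A one-line comment such as `// Per-session CSRF token, verified by admin/file_upload_parser.php` above the assignment would tell the next reader why it exists.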