From b4695dfcdab328eab222d453cf988551adf1137f Mon Sep 17 00:00:00 2001
From: Yvan Marques <yvmarques@gmail.com>
Date: Mon, 31 Aug 2015 23:01:24 +0200
Subject: [PATCH] Patch security

---
 epsacrop.module | 21 ++++++++++++++++-----
 js/epsacrop.js  |  3 ++-
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/epsacrop.module b/epsacrop.module
index a4c0ea4..8af6501 100644
--- a/epsacrop.module
+++ b/epsacrop.module
@@ -82,10 +82,10 @@ function epsacrop_menu() {
     'access callback' => '_epsacrop_access',
     'type' => MENU_CALLBACK,
   );
-  $items['crop/ajax/%/%'] = array(
+  $items['crop/ajax/%/%/%'] = array(
     'title' => 'Crop Dialog Ajax',
     'page callback' => 'epsacrop_ajax',
-    'page arguments' => array(2, 3),
+    'page arguments' => array(2, 3, 4),
     'access callback' => '_epsacrop_access',
     'type' => MENU_CALLBACK,
   );
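Review bot: The new path `crop/ajax/%/%/%` only takes effect once Drupal rebuilds the menu router, so as far as I can tell from this hunk an already-installed site keeps serving the old token-less `crop/ajax/%/%` route until a cache clear; the patch adds neither an `epsacrop_update_N()` in `epsacrop.install` calling `menu_rebuild()` nor a note for site owners. Once rebuilt, dropping the two-argument definition rather than keeping it means a request without a token 404s instead of being served, which is the right (fail-closed) direction. The enclosing `epsacrop_menu()` starts and ends outside this hunk.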
@@ -117,7 +117,7 @@ function epsacrop_dialog($entity_name, $field_name, $bundle, $fid) {
   if (module_exists('media')) {
     $out .= '<p>For convenience, cropping applies to <strong>all</strong> current and future content which uses this image. (If the image is from the library, changing the cropping will affect all existing content which uses the image.)</p>';
   }
-  $out .='<div class="epsacrop-global">' . "\n";
+  $out .='<div class="epsacrop-global" data-token="' . drupal_get_token('epsacrop-put-' . $fid) . '">' . "\n";
   $out .='<div class="epsacrop-image-crop">' . "\n";
   $out .='<img id="epsacrop-target" />' . "\n";
   $out .='</div>' . "\n";
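Review bot: The token seed `'epsacrop-put-' . $fid` on the new line is duplicated by hand in `epsacrop_ajax()` as `'epsacrop-' . $op . '-' . $fid`; if either string drifts the check fails closed, but the dialog then silently stops saving with no error visible to the user. Factor the seed into a single helper, e.g. `function _epsacrop_token_value($op, $fid) { return 'epsacrop-' . $op . '-' . $fid; }`, and call it from both `drupal_get_token()` here and `drupal_valid_token()` in the handler. `epsacrop_dialog()` starts and ends outside this hunk.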
@@ -168,7 +168,12 @@ function epsacrop_dialog($entity_name, $field_name, $bundle, $fid) {
  * @param string $fid
  * @return void
  */
-function epsacrop_ajax($op, $fid) {
+function epsacrop_ajax($op, $fid, $token) {
+  if (!drupal_valid_token($token, 'epsacrop-' . $op . '-' . $fid)) {
+    drupal_access_denied();
+    drupal_exit();
+  }
+
   $return = NULL;
   switch ($op) {
     case 'get':
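Review bot: The docblock directly above still documents only `$op` and `$fid`; add `@param string $token CSRF token issued by drupal_get_token('epsacrop-' . $op . '-' . $fid), see epsacrop_dialog()` so the contract of the new third argument is recorded. The guard runs for every op, including `get`, yet the only token this patch issues is seeded with `epsacrop-put-…` in `epsacrop_dialog()`, so whatever client code requests `crop/ajax/get/…` (not shown in this diff) will now be denied unless it obtains a token bound to `get`. A CSRF token also does not pin the HTTP method, so a state-changing `put` could still be reached via GET; consider `if ($op === 'put' && $_SERVER['REQUEST_METHOD'] !== 'POST') { drupal_access_denied(); drupal_exit(); }` next to the token check. The rest of `epsacrop_ajax()` continues past this hunk.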
@@ -179,7 +184,13 @@ function epsacrop_ajax($op, $fid) {
     break;
     case 'put':
       if (isset($_POST) && (isset($_POST['coords']) && !empty($_POST['coords']))) {
-        $coords = $_POST['coords'];
+        // If the json_decode returns null that means we got an invalid JSON or it reachs the 
+        // recursion limit
+        if (($values = drupal_json_decode($_POST['coords'])) === NULL) {
+          drupal_access_denied();
+          drupal_exit();
+        }
+        $coords = drupal_json_encode($values);
         _epsacrop_save_coords($fid, $coords);
       }
     break;
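Review bot: The decode/encode round trip only proves `coords` is well-formed JSON: a bare string, a number or an arbitrarily nested structure still reaches `_epsacrop_save_coords($fid, $coords)` unchanged, so nothing constrains the shape of what gets stored. Tighten the guard to `if (($values = drupal_json_decode($_POST['coords'])) === NULL || !is_array($values)) {` and, unless `_epsacrop_save_coords()` (defined outside this diff) validates entries itself, reject any preset whose coordinates are not numeric before saving. Malformed input is a client error rather than an authorisation failure, so `drupal_add_http_header('Status', '400 Bad Request'); drupal_exit();` describes it more accurately than `drupal_access_denied()`, and keeps 403s meaningful in logs. Also `reachs` → `reaches` in the new comment. The switch and the function continue outside this hunk.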
diff --git a/js/epsacrop.js b/js/epsacrop.js
index 9a02c2e..df8a8f1 100644
--- a/js/epsacrop.js
+++ b/js/epsacrop.js
@@ -21,7 +21,8 @@
       }
 
       buttons[saveLabel] = function() {
-        $.post(Drupal.settings.basePath + pathPrefix + 'crop/ajax/put/' + delta, {'coords': JSON.stringify(Drupal.EPSACrop.presets)});
+        var token = $('.epsacrop-global').data('token');
+        $.post(Drupal.settings.basePath + pathPrefix + 'crop/ajax/put/' + delta + '/' + token, {'coords': JSON.stringify(Drupal.EPSACrop.presets)});
         var field = field_name.replace(/_/g, '-');
         var welem = $('div[id*="' + field + '"]').eq(0);
         if (welem.find('.warning').size() == 0) {
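Review bot: The `$.post(...)` on the new line has no failure handler, so a 403 from the server-side token check (stale token after re-login, mismatched seed) is silently ignored and the code below still renders the warning as if the crop had been stored. Chain `.fail(function () { alert(Drupal.t('Saving the crop failed. Please reload the page and try again.')); })` onto the call, or whatever error convention the rest of the module uses. Since this is already a POST, the token could travel in the body (`{'coords': ..., 'token': token}`, read as `$_POST['token']` on the server) instead of the URL path, where it would otherwise land in access logs and Referer headers; that would also let the router keep the `crop/ajax/%/%` shape. The enclosing handler starts and ends outside this hunk.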
-- 
2.2.1

