Diffstat (limited to 'web/lib')
-rw-r--r--web/lib/acctfuncs.inc.php1
-rw-r--r--web/lib/aur.inc.php10
2 files changed, 11 insertions, 0 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 9bd6e51..51078b8 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -33,6 +33,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
print "<input type='hidden' name='Action' value='".$A."' />\n";
if ($UID) {
print "<input type='hidden' name='ID' value='".$UID."' />\n";
+ print "<input type='hidden' name='token' value='".htmlspecialchars($_COOKIE['AURSID'])."' />\n";
}
print "</fieldset>";
print "<table border='0' cellpadding='0' cellspacing='0' width='80%' style=\"margin:0 auto;\">\n";
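Review bot: The added hidden field writes the raw session identifier from `$_COOKIE['AURSID']` into the page, inside a single-quoted `value='...'` attribute, but `htmlspecialchars()` with default flags does not encode single quotes, so a cookie value containing `'` would terminate the attribute; use `htmlspecialchars($_COOKIE['AURSID'], ENT_QUOTES)`. Reusing the session ID itself as the form token also means any place the rendered HTML is exposed (page caching, browser extensions, a log of the form body) discloses the session cookie rather than a disposable value; a token derived from the session (e.g. a keyed hash) would give the same CSRF protection without that exposure. The line also assumes the cookie is set, which the surrounding `if ($UID)` does not guarantee from what is visible here. `display_account_form` starts before and continues after this hunk.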
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 6bc36ac..8b9f31e 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -77,6 +77,16 @@ function check_sid($dbh=NULL) {
return;
}
+# Verify the supplied token matches the expected token for POST forms
+#
+function check_token() {
+ if (isset($_POST['token'])) {
+ return ($_POST['token'] == $_COOKIE['AURSID']);
+ } else {
+ return false;
+ }
+}
+
# verify that an email address looks like it is legitimate
#
function valid_email($addy) {
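Review bot: `check_token()` compares the submitted token to the session cookie with `==`, which in PHP performs numeric comparison when both operands look numeric, so two distinct numeric-looking strings can compare equal; it also reads `$_COOKIE['AURSID']` without checking it exists. A strict, constant-time comparison that also handles the missing cookie is `return isset($_POST['token'], $_COOKIE['AURSID']) && hash_equals($_COOKIE['AURSID'], $_POST['token']);`. Since the expected value is the session ID itself, the comment above the function should say so explicitly, e.g. `# The token is currently the session ID (AURSID cookie); callers must only invoke this on POST requests`, so a later change to a derived token updates both sides together.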