authorEvan Prodromou <evan@prodromou.name>2008-08-29 01:27:32 -0400
committerEvan Prodromou <evan@prodromou.name>2008-08-29 01:27:32 -0400
commit63438008e021638004a61e76a7d6627fc2f49199 (patch)
tree0dbac66281f3c3d2f626a1ca7c67e658c4288935
parent9b741c4f9a211906f18b8aee7fe7cee58f911403 (diff)
csrf protection in userauthorization
darcs-hash:20080829052732-84dde-0ebb7e32236b480cc3aa2eb7a4bb2b41ff6177d6.gz
-rw-r--r--actions/userauthorization.php9
1 files changed, 8 insertions, 1 deletions
diff --git a/actions/userauthorization.php b/actions/userauthorization.php
index 8059c3106..3d4661b25 100644
--- a/actions/userauthorization.php
+++ b/actions/userauthorization.php
@@ -23,11 +23,18 @@ require_once(INSTALLDIR.'/lib/omb.php');
define('TIMESTAMP_THRESHOLD', 300);
class UserauthorizationAction extends Action {
-
+
function handle($args) {
parent::handle($args);
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+ # CSRF protection
+ $token = $this->trimmed('token');
+ if (!$token || $token != common_session_token()) {
+ $req = $this->get_stored_request();
+ $this->show_form(_('There was a problem with your session token. Try again, please.'), $req);
+ return;
+ }
# We've shown the form, now post user's choice
$this->send_authorization();
} else {
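Review bot: The added check `$token != common_session_token()` uses a loose comparison, so PHP can compare two numeric-looking strings by value instead of byte for byte, and the comparison is not constant-time. A strict check is safer for a session secret: `if (!$token || $token !== common_session_token()) {`, or `!hash_equals(common_session_token(), $token)` where the deployed PHP version provides it. The diffstat lists only this file, so confirm that the form rendered by `show_form()` (defined outside this hunk) already emits a `token` field; if it does not, every POST will take the error branch. `handle()` continues past the end of the hunk.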