diff options
| author | zach <zach@controlyourself.ca> | 2008-11-10 21:23:30 -0500 |
|---|---|---|
| committer | zach <zach@controlyourself.ca> | 2008-11-10 21:23:30 -0500 |
| commit | 1e8d26baecad6ca1088ea7815fe2615fb520a10e (patch) | |
| tree | 6a43fb0cb1fdd58bb59c352d79d643ae1b56a8ce /actions/login.php | |
| parent | aac0605bd1baf1462a20646c01edc19557a33b93 (diff) | |
CSRF Protection for login and new notice. Ticket #503
darcs-hash:20081111022330-462f3-810b2a86e6e209330ade628fc0e97df96151d496.gz
Diffstat (limited to 'actions/login.php')
| -rw-r--r-- | actions/login.php | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/actions/login.php b/actions/login.php index f183c1cd4..ccec9cf8a 100644 --- a/actions/login.php +++ b/actions/login.php @@ -37,8 +37,15 @@ class LoginAction extends Action { } function check_login() { - # XXX: form token in $_SESSION to prevent XSS # XXX: login throttle + + # CSRF protection - token set in common_notice_form() + $token = $this->trimmed('token'); + if (!$token || $token != common_session_token()) { + $this->client_error(_('There was a problem with your session token. Try again, please.')); + return; + } + $nickname = common_canonical_nickname($this->trimmed('nickname')); $password = $this->arg('password'); if (common_check_user($nickname, $password)) { @@ -104,6 +111,7 @@ class LoginAction extends Action { _('Automatically login in the future; ' . 'not for shared computers!')); common_submit('submit', _('Login')); + common_hidden('token', common_session_token()); common_element_end('form'); common_element_start('p'); common_element('a', array('href' => common_local_url('recoverpassword')), |