summaryrefslogtreecommitdiff
path: root/actions
diff options
context:
space:
mode:
authorZach Copley <zach@controlyourself.ca>2008-08-28 23:57:07 -0400
committerZach Copley <zach@controlyourself.ca>2008-08-28 23:57:07 -0400
commit2e239e3fbb4b8b8bc837f32ee750c9cbf266f246 (patch)
tree3cabc513f91e06b3954baf175394b7e372db9e5d /actions
parent6be7cbc5cd4f08dbd86a056f1e7f31ab565237bd (diff)
CSRF protection in imsettings.php
darcs-hash:20080829035707-7b5ce-69a9ff98390ff8b9671ede948d78fdb37371aac6.gz
Diffstat (limited to 'actions')
-rw-r--r--actions/imsettings.php8
1 files changed, 8 insertions, 0 deletions
diff --git a/actions/imsettings.php b/actions/imsettings.php
index 034f6dc2b..0aa7631dc 100644
--- a/actions/imsettings.php
+++ b/actions/imsettings.php
@@ -35,6 +35,7 @@ class ImsettingsAction extends SettingsAction {
'id' => 'imsettings',
'action' =>
common_local_url('imsettings')));
+ common_hidden('token', common_session_token());
common_element('h2', NULL, _('Address'));
@@ -98,6 +99,13 @@ class ImsettingsAction extends SettingsAction {
function handle_post() {
+ # CSRF protection
+ $token = $this->trimmed('token');
+ if (!$token || $token != common_session_token()) {
+ $this->show_form(_('There was a problem with your session token. Try again, please.'));
+ return;
+ }
+
if ($this->arg('save')) {
$this->save_preferences();
} else if ($this->arg('add')) {