diff options
| author | Zach Copley <zach@controlyourself.ca> | 2008-08-29 01:40:38 -0400 |
|---|---|---|
| committer | Zach Copley <zach@controlyourself.ca> | 2008-08-29 01:40:38 -0400 |
| commit | 9fb08ec45e79f9cc782154ac8b8995e022e777e6 (patch) | |
| tree | 2292b4c112d6a1c63d836c6db706d25e30c6863f /actions | |
| parent | a034e13bf03fe06cf5d2500bd29506c71c67b6bb (diff) | |
CSRF protection in remotesubscribe
darcs-hash:20080829054038-7b5ce-d0503a8eb7f89a9d2de4aadd4550f4342b943b09.gz
Diffstat (limited to 'actions')
| -rw-r--r-- | actions/remotesubscribe.php | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/actions/remotesubscribe.php b/actions/remotesubscribe.php index 407c5babb..c2c00ab61 100644 --- a/actions/remotesubscribe.php +++ b/actions/remotesubscribe.php @@ -33,6 +33,14 @@ class RemotesubscribeAction extends Action { } if ($_SERVER['REQUEST_METHOD'] == 'POST') { + + # CSRF protection + $token = $this->trimmed('token'); + if (!$token || $token != common_session_token()) { + $this->show_form(_('There was a problem with your session token. Try again, please.')); + return; + } + $this->remote_subscription(); } else { $this->show_form(); @@ -68,6 +76,7 @@ class RemotesubscribeAction extends Action { # button on profile page common_element_start('form', array('id' => 'remsub', 'method' => 'post', 'action' => common_local_url('remotesubscribe'))); + common_hidden('token', common_session_token()); common_input('nickname', _('User nickname'), $nickname, _('Nickname of the user you want to follow')); common_input('profile_url', _('Profile URL'), $profile, |