diff options
author | Zach Copley <zach@controlyourself.ca> | 2008-08-29 01:33:37 -0400 |
---|---|---|
committer | Zach Copley <zach@controlyourself.ca> | 2008-08-29 01:33:37 -0400 |
commit | a034e13bf03fe06cf5d2500bd29506c71c67b6bb (patch) | |
tree | b1fba5f4d4a3356f0ba099e5b2a16a9d91b632b2 | |
parent | 2dc50d7e3768548c78f095903388d53a5bee373f (diff) |
CSRF protection in emailsettings
darcs-hash:20080829053337-7b5ce-6d94638c57d185e5d44e02ad458593a3f4de36d9.gz
-rw-r--r-- | actions/emailsettings.php | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/actions/emailsettings.php b/actions/emailsettings.php index 5e2c06bbd..c93cbfae0 100644 --- a/actions/emailsettings.php +++ b/actions/emailsettings.php @@ -34,6 +34,7 @@ class EmailsettingsAction extends SettingsAction { 'id' => 'emailsettings', 'action' => common_local_url('emailsettings'))); + common_hidden('token', common_session_token()); common_element('h2', NULL, _('Address')); @@ -114,6 +115,13 @@ class EmailsettingsAction extends SettingsAction { function handle_post() { + # CSRF protection + $token = $this->trimmed('token'); + if (!$token || $token != common_session_token()) { + $this->show_form(_('There was a problem with your session token. Try again, please.')); + return; + } + if ($this->arg('save')) { $this->save_preferences(); } else if ($this->arg('add')) { |