summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorZach Copley <zach@controlyourself.ca>2008-08-29 01:40:38 -0400
committerZach Copley <zach@controlyourself.ca>2008-08-29 01:40:38 -0400
commit9fb08ec45e79f9cc782154ac8b8995e022e777e6 (patch)
tree2292b4c112d6a1c63d836c6db706d25e30c6863f
parenta034e13bf03fe06cf5d2500bd29506c71c67b6bb (diff)
CSRF protection in remotesubscribe
darcs-hash:20080829054038-7b5ce-d0503a8eb7f89a9d2de4aadd4550f4342b943b09.gz
-rw-r--r--actions/remotesubscribe.php9
1 files changed, 9 insertions, 0 deletions
diff --git a/actions/remotesubscribe.php b/actions/remotesubscribe.php
index 407c5babb..c2c00ab61 100644
--- a/actions/remotesubscribe.php
+++ b/actions/remotesubscribe.php
@@ -33,6 +33,14 @@ class RemotesubscribeAction extends Action {
}
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+
+ # CSRF protection
+ $token = $this->trimmed('token');
+ if (!$token || $token != common_session_token()) {
+ $this->show_form(_('There was a problem with your session token. Try again, please.'));
+ return;
+ }
+
$this->remote_subscription();
} else {
$this->show_form();
@@ -68,6 +76,7 @@ class RemotesubscribeAction extends Action {
# button on profile page
common_element_start('form', array('id' => 'remsub', 'method' => 'post',
'action' => common_local_url('remotesubscribe')));
+ common_hidden('token', common_session_token());
common_input('nickname', _('User nickname'), $nickname,
_('Nickname of the user you want to follow'));
common_input('profile_url', _('Profile URL'), $profile,