author | Evan Prodromou <evan@prodromou.name> | 2008-08-28 23:48:54 -0400 |
---|---|---|
committer | Evan Prodromou <evan@prodromou.name> | 2008-08-28 23:48:54 -0400 |
commit | d6dd35a66a394a830eb171ab6620da808667c772 (patch) | |
tree | 2fda03293100019c38eb2054981bdcb484e6ac93 /actions/finishopenidlogin.php | |
parent | 93e67c713364907cea9d0c4af0e023f163584b6e (diff) |
add a token for CSRF avoidance
darcs-hash:20080829034854-84dde-a636b446dc254aaa77ac65f63be01e49c192bf32.gz
Diffstat (limited to 'actions/finishopenidlogin.php')
-rw-r--r-- | actions/finishopenidlogin.php | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/actions/finishopenidlogin.php b/actions/finishopenidlogin.php
index 827a4e9c7..f09027e9e 100644
--- a/actions/finishopenidlogin.php
+++ b/actions/finishopenidlogin.php
@@ -28,6 +28,11 @@ class FinishopenidloginAction extends Action {
 		if (common_logged_in()) {
 			common_user_error(_('Already logged in.'));
 		} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+			$token = $this->trimmed('token');
+			if (!$token || $token != common_session_token()) {
+				$this->show_form(_('There was a problem with your session token. Try again, please.'));
+				return;
+			}
 			if ($this->arg('create')) {
 				if (!$this->boolean('license')) {
 					$this->show_form(_('You can\'t register if you don\'t agree to the license.'),
@@ -64,6 +69,7 @@ class FinishopenidloginAction extends Action {
 		common_element_start('form', array('method' => 'post',
 										   'id' => 'account_connect',
 										   'action' => common_local_url('finishopenidlogin')));
+		common_hidden('token', common_session_token());
 		common_element('h2', NULL, _('Create new account'));
 		common_element('p', NULL, |
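Review bot: The token comparison on the second added line of the first hunk uses PHP's loose `!=`, so two numeric-looking strings are compared as numbers (`'1e3' == '1000'` is true), and a submitted token that is only numerically equal to the session token would pass the CSRF check. Compare strictly instead: `if (!$token || $token !== common_session_token()) {`; a constant-time comparison such as `hash_equals()` would be preferable where the runtime provides it, which this code's era likely does not. The `!$token` guard also rejects the literal token `"0"` as missing, which is harmless only if `common_session_token()` can never yield that value — worth confirming in its implementation. Note that the check is applied only on POST, so any state change this handler performs on a GET request remains unprotected; the enclosing method starts and ends outside the hunk, so that cannot be judged from here.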