diff options
author | Evan Prodromou <evan@prodromou.name> | 2008-08-29 00:39:09 -0400 |
---|---|---|
committer | Evan Prodromou <evan@prodromou.name> | 2008-08-29 00:39:09 -0400 |
commit | 6afb7f576e013ea597686ac3aabe471f2dc70cd1 (patch) | |
tree | ff9b9363d719cb23804af457c274bd2d2c8a2313 /actions/profilesettings.php | |
parent | 9a65f45c4519074046a0f1628ce1da1e2e1fadb5 (diff) |
add csrf protection to profile settings
darcs-hash:20080829043909-84dde-c70a633c93ab89560bc300817bda66eebf6176cf.gz
Diffstat (limited to 'actions/profilesettings.php')
-rw-r--r-- | actions/profilesettings.php | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/actions/profilesettings.php b/actions/profilesettings.php index bc4fce50b..14c725ff9 100644 --- a/actions/profilesettings.php +++ b/actions/profilesettings.php @@ -37,6 +37,7 @@ class ProfilesettingsAction extends SettingsAction { 'id' => 'profilesettings', 'action' => common_local_url('profilesettings'))); + common_hidden('token', common_session_token()); # too much common patterns here... abstractable? common_input('nickname', _('Nickname'), ($this->arg('nickname')) ? $this->arg('nickname') : $profile->nickname, @@ -80,6 +81,14 @@ class ProfilesettingsAction extends SettingsAction { $language = $this->trimmed('language'); $timezone = $this->trimmed('timezone'); + # CSRF protection + + $token = $this->trimmed('token'); + if (!$token || $token != common_session_token()) { + $this->show_form(_('There was a problem with your session token. Try again, please.')); + return; + } + # Some validation if (!Validate::string($nickname, array('min_length' => 1, @@ -147,9 +156,9 @@ class ProfilesettingsAction extends SettingsAction { } # XXX: XOR - + if ($user->autosubscribe ^ $autosubscribe) { - + $original = clone($user); $user->autosubscribe = $autosubscribe; @@ -162,7 +171,7 @@ class ProfilesettingsAction extends SettingsAction { return; } } - + $profile = $user->getProfile(); $orig_profile = clone($profile); |