csrf protection in userauthorization

darcs-hash:20080829052732-84dde-0ebb7e32236b480cc3aa2eb7a4bb2b41ff6177d6.gz
This commit is contained in:
Evan Prodromou 2008-08-29 01:27:32 -04:00
parent 9b741c4f9a
commit 63438008e0

View File

@ -28,6 +28,13 @@ class UserauthorizationAction extends Action {
parent::handle($args); parent::handle($args);
if ($_SERVER['REQUEST_METHOD'] == 'POST') { if ($_SERVER['REQUEST_METHOD'] == 'POST') {
# CSRF protection
$token = $this->trimmed('token');
if (!$token || $token != common_session_token()) {
$req = $this->get_stored_request();
$this->show_form(_('There was a problem with your session token. Try again, please.'), $req);
return;
}
# We've shown the form, now post user's choice # We've shown the form, now post user's choice
$this->send_authorization(); $this->send_authorization();
} else { } else {