CSRF protection in remotesubscribe

darcs-hash:20080829054038-7b5ce-d0503a8eb7f89a9d2de4aadd4550f4342b943b09.gz
This commit is contained in:
Zach Copley 2008-08-29 01:40:38 -04:00
parent a034e13bf0
commit 9fb08ec45e

View File

@ -33,6 +33,14 @@ class RemotesubscribeAction extends Action {
} }
if ($_SERVER['REQUEST_METHOD'] == 'POST') { if ($_SERVER['REQUEST_METHOD'] == 'POST') {
# CSRF protection
$token = $this->trimmed('token');
if (!$token || $token != common_session_token()) {
$this->show_form(_('There was a problem with your session token. Try again, please.'));
return;
}
$this->remote_subscription(); $this->remote_subscription();
} else { } else {
$this->show_form(); $this->show_form();
@ -68,6 +76,7 @@ class RemotesubscribeAction extends Action {
# button on profile page # button on profile page
common_element_start('form', array('id' => 'remsub', 'method' => 'post', common_element_start('form', array('id' => 'remsub', 'method' => 'post',
'action' => common_local_url('remotesubscribe'))); 'action' => common_local_url('remotesubscribe')));
common_hidden('token', common_session_token());
common_input('nickname', _('User nickname'), $nickname, common_input('nickname', _('User nickname'), $nickname,
_('Nickname of the user you want to follow')); _('Nickname of the user you want to follow'));
common_input('profile_url', _('Profile URL'), $profile, common_input('profile_url', _('Profile URL'), $profile,