CSRF protection in remotesubscribe
darcs-hash:20080829054038-7b5ce-d0503a8eb7f89a9d2de4aadd4550f4342b943b09.gz
This commit is contained in:
parent
a034e13bf0
commit
9fb08ec45e
@ -33,6 +33,14 @@ class RemotesubscribeAction extends Action {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
|
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
|
||||||
|
|
||||||
|
# CSRF protection
|
||||||
|
$token = $this->trimmed('token');
|
||||||
|
if (!$token || $token != common_session_token()) {
|
||||||
|
$this->show_form(_('There was a problem with your session token. Try again, please.'));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
$this->remote_subscription();
|
$this->remote_subscription();
|
||||||
} else {
|
} else {
|
||||||
$this->show_form();
|
$this->show_form();
|
||||||
@ -68,6 +76,7 @@ class RemotesubscribeAction extends Action {
|
|||||||
# button on profile page
|
# button on profile page
|
||||||
common_element_start('form', array('id' => 'remsub', 'method' => 'post',
|
common_element_start('form', array('id' => 'remsub', 'method' => 'post',
|
||||||
'action' => common_local_url('remotesubscribe')));
|
'action' => common_local_url('remotesubscribe')));
|
||||||
|
common_hidden('token', common_session_token());
|
||||||
common_input('nickname', _('User nickname'), $nickname,
|
common_input('nickname', _('User nickname'), $nickname,
|
||||||
_('Nickname of the user you want to follow'));
|
_('Nickname of the user you want to follow'));
|
||||||
common_input('profile_url', _('Profile URL'), $profile,
|
common_input('profile_url', _('Profile URL'), $profile,
|
||||||
|
Loading…
Reference in New Issue
Block a user