Profile block base style

[quix0rs-gnu-social.git] / actions / login.php

diff --git a/actions/login.php b/actions/login.php
index a60f3c65ce929675d0a965e82b24dd392a609e85..ccec9cf8a787818e20cb518f64b44bfd31b30336 100644 (file)
--- a/actions/login.php
+++ b/actions/login.php
@@ -21,6 +21,10 @@ if (!defined('LACONICA')) { exit(1); }
 
 class LoginAction extends Action {
 
+       function is_readonly() {
+               return true;
+       }
+
        function handle($args) {
                parent::handle($args);
                if (common_is_real_login()) {
@@ -33,9 +37,16 @@ class LoginAction extends Action {
        }
 
        function check_login() {
-               # XXX: form token in $_SESSION to prevent XSS
                # XXX: login throttle
-               $nickname = $this->arg('nickname');
+
+               # CSRF protection - token set in common_notice_form()
+               $token = $this->trimmed('token');
+               if (!$token || $token != common_session_token()) {
+                       $this->client_error(_('There was a problem with your session token. Try again, please.'));
+                       return;
+               }
+
+               $nickname = common_canonical_nickname($this->trimmed('nickname'));
                $password = $this->arg('password');
                if (common_check_user($nickname, $password)) {
                        # success!
@@ -100,6 +111,7 @@ class LoginAction extends Action {
                                _('Automatically login in the future; ' .
                                   'not for shared computers!'));
                common_submit('submit', _('Login'));
+               common_hidden('token', common_session_token());
                common_element_end('form');
                common_element_start('p');
                common_element('a', array('href' => common_local_url('recoverpassword')),
@@ -138,4 +150,3 @@ class LoginAction extends Action {
                }
        }
 }
-#
\ No newline at end of file