CSRF protection for subscription/unsubscription
[quix0rs-gnu-social.git] / actions / twitapiaccount.php
index 716ddd1543a3d3c22b7fbb8c3bc95131a68ef121..3a9b8ba3e2f60db4abc96211c6b6821dc3233a20 100644 (file)
@@ -61,6 +61,11 @@ class TwitapiaccountAction extends TwitterapiAction {
        function update_location($args, $apidata) {
                parent::handle($args);
 
+               if ($_SERVER['REQUEST_METHOD'] != 'POST') {
+                       $this->client_error(_('This method requires a POST.'), 400, $apidata['content-type']);
+                       exit();
+               }
+
                $location = trim($this->arg('location'));
 
                if (!is_null($location) && strlen($location) > 255) {
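Review bot: The method check added at the top of update_location() rejects non-POST requests, but that alone does not stop cross-site request forgery, because a form on another origin can still submit a POST and the browser attaches whatever credentials it holds for this host. Whether that matters here depends on how the API request authenticates, which this hunk does not show; if cookies or cached HTTP auth are accepted, the state change that follows still needs a per-session token or an Origin/Referer check. At minimum I would record the limit next to the guard, e.g. `// POST-only blocks GET-triggered changes (links, images); it is not a CSRF defence by itself.` The guard also runs after `parent::handle($args)`, so anything that call does still happens for rejected methods; consider moving the check above it if handle() has side effects. update_location() continues past the end of the hunk.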