X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Favatar.php;h=9f397e93c3e0148248955ae8746308a489631f02;hb=bf14709fe2ed18f5a2641f841cb000a4856290fd;hp=1029abd1e6286a4fba5f2da02c7a8404661cacde;hpb=87b494f1ebbe7640d194ef322af12fdf378295df;p=quix0rs-gnu-social.git
diff --git a/actions/avatar.php b/actions/avatar.php
index 1029abd1e6..9f397e93c3 100644
--- a/actions/avatar.php
+++ b/actions/avatar.php
@@ -24,12 +24,7 @@ require_once(INSTALLDIR.'/lib/settingsaction.php');
 class AvatarAction extends SettingsAction {
 
 	function get_instructions() {
-		return _('Upload a new "avatar" (user image) here. ' .
-				 'You can\'t edit the picture after you upload it, so ' .
-				 'make sure it\'s more or less square. ' .
-				 'It must be under the site license, also. ' .
-				 'Use a picture that belongs to you and that you ' .
-				 'want to share.');
+		return _('Upload a new "avatar" (user image) here. You can\'t edit the picture after you upload it, so make sure it\'s more or less square. It must be under the site license, also. Use a picture that belongs to you and that you want to share.');
 	}
 
 	function show_form($msg=NULL, $success=false) {
@@ -63,6 +58,7 @@ class AvatarAction extends SettingsAction {
 									   'id' => 'avatar',
 									   'action' =>
 									   common_local_url('avatar')));
+		common_hidden('token', common_session_token());
 		common_element('input', array('name' => 'MAX_FILE_SIZE',
 									  'type' => 'hidden',
 									  'id' => 'MAX_FILE_SIZE',
@@ -77,6 +73,14 @@ class AvatarAction extends SettingsAction {
 
 	function handle_post() {
 
+		# CSRF protection
+
+		$token = $this->trimmed('token');
+		if (!$token || $token != common_session_token()) {
+			$this->show_form(_('There was a problem with your session token. Try again, please.'));
+			return;
+		}
+
 		switch ($_FILES['avatarfile']['error']) {
 			case UPLOAD_ERR_OK: # success, jump out
 				break;
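Review bot: The new token check in handle_post() compares with loose `!=`, so two different strings that PHP treats as equal numeric strings (for example `'1e3'` and `'1000'`) would satisfy the CSRF check; whether common_session_token() can ever emit such values depends on its implementation, which is not visible here, but the comparison should not rely on that. Use a strict comparison, `if (!$token || $token !== common_session_token()) {`, or `hash_equals(common_session_token(), $token)` where the PHP version provides it, which also makes the comparison constant-time. The `!$token` guard additionally rejects a legitimate token of `'0'`; with a strict comparison in place, testing `$token === ''` is the safer emptiness check. handle_post()'s body continues outside the hunk.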