Added session token checking.

author Zach Copley <zach@status.net>

Tue, 17 Nov 2009 02:12:39 +0000 (18:12 -0800)

committer Zach Copley <zach@status.net>

Mon, 25 Jan 2010 00:36:02 +0000 (16:36 -0800)
author Zach Copley <zach@status.net>
Tue, 17 Nov 2009 02:12:39 +0000 (18:12 -0800)
committer Zach Copley <zach@status.net>
Mon, 25 Jan 2010 00:36:02 +0000 (16:36 -0800)
diff --git a/actions/newapplication.php b/actions/newapplication.php

index 9d8635270a4f46aa36f4ae26f3d0991bc1baad26..ec0f2e7af28aeb17ae52dd3e920ff8cf903d760d 100644 (file)
--- a/actions/newapplication.php
+++ b/actions/newapplication.php
@@ -84,6 +84,13 @@ class NewApplicationAction extends OwnerDesignAction
  
          if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  
+            // CSRF protection
+            $token = $this->trimmed('token');
+            if (!$token || $token != common_session_token()) {
+                $this->clientError(_('There was a problem with your session token.'));
+                return;
+            }
+
              $cur = common_current_user();
  
              if ($this->arg('cancel')) {
author	Zach Copley <zach@status.net>
	Tue, 17 Nov 2009 02:12:39 +0000 (18:12 -0800)
committer	Zach Copley <zach@status.net>
	Mon, 25 Jan 2010 00:36:02 +0000 (16:36 -0800)