CSRF protection for subscription/unsubscription

author Evan Prodromou <evan@prodromou.name>

Fri, 29 Aug 2008 05:11:04 +0000 (01:11 -0400)

committer Evan Prodromou <evan@prodromou.name>

Fri, 29 Aug 2008 05:11:04 +0000 (01:11 -0400)
author Evan Prodromou <evan@prodromou.name>
Fri, 29 Aug 2008 05:11:04 +0000 (01:11 -0400)
committer Evan Prodromou <evan@prodromou.name>
Fri, 29 Aug 2008 05:11:04 +0000 (01:11 -0400)
diff --git a/actions/showstream.php b/actions/showstream.php

index 29ff58a59464e8cf6776f41836856c64490fe1c1..7b41b8514e7b810c6c2a56c73ffcedd03a031abd 100644 (file)
--- a/actions/showstream.php
+++ b/actions/showstream.php
@@ -179,6 +179,7 @@ class ShowstreamAction extends StreamAction {
         function show_subscribe_form($profile) {
                 common_element_start('form', array('id' => 'subscribe', 'method' => 'post',
                                                                                    'action' => common_local_url('subscribe')));
+               common_hidden('token', common_session_token());
                 common_element('input', array('id' => 'subscribeto',
                                                                           'name' => 'subscribeto',
                                                                           'type' => 'hidden',
@@ -200,6 +201,7 @@ class ShowstreamAction extends StreamAction {
         function show_unsubscribe_form($profile) {
                 common_element_start('form', array('id' => 'unsubscribe', 'method' => 'post',
                                                                                    'action' => common_local_url('unsubscribe')));
+               common_hidden('token', common_session_token());
                 common_element('input', array('id' => 'unsubscribeto',
                                                                           'name' => 'unsubscribeto',
                                                                           'type' => 'hidden',
diff --git a/actions/subscribe.php b/actions/subscribe.php

index 71452e46ccda236bc06058c4daaabf29b2ee34b0..8bb723799c3f37a311f84639c19ae5cf7b3910d7 100644 (file)
--- a/actions/subscribe.php
+++ b/actions/subscribe.php
@@ -36,6 +36,15 @@ class SubscribeAction extends Action {
                         return;
                 }
  
+               # CSRF protection
+
+               $token = $this->trimmed('token');
+               
+               if (!$token || $token != common_session_token()) {
+                       common_redirect(common_local_url('subscriptions', array('nickname' => $user->nickname)));
+                       return;
+               }
+
                 $other_nickname = $this->arg('subscribeto');
  
                 $result=subs_subscribe_user($user, $other_nickname);
diff --git a/actions/unsubscribe.php b/actions/unsubscribe.php

index 5814c37bda179fb8ce757123cf64882073f82def..e0392413d92214b8411b99bc9c29142d9bfc11f3 100644 (file)
--- a/actions/unsubscribe.php
+++ b/actions/unsubscribe.php
@@ -33,6 +33,15 @@ class UnsubscribeAction extends Action {
                         return;
                 }
  
+               # CSRF protection
+
+               $token = $this->trimmed('token');
+               
+               if (!$token || $token != common_session_token()) {
+                       common_redirect(common_local_url('subscriptions', array('nickname' => $user->nickname)));
+                       return;
+               }
+
                 $other_nickname = $this->arg('unsubscribeto');
                 $result=subs_unsubscribe_user($user,$other_nickname);
                 if($result!=true) {
author	Evan Prodromou <evan@prodromou.name>
	Fri, 29 Aug 2008 05:11:04 +0000 (01:11 -0400)
committer	Evan Prodromou <evan@prodromou.name>
	Fri, 29 Aug 2008 05:11:04 +0000 (01:11 -0400)
actions/showstream.php		patch \| blob \| history
actions/subscribe.php		patch \| blob \| history
actions/unsubscribe.php		patch \| blob \| history