csrf protection in userauthorization
authorEvan Prodromou <evan@prodromou.name>
Fri, 29 Aug 2008 05:27:32 +0000 (01:27 -0400)
committerEvan Prodromou <evan@prodromou.name>
Fri, 29 Aug 2008 05:27:32 +0000 (01:27 -0400)
darcs-hash:20080829052732-84dde-0ebb7e32236b480cc3aa2eb7a4bb2b41ff6177d6.gz

actions/userauthorization.php

index 8059c3106b8e4051ca5de01372cab3cbc57fc8b7..3d4661b25d2a375b1dab19bee04622e20c27c131 100644 (file)
@@ -23,11 +23,18 @@ require_once(INSTALLDIR.'/lib/omb.php');
 define('TIMESTAMP_THRESHOLD', 300);
 
 class UserauthorizationAction extends Action {
-       
+
        function handle($args) {
                parent::handle($args);
 
                if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+                       # CSRF protection
+                       $token = $this->trimmed('token');
+                       if (!$token || $token != common_session_token()) {
+                               $req = $this->get_stored_request();
+                               $this->show_form(_('There was a problem with your session token. Try again, please.'), $req);
+                               return;
+                       }
                        # We've shown the form, now post user's choice
                        $this->send_authorization();
                } else {
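Review bot: The new check `if (!$token || $token != common_session_token())` compares the submitted token with loose inequality, so two distinct numeric-looking strings (for example both of the form `0e…`) would compare equal and the CSRF guard would pass; use `if (!$token || $token !== common_session_token())`, and where the PHP runtime provides it, `!hash_equals(common_session_token(), $token)` so the comparison is also constant-time. A short comment above the check, such as `# reject the POST unless the form carried the token issued to this session`, would make the intent clear to the next reader. `handle()` continues past the end of the hunk, so the non-POST branch is not visible here.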