From: Evan Prodromou
Date: Fri, 29 Aug 2008 03:48:54 +0000 (-0400)
Subject: add a token for CSRF avoidance
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=d6dd35a66a394a830eb171ab6620da808667c772;p=quix0rs-gnu-social.git
add a token for CSRF avoidance
darcs-hash:20080829034854-84dde-a636b446dc254aaa77ac65f63be01e49c192bf32.gz
---
diff --git a/actions/finishopenidlogin.php b/actions/finishopenidlogin.php
index 827a4e9c7a..f09027e9e0 100644
--- a/actions/finishopenidlogin.php
+++ b/actions/finishopenidlogin.php
@@ -28,6 +28,11 @@ class FinishopenidloginAction extends Action {
 if (common_logged_in()) {
 common_user_error(_('Already logged in.'));
 } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+ $token = $this->trimmed('token');
+ if (!$token || $token != common_session_token()) {
+ $this->show_form(_('There was a problem with your session token. Try again, please.'));
+ return;
+ }
 if ($this->arg('create')) {
 if (!$this->boolean('license')) {
 $this->show_form(_('You can\'t register if you don\'t agree to the license.'),
@@ -64,6 +69,7 @@ class FinishopenidloginAction extends Action {
 common_element_start('form', array('method' => 'post',
 'id' => 'account_connect',
 'action' => common_local_url('finishopenidlogin')));
+ common_hidden('token', common_session_token());
 common_element('h2', NULL, _('Create new account'));
 common_element('p', NULL,
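Review bot: The new token check in the first hunk compares the submitted value with loose `!=`, so PHP type juggling on numeric-looking strings (e.g. `'1e3'` vs `'1000'`) can make a mismatched token pass; use a strict, constant-time comparison instead, `if (!$token || !hash_equals(common_session_token(), $token)) {` (or `!==` where `hash_equals()` is unavailable), and keep the `!$token` guard so a missing value is rejected before the comparison. The check gates the whole POST branch, including the non-`create` path that follows the hunk, so every form that posts here needs the hidden `token` field; the second hunk adds it only after the `account_connect` form start, and if another form exists beyond the visible lines it will be rejected without one. The enclosing method begins before the first hunk and continues past it.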