From 9fb08ec45e79f9cc782154ac8b8995e022e777e6 Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Fri, 29 Aug 2008 01:40:38 -0400 Subject: [PATCH] CSRF protection in remotesubscribe darcs-hash:20080829054038-7b5ce-d0503a8eb7f89a9d2de4aadd4550f4342b943b09.gz --- actions/remotesubscribe.php | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/actions/remotesubscribe.php b/actions/remotesubscribe.php index 407c5babbe..c2c00ab619 100644 --- a/actions/remotesubscribe.php +++ b/actions/remotesubscribe.php @@ -33,6 +33,14 @@ class RemotesubscribeAction extends Action { } if ($_SERVER['REQUEST_METHOD'] == 'POST') { + + # CSRF protection + $token = $this->trimmed('token'); + if (!$token || $token != common_session_token()) { + $this->show_form(_('There was a problem with your session token. Try again, please.')); + return; + } + $this->remote_subscription(); } else { $this->show_form(); @@ -68,6 +76,7 @@ class RemotesubscribeAction extends Action { # button on profile page common_element_start('form', array('id' => 'remsub', 'method' => 'post', 'action' => common_local_url('remotesubscribe'))); + common_hidden('token', common_session_token()); common_input('nickname', _('User nickname'), $nickname, _('Nickname of the user you want to follow')); common_input('profile_url', _('Profile URL'), $profile, -- 2.39.5