gnh1201/seeddms-code
1
0
Fork 0
mirror of https://git.code.sf.net/p/seeddms/code synced 2025-09-09 11:29:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

add csrf protection

Browse Source
This commit is contained in:
Uwe Steinmann 2021-01-25 09:08:40 +01:00
parent ef20172f57
commit 44813338b1
2 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
op/op.EditUserData.php
View File

@ -37,6 +37,11 @@ if (!$user->isAdmin() && ($settings->_disableSelfEdit)) {
UI::exitError(getMLText("edit_user_details"),getMLText("access_denied")); UI::exitError(getMLText("edit_user_details"),getMLText("access_denied"));
} }
/* Check if the form data comes from a trusted request */
if(!checkFormKey('edituserdata')) {
UI::exitError(getMLText("edit_user_details"),getMLText("invalid_request_token"));
}
$fullname = $_POST["fullname"]; $fullname = $_POST["fullname"];
$email = $_POST["email"]; $email = $_POST["email"];
$comment = $_POST["comment"]; $comment = $_POST["comment"];

1
views/bootstrap/class.EditUserData.php
View File

@ -103,6 +103,7 @@ $(document).ready( function() {
$this->contentContainerStart(); $this->contentContainerStart();
?> ?>
<form class="form-horizontal" action="../op/op.EditUserData.php" enctype="multipart/form-data" method="post" id="form"> <form class="form-horizontal" action="../op/op.EditUserData.php" enctype="multipart/form-data" method="post" id="form">
<?php echo createHiddenFieldWithKey('edituserdata'); ?>
<?php <?php
$this->formField( $this->formField(
getMLText("current_password"), getMLText("current_password"),