gnh1201/seeddms-code
1
0
Fork 0
mirror of https://git.code.sf.net/p/seeddms/code synced 2025-05-13 13:11:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

add csrf protection

Browse Source
This commit is contained in:
Uwe Steinmann 2021-01-25 09:00:03 +01:00
parent d84978eb3d
commit 6dbcd3362f
2 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
op/op.AddEvent.php
View File

@ -34,6 +34,11 @@ if ($user->isGuest()) {
UI::exitError(getMLText("edit_event"),getMLText("access_denied")); UI::exitError(getMLText("edit_event"),getMLText("access_denied"));
} }
/* Check if the form data comes from a trusted request */
if(!checkFormKey('addevent')) {
UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
}
if (!isset($_POST["from"]) && !(isset($_POST["frommonth"]) && isset($_POST["fromday"]) && isset($_POST["fromyear"])) ) { if (!isset($_POST["from"]) && !(isset($_POST["frommonth"]) && isset($_POST["fromday"]) && isset($_POST["fromyear"])) ) {
UI::exitError(getMLText("add_event"),getMLText("error_occured")); UI::exitError(getMLText("add_event"),getMLText("error_occured"));
} }

1
views/bootstrap/class.AddEvent.php
View File

@ -84,6 +84,7 @@ $(document).ready(function() {
?> ?>
<form class="form-horizontal" action="../op/op.AddEvent.php" id="form1" name="form1" method="post"> <form class="form-horizontal" action="../op/op.AddEvent.php" id="form1" name="form1" method="post">
<?php echo createHiddenFieldWithKey('addevent'); ?>
<?php <?php
$this->formField( $this->formField(