From 7be1e3ed38baf8233b7f6733db3f57859c1b2086 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Wed, 17 Feb 2021 15:04:39 +0300 Subject: [PATCH] pluginhandler: reject method requests without CSRF --- classes/pluginhandler.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/classes/pluginhandler.php b/classes/pluginhandler.php index 3fd823aa8..a0e60b4e6 100644 --- a/classes/pluginhandler.php +++ b/classes/pluginhandler.php @@ -14,8 +14,8 @@ class PluginHandler extends Handler_Protected { if (validate_csrf($csrf_token)) { $plugin->$method(); } else { - user_error("Requested ${plugin_name}->${method}() with invalid CSRF token.", E_USER_DEPRECATED); - $plugin->$method(); + user_error("Rejected ${plugin_name}->${method}(): invalid CSRF token.", E_USER_WARNING); + print error_json(6); } } else { user_error("Rejected ${plugin_name}->${method}(): unknown method.", E_USER_WARNING);