From da98ba662ea2af58c27eadecf444537ea07a04c7 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Mon, 14 Sep 2020 20:21:22 +0300 Subject: [PATCH] public/subscribe: require valid CSRF token when validating the form --- classes/handler/public.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/classes/handler/public.php b/classes/handler/public.php index 135cdcbc7..7f8d01ad0 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -728,6 +728,7 @@ class Handler_Public extends Handler { if ($_SESSION["uid"]) { $feed_url = trim(clean($_REQUEST["feed_url"])); + $csrf_token = clean($_REQUEST["csrf_token"]); header('Content-Type: text/html; charset=utf-8'); ?> @@ -774,10 +775,11 @@ class Handler_Public extends Handler {
+
@@ -820,6 +822,7 @@ class Handler_Public extends Handler { print ""; print ""; + print_hidden("csrf_token", $_SESSION["csrf_token"]); print "
"; print "";