public/subscribe: require valid CSRF token when validating the form
parent
b4cb67e77f
commit
da98ba662e
|
@ -728,6 +728,7 @@ class Handler_Public extends Handler {
|
||||||
if ($_SESSION["uid"]) {
|
if ($_SESSION["uid"]) {
|
||||||
|
|
||||||
$feed_url = trim(clean($_REQUEST["feed_url"]));
|
$feed_url = trim(clean($_REQUEST["feed_url"]));
|
||||||
|
$csrf_token = clean($_REQUEST["csrf_token"]);
|
||||||
|
|
||||||
header('Content-Type: text/html; charset=utf-8');
|
header('Content-Type: text/html; charset=utf-8');
|
||||||
?>
|
?>
|
||||||
|
@ -774,10 +775,11 @@ class Handler_Public extends Handler {
|
||||||
<div class='content'>
|
<div class='content'>
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
if (!$feed_url) {
|
if (!$feed_url || $csrf_token != $_SESSION["csrf_token"]) {
|
||||||
?>
|
?>
|
||||||
<form method="post">
|
<form method="post">
|
||||||
<input type="hidden" name="op" value="subscribe">
|
<input type="hidden" name="op" value="subscribe">
|
||||||
|
<?php print_hidden("csrf_token", $_SESSION["csrf_token"]) ?>
|
||||||
<fieldset>
|
<fieldset>
|
||||||
<label>Feed or site URL:</label>
|
<label>Feed or site URL:</label>
|
||||||
<input style="width: 300px" dojoType="dijit.form.ValidationTextBox" required="1" name="feed_url">
|
<input style="width: 300px" dojoType="dijit.form.ValidationTextBox" required="1" name="feed_url">
|
||||||
|
@ -820,6 +822,7 @@ class Handler_Public extends Handler {
|
||||||
|
|
||||||
print "<form action='public.php'>";
|
print "<form action='public.php'>";
|
||||||
print "<input type='hidden' name='op' value='subscribe'>";
|
print "<input type='hidden' name='op' value='subscribe'>";
|
||||||
|
print_hidden("csrf_token", $_SESSION["csrf_token"]);
|
||||||
|
|
||||||
print "<fieldset>";
|
print "<fieldset>";
|
||||||
print "<label style='display : inline'>" . __("Multiple feed URLs found:") . "</label>";
|
print "<label style='display : inline'>" . __("Multiple feed URLs found:") . "</label>";
|
||||||
|
|
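Review bot: The new check `if (!$feed_url || $csrf_token != $_SESSION["csrf_token"]) {` in the second hunk uses loose `!=`, which in PHP compares numeric-looking strings by value (e.g. `"0e12" != "0"` is false), so depending on how the token is generated (not shown here) a mismatching token may be accepted; compare with `!hash_equals((string) $_SESSION["csrf_token"], (string) $csrf_token)`, which is also constant-time. On mismatch the code only falls through to re-render the form, so the caller gets no explicit error; that may be intended, but is worth a short comment on the condition. In the third hunk the token is added to `<form action='public.php'>`, which has no `method` attribute and so submits via GET, putting the token in the query string where it reaches server logs and Referer headers; `print "<form action='public.php' method='post'>";` would avoid that. The enclosing method starts before the first hunk and ends after the third.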