Only perform actions on post. Doing them on GET allows doing actions from things like img tags which is not good.
Isaac Connor committed Oct 3, 2022
1 parent 96b428e commit c0a4c05
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions web/index.php
@@ -203,8 +203,12 @@
require_once $includeFile;
}

if ( isset($_REQUEST['action']) )
$action = detaintPath($_REQUEST['action']);
if (isset($_POST['action'])) {
# Actions can only be performed on POST because we don't check csrf on GETs.
$action = detaintPath($_POST['action']);
} else if (isset($_REQUEST['action'])) {
ZM\Error('actions can no longer be performed without POST.');
}

# The only variable we really need to set is action. The others are informal.
isset($view) || $view = NULL;
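Review bot: The `else if` branch only logs via `ZM\Error('actions can no longer be performed without POST.');` and then falls through, so on a GET carrying `action` the script keeps executing with `$action` never assigned (it is now set only inside the POST branch), and any later code that reads `$action` will hit an undefined variable. Suggest initializing `$action = null;` before the `if` (next to `isset($view) || $view = NULL;` would fit the existing style) and, given the comment "Actions can only be performed on POST because we don't check csrf on GETs", actually stopping the request in that branch (redirect or an error response) rather than relying on the log line alone; otherwise the rejection is invisible to the client and only to whoever reads the log.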

0 comments on commit c0a4c05
