
Commit c0a4c05

Author: Isaac Connor (committed)
Only perform actions on POST. Doing them on GET allows doing actions from things like img tags, which is not good.
1 parent 96b428e commit c0a4c05

1 file changed (+6, -2 lines)

Diff for: web/index.php

@@ -203,8 +203,12 @@
203203
require_once $includeFile;
204204
}
205205

206-
if ( isset($_REQUEST['action']) )
207-
$action = detaintPath($_REQUEST['action']);
206+
if (isset($_POST['action'])) {
207+
# Actions can only be performed on POST because we don't check csrf on GETs.
208+
$action = detaintPath($_POST['action']);
209+
} else if (isset($_REQUEST['action'])) {
210+
ZM\Error('actions can no longer be performed without POST.');
211+
}
208212

209213
# The only variable we really need to set is action. The others are informal.
210214
isset($view) || $view = NULL;
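Review bot: Requiring POST stops the `<img src=...>`-style GET trigger named in the commit message, but it is not a CSRF defence on its own: a cross-origin form can be auto-submitted as POST just as easily, so the new `$_POST` branch must still go through the CSRF token check that the added comment (`# Actions can only be performed on POST because we don't check csrf on GETs.`) implies exists for POST requests; please confirm that check is actually reached for every `$action` value accepted here. Two smaller points in the same hunk: the `else if` branch logs `ZM\Error(...)` but leaves `$action` unset, and the following comment says action is "the only variable we really need to set", so initialising `$action = null;` before the `if` would make the fall-through explicit rather than relying on an undefined variable; and since `$_REQUEST` also covers cookies depending on `request_order`, testing `$_GET['action']` in the rejection branch would state the intent (GET is rejected) more precisely than `$_REQUEST`.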
