
Commit 6ad1349

committed
CSRF for file configuration URL
1 parent f59ffb0 commit 6ad1349


2 files changed

+8
-0
lines changed

2 files changed

+8
-0
lines changed

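--- a/lhc_web/design/defaulttheme/tpl/lhfile/configuration.tpl.php
+++ b/lhc_web/design/defaulttheme/tpl/lhfile/configuration.tpl.php
@@ -10,6 +10,8 @@
 
 <form action="" ng-non-bindable method="post">
 
+<?php include(erLhcoreClassDesign::designtpl('lhkernel/csfr_token.tpl.php'));?>
+
 <div class="row">
 <div class="col-6">
 <div class="form-group">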

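--- a/lhc_web/modules/lhfile/configuration.php
+++ b/lhc_web/modules/lhfile/configuration.php
@@ -7,6 +7,12 @@
 
 
 if (isset($_POST['StoreFileConfiguration'])) {
+
+if (!isset($_POST['csfr_token']) || !$currentUser->validateCSFRToken($_POST['csfr_token'])) {
+erLhcoreClassModule::redirect('file/configuration');
+exit;
+}
+
 $definition = array(
 'AllowedFileTypes' => new ezcInputFormDefinitionElement(
 ezcInputFormDefinitionElement::OPTIONAL, 'string'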
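Review bot: The guard at new line 11 hands `$_POST['csfr_token']` to validateCSFRToken without confirming it is a string, so a submission that sends the field as an array reaches the validator with an unexpected type and the rejection then depends on how that method (outside this hunk) treats non-strings rather than on this check. Tightening the condition to `if (!isset($_POST['csfr_token']) || !is_string($_POST['csfr_token']) || !$currentUser->validateCSFRToken($_POST['csfr_token'])) {` keeps the reject decision local and explicit. The failure path also redirects silently, so a user whose token has expired loses the submitted configuration with no message; if the module has an error-reporting convention, surfacing one here would help. The check assumes `$currentUser` is initialised before line 7 and covers only the `StoreFileConfiguration` branch, whose body continues past the hunk; any other POST handling elsewhere in this file would need the same token check.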
