
Commit cce47f9

committed
Fixed possible direct calls
1 parent 3c75f87 commit cce47f9


1 file changed

+11
-2
lines changed


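--- a/phpmyfaq/admin/stat.ratings.php
+++ b/phpmyfaq/admin/stat.ratings.php
@@ -41,7 +41,8 @@
 <i aria-hidden="true" class="fa fa-tasks"></i> <?php echo $PMF_LANG['ad_rs'] ?>
 
 <div class="pull-right">
-<a class="btn btn-danger" href="?action=clear-statistics">
+<a class="btn btn-danger"
+href="?action=clear-statistics&csrf=<?php echo $user->getCsrfTokenFromSession() ?>">
 <i aria-hidden="true" class="fa fa-trash"></i> <?php echo $PMF_LANG['ad_delete_all_votings'] ?>
 </a>
 </div>
@@ -50,7 +51,15 @@
 </header>
 
 <?php
-if ('clear-statistics' === $action) {
+$csrfToken = PMF_Filter::filterInput(INPUT_GET, 'csrf', FILTER_SANITIZE_STRING);
+
+if (!isset($_SESSION['phpmyfaq_csrf_token']) || $_SESSION['phpmyfaq_csrf_token'] !== $csrfToken) {
+$clearStatistics = false;
+} else {
+$clearStatistics = true;
+}
+
+if ('clear-statistics' === $action && $clearStatistics) {
 if ($ratings->deleteAll()) {
 echo '<p class="alert alert-success">Statistics successfully deleted.</p>';
 } else {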
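Review bot: The token check at new line 56 compares the session token with `!==`, a byte-wise comparison that stops at the first differing byte; a secret should be compared with the constant-time `hash_equals()` (PHP 5.6+), which also needs both operands to be strings since `PMF_Filter::filterInput()` presumably yields null when the `csrf` parameter is absent. The whole added block can collapse to `$clearStatistics = isset($_SESSION['phpmyfaq_csrf_token']) && is_string($csrfToken) && hash_equals($_SESSION['phpmyfaq_csrf_token'], $csrfToken);`. The token is also carried in the GET query string built in the first hunk, so it may land in server logs and Referer headers; a POST form for this destructive action would avoid that, and the echoed token in the `href` should go through `htmlspecialchars()` for attribute context.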
