sec(2FA) apply CSRF check

tsolucio · Jun 2, 2023 · 2e415fb · 2e415fb
1 parent 659e328
commit 2e415fb
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/Smarty/templates/modules/Utilities/2fa.tpl b/Smarty/templates/modules/Utilities/2fa.tpl
@@ -13,7 +13,7 @@
 	</header>
 	<div class="slds-modal__content slds-app-launcher__content slds-p-around_medium">
 		{include file='applicationmessage.tpl'}
-		<form role="form" style="margin:0 100px;" name="faform">
+		<form role="form" style="margin:0 100px;" name="faform" method="post">
 		<input type="hidden" name="module" value="Utilities">
 		<input type="hidden" name="action" value="integration">
 		<input type="hidden" name="_op" id="_op" value="setconfig2fa">

diff --git a/include/integrations/2fa/settings.php b/include/integrations/2fa/settings.php
@@ -27,6 +27,7 @@
 $do2FA = GlobalVariable::getVariable('User_2FAAuthentication', 0, 'Users', $userid);
 $isAppActive = ($do2FA==1);
 if (!empty($userid) && $_REQUEST['_op']=='setconfig2fa' && $isPermitted=='yes') {
+	Vtiger_Request::validateRequest();
 	$isFormActive = ((empty($_REQUEST['2faactive']) || $_REQUEST['2faactive']!='on') ? '0' : '1');
 	$crmEntityTable = CRMEntity::getcrmEntityTableAlias('GlobalVariable');
 	$recexists = $adb->pquery(