MainController, Blog Themes: protect against CSRF
My thanks to @fleetcaptain for the report.
xenocrat committed Jan 6, 2017
1 parent a197ea2 commit 79bb2de
Showing 5 changed files with 7 additions and 0 deletions.
3 changes: 3 additions & 0 deletions includes/controller/Main.php
Expand Up @@ -620,6 +620,9 @@ public function controls() {
if (!empty($_POST)) {
$visitor = Visitor::current();

if (!isset($_POST['hash']) or $_POST['hash'] != token($_SERVER["REMOTE_ADDR"]))
Flash::warning(__("Invalid security key."));

if (!empty($_POST['new_password1']))
if (empty($_POST['new_password2']) or $_POST['new_password1'] != $_POST['new_password2'])
Flash::warning(__("Passwords do not match."));
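Review bot: The new token guard compares with loose `!=`, which is not constant-time and in PHP treats two numeric-looking strings as equal (hex digests of the form `0e` followed only by digits compare equal to each other), so if `token()` returns a hex digest a crafted value can pass without matching. Prefer `if (!isset($_POST['hash']) or !is_string($_POST['hash']) or !hash_equals(token($_SERVER["REMOTE_ADDR"]), $_POST['hash']))`, which also rejects an array submitted as `hash[]` instead of letting it reach the comparison. The failure path only records a Flash warning and falls through, so whether the password/profile update is actually suppressed depends on a later Flash check that is outside this hunk — worth confirming it aborts rather than merely warns. Deriving the token from REMOTE_ADDR rather than the session also means every client behind the same proxy or NAT shares one token, which weakens the protection in those deployments. controls() begins and ends outside the hunk.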
1 change: 1 addition & 0 deletions themes/blossom/forms/user/controls.twig
Expand Up @@ -18,6 +18,7 @@
<div class="doaction">
<button name="submit" type="submit" id="submit" tabindex="4">{{ "Update" | translate }}</button>
</div>
<input type="hidden" name="hash" value="{{ ip | token }}" id="hash">
</form>
</div>
{% endblock %}
1 change: 1 addition & 0 deletions themes/sparrow/forms/user/controls.twig
Expand Up @@ -18,6 +18,7 @@
<div class="doaction">
<button name="submit" type="submit" id="submit" tabindex="4">{{ "Update" | translate }}</button>
</div>
<input type="hidden" name="hash" value="{{ ip | token }}" id="hash">
</form>
</div>
{% endblock %}
1 change: 1 addition & 0 deletions themes/topaz/forms/user/controls.twig
Expand Up @@ -18,6 +18,7 @@
<div class="doaction">
<button name="submit" type="submit" id="submit" tabindex="4">{{ "Update" | translate }}</button>
</div>
<input type="hidden" name="hash" value="{{ ip | token }}" id="hash">
</form>
</div>
{% endblock %}
1 change: 1 addition & 0 deletions themes/umbra/forms/user/controls.twig
Expand Up @@ -18,6 +18,7 @@
<div class="doaction">
<button name="submit" type="submit" id="submit" tabindex="4">{{ "Update" | translate }}</button>
</div>
<input type="hidden" name="hash" value="{{ ip | token }}" id="hash">
</form>
</div>
{% endblock %}

