author | Angie Byron <webchick@24967.no-reply.drupal.org> | 2010-03-28 07:00:30 +0000 |
committer | Angie Byron <webchick@24967.no-reply.drupal.org> | 2010-03-28 07:00:30 +0000 |
commit | 3359fb5c1cd034aedc05fb961a3360f04a379c49 (patch) | |
tree | efcf93ada9c929ad7c7502d8d5c88cccad7411e2 /modules/comment/comment.pages.inc | |
parent | 3520ea515364a528d06fc8ad477a103ff168a1f7 (diff) | |
#66264 by boombatower, grendzy, et al: Remove CSRF vulnerability from comment module.
Diffstat (limited to 'modules/comment/comment.pages.inc')
-rw-r--r-- | modules/comment/comment.pages.inc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/modules/comment/comment.pages.inc b/modules/comment/comment.pages.inc
index 4156beb18..948fcad11 100644
--- a/modules/comment/comment.pages.inc
+++ b/modules/comment/comment.pages.inc
@@ -107,6 +107,9 @@ function comment_reply($node, $pid = NULL) {
  * A comment identifier.
  */
 function comment_approve($cid) {
+  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], "comment/$cid/approve")) {
+    return MENU_ACCESS_DENIED;
+  }
   if ($comment = comment_load($cid)) {
     $comment->status = COMMENT_PUBLISHED;
     comment_save($comment);
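Review bot: The new token guard at the top of comment_approve() has no comment explaining why a state-changing GET page callback needs it, and the value string `"comment/$cid/approve"` has to match byte-for-byte wherever the approve link is generated, which is outside this hunk and presumably lives in comment.module. I would add above the `if`: `// Reject requests without a valid CSRF token bound to this comment id; the approve link must be built with the same value string.` Checking the token before comment_load() is the right order, since a missing or forged token is refused regardless of whether the comment exists. comment_approve()'s body continues past the end of the hunk.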