author | Andreas Gohr <andi@splitbrain.org> | 2009-05-27 13:22:43 +0200 |
---|---|---|
committer | Andreas Gohr <andi@splitbrain.org> | 2009-05-27 13:22:43 +0200 |
commit | df97eaac223e8e3c1cbd6f1474bc72a9ace9d51e (patch) | |
tree | 658ddff26a3b906b20d342e2729b5d8666ca0bf2 | |
parent | a3a8a0291c95b59fcf8b0f38a9ce348f222d0251 (diff) | |
Don't check for CSRF attacks when no user is logged in FS#1619
Ignore-this: 3ef4fafa34a7bbba76435b5db6935b57
There is no need to fight against a privilege stealing attack when the
attacked user has no privileges.
Skipping the check re-enables editing without cookies.
darcs-hash:20090527112243-7ad00-c1acd3161ececf3d922d5842033cb7d3f1910a16.gz
-rw-r--r-- | inc/common.php | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/inc/common.php b/inc/common.php
index c056e8f31..dfc563b7f 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -68,6 +68,8 @@ function getSecurityToken(){
  * Check the secret CSRF token
  */
 function checkSecurityToken($token=null){
+    if(!$_SERVER['REMOTE_USER']) return true; // no logged in user, no need for a check
+
     if(is_null($token)) $token = $_REQUEST['sectok'];
     if(getSecurityToken() != $token){
         msg('Security Token did not match. Possible CSRF attack.',-1); |
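Review bot: The guard on the first added line treats any falsy REMOTE_USER as "not logged in", which reads an index that is unset for anonymous requests (a PHP notice) and would also skip the CSRF check for a legitimately logged-in user whose name is the string `0`; `if(!isset($_SERVER['REMOTE_USER']) || $_SERVER['REMOTE_USER'] === '') return true;` avoids both. The commit message's premise that an unauthenticated user has no privileges to steal only holds if the ACL never grants write access to anonymous users; where it does (a wiki that trusts its network and gives @ALL edit rights), a cross-site request from an external page still lets an attacker act with the victim's network position, so the assumption deserves a comment such as `// assumes anonymous users carry no privileges worth protecting; revisit if ACLs grant @ALL write access`. The loose, non-constant-time `!=` comparison on the following context line predates this commit but is worth noting while this function is being touched. checkSecurityToken's body continues past the end of the hunk.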