authorAndreas Gohr <andi@splitbrain.org>2007-08-30 21:14:29 +0200
committerAndreas Gohr <andi@splitbrain.org>2007-08-30 21:14:29 +0200
commit1b2a85e896db1404d2d5fa709f4c86d6c58fc3f4 (patch)
tree43dcbe7e9413748e6ca47e510666b3c76dc40992 /inc/actions.php
parent634d7150e59d03e4a4987164bfe9948fb8828c70 (diff)
downloadrpg-1b2a85e896db1404d2d5fa709f4c86d6c58fc3f4.tar.gz
rpg-1b2a85e896db1404d2d5fa709f4c86d6c58fc3f4.tar.bz2
Part 2 of the SecurityToken patch to avoid CSRF attacks
This patch adds a security token to all forms generated through the new form class. However it is only checked for possible dangerous actions like editing or profile changes. darcs-hash:20070830191429-7ad00-445efea47a09a4823dfe9e3434ba5b355a80daf6.gz
Diffstat (limited to 'inc/actions.php')
-rw-r--r--inc/actions.php18
1 files changed, 14 insertions, 4 deletions
diff --git a/inc/actions.php b/inc/actions.php
index d7c51282f..7330c8d95 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -39,8 +39,13 @@ function act_dispatch(){
}
//login stuff
- if(in_array($ACT,array('login','logout')))
- $ACT = act_auth($ACT);
+ if(in_array($ACT,array('login','logout'))){
+ if(checkSecurityToken()){
+ $ACT = act_auth($ACT);
+ }else{
+ $ACT = 'show';
+ }
+ }
//check if user is asking to (un)subscribe a page
if($ACT == 'subscribe' || $ACT == 'unsubscribe')
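Review bot: A failed token check in the login/logout branch collapses to `$ACT = 'show';` with no message and no log line, so a forged cross-site login/logout request and a legitimate form whose token went stale (presumably because the token is tied to the session, which is outside this hunk) both look like an ordinary page view to the user and leave no trace for the operator. Unless checkSecurityToken() reports the mismatch itself, the else branch should tell the user why nothing happened and record the event, and a comment should make the intent explicit, e.g. `// token mismatch: CSRF attempt or expired session - do not run the auth action, but say so`. It is also worth noting in that comment that the fallback deliberately avoids re-running the action rather than retrying it. act_dispatch() begins before this hunk.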
@@ -66,8 +71,13 @@ function act_dispatch(){
}
//save
- if($ACT == 'save')
- $ACT = act_save($ACT);
+ if($ACT == 'save'){
+ if(checkSecurityToken()){
+ $ACT = act_save($ACT);
+ }else{
+ $ACT = 'show';
+ }
+ }
//cancel conflicting edit
if($ACT == 'cancel')
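Review bot: Falling back to `$ACT = 'show';` when the token check fails on save throws away the text the user just submitted: a user whose session expired while editing (if, as seems likely, the token is session-bound) loses the edit silently, which turns the CSRF guard into a data-loss path. Returning the user to the edit form with the posted text still in place keeps the protection while preserving the work, so `$ACT = 'edit';` (or a preview) with a user-visible explanation is the safer fallback, provided the later edit branch - outside this hunk - picks the submitted text up from the request rather than re-reading the page. The same `checkSecurityToken() ? handler : 'show'` shape now appears twice in act_dispatch(), so a small helper would keep the two fallbacks from drifting apart. act_dispatch() continues past the end of this hunk.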