authorAndreas Gohr <andi@splitbrain.org>2009-05-27 13:22:43 +0200
committerAndreas Gohr <andi@splitbrain.org>2009-05-27 13:22:43 +0200
commitdf97eaac223e8e3c1cbd6f1474bc72a9ace9d51e (patch)
tree658ddff26a3b906b20d342e2729b5d8666ca0bf2 /inc/common.php
parenta3a8a0291c95b59fcf8b0f38a9ce348f222d0251 (diff)
Don't check for CSRF attacks when no user is logged in FS#1619
Ignore-this: 3ef4fafa34a7bbba76435b5db6935b57 There is no need to defend against a privilege-stealing attack when the targeted user has no privileges. Skipping the check re-enables editing without cookies. darcs-hash:20090527112243-7ad00-c1acd3161ececf3d922d5842033cb7d3f1910a16.gz
Diffstat (limited to 'inc/common.php')
-rw-r--r--inc/common.php2
1 files changed, 2 insertions, 0 deletions
diff --git a/inc/common.php b/inc/common.php
index c056e8f31..dfc563b7f 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -68,6 +68,8 @@ function getSecurityToken(){
* Check the secret CSRF token
*/
function checkSecurityToken($token=null){
+ if(!$_SERVER['REMOTE_USER']) return true; // no logged in user, no need for a check
+
if(is_null($token)) $token = $_REQUEST['sectok'];
if(getSecurityToken() != $token){
msg('Security Token did not match. Possible CSRF attack.',-1);
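Review bot: The new guard on the first added line reads `$_SERVER['REMOTE_USER']` directly, which raises an undefined-index notice on every anonymous request where the web server or auth layer never sets that key; `if(empty($_SERVER['REMOTE_USER'])) return true;` is the same test without the notice. The bypass is only sound as long as `REMOTE_USER` is the sole source of privilege for a request, so that assumption deserves to be stated next to the early return, e.g. `// anonymous requests carry no privileges worth forging; revisit if privilege can come from anything other than REMOTE_USER`. One residual effect worth noting in the comment: if anonymous edits are permitted and attributed by client IP, a forged request still lets an attacker pin an edit on the victim's address, which this commit accepts by design. The existing loose `!=` comparison of the token on the following line predates this change and is left as is here.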