-rw-r--r--inc/actions.php18
-rw-r--r--inc/auth.php1
-rw-r--r--inc/form.php4
3 files changed, 19 insertions, 4 deletions
diff --git a/inc/actions.php b/inc/actions.php
index d7c51282f..7330c8d95 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -39,8 +39,13 @@ function act_dispatch(){
}
//login stuff
- if(in_array($ACT,array('login','logout')))
- $ACT = act_auth($ACT);
+ if(in_array($ACT,array('login','logout'))){
+ if(checkSecurityToken()){
+ $ACT = act_auth($ACT);
+ }else{
+ $ACT = 'show';
+ }
+ }
//check if user is asking to (un)subscribe a page
if($ACT == 'subscribe' || $ACT == 'unsubscribe')
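Review bot: A failed token check silently rewrites `$ACT` to `'show'` for both `login` and `logout`, so a user whose token no longer matches gets the page rendered with no visible indication that the request was discarded, unless checkSecurityToken() itself reports the failure (not visible in this hunk). The identical check-and-fallback is repeated for the `save` branch in the next hunk of this file; both could be written as one line each, `$ACT = checkSecurityToken() ? act_auth($ACT) : 'show';` and `$ACT = checkSecurityToken() ? act_save($ACT) : 'show';`. Because `logout` is now token-gated, any plain `do=logout` link that does not carry the token will presumably be rejected, so the link builder for logout should be confirmed to append it. The new `in_array($ACT,array('login','logout'))` still omits the strict flag (`true`). act_dispatch continues outside the hunk.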
@@ -66,8 +71,13 @@ function act_dispatch(){
}
//save
- if($ACT == 'save')
- $ACT = act_save($ACT);
+ if($ACT == 'save'){
+ if(checkSecurityToken()){
+ $ACT = act_save($ACT);
+ }else{
+ $ACT = 'show';
+ }
+ }
//cancel conflicting edit
if($ACT == 'cancel')
diff --git a/inc/auth.php b/inc/auth.php
index 045ced066..3e5362a41 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -613,6 +613,7 @@ function updateprofile() {
global $auth;
if(empty($_POST['save'])) return false;
+ if(!checkSecurityToken()) return false;
// should not be able to get here without Profile being possible...
if(!$auth->canDo('Profile')) {
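Review bot: The added guard returns `false` exactly like the preceding "not submitted" check, so a caller of updateprofile() cannot distinguish an unsubmitted form from a request rejected for a bad token, and nothing in the hunk informs the user. If that silent rejection is intended, a short comment on the new line would make it explicit, e.g. `// CSRF guard: discard profile updates that do not carry a valid security token`; otherwise the failure should surface a message as the other validation paths presumably do. updateprofile() continues outside the hunk.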
diff --git a/inc/form.php b/inc/form.php
index b011729ea..4e210ab07 100644
--- a/inc/form.php
+++ b/inc/form.php
@@ -51,6 +51,8 @@ class Doku_Form {
/**
* Constructor
*
+ * Autoadds a security token
+ *
* @param string $id ID attribute of the form.
* @param string $action (optional) submit URL, defaults to DOKU_SCRIPT
* @param string $method (optional) 'POST' or 'GET', default is post
@@ -60,6 +62,8 @@ class Doku_Form {
$this->id = $id;
$this->action = ($action) ? $action : script();
if ($method) $this->method = $method;
+
+ $this->addHidden('sectok', getSecurityToken());
}
/**
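Review bot: The constructor now adds a `sectok` hidden field to every Doku_Form, including one constructed with `$method` set to `'GET'`, where the token ends up in the query string and can leak through Referer headers, browser history and server logs. If GET forms are built through this class, consider restricting the auto-add to POST forms, e.g. `if (strtoupper($this->method) === 'POST') $this->addHidden('sectok', getSecurityToken());` — the docblock says POST is the default, so the common case is unchanged. It would also help to note in the constructor's docblock that the rendered form is now session-specific, since that matters for any page output that is cached across users (inferred, not visible here).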