From 1b2a85e896db1404d2d5fa709f4c86d6c58fc3f4 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Thu, 30 Aug 2007 21:14:29 +0200
Subject: Part 2 of the SecurityToken patch to avaoid CSRF attacks

This patch adds a security token to all forms generated through the new form class. However it is only checked for possible dangerous actions like editing or profile changes.

darcs-hash:20070830191429-7ad00-445efea47a09a4823dfe9e3434ba5b355a80daf6.gz
---
 inc/auth.php | 1 +
 1 file changed, 1 insertion(+)

(limited to 'inc/auth.php')

diff --git a/inc/auth.php b/inc/auth.php
index 045ced066..3e5362a41 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -613,6 +613,7 @@ function updateprofile() {
     global $auth;
     if(empty($_POST['save'])) return false;
+    if(!checkSecurityToken()) return false;
     // should not be able to get here without Profile being possible...
     if(!$auth->canDo('Profile')) {
-- 
cgit v1.2.3
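Review bot: The added token check returns false exactly like the missing-`save` check just above it, so updateprofile()'s caller cannot tell a rejected CSRF token from a form that was never submitted, and nothing in the hunk shows the user being told why the profile was not saved. If checkSecurityToken() reports the failure itself (not visible here), a one-line comment on the new line should say so, e.g. `// checkSecurityToken() reports the failure itself; nothing to save on a rejected token`; otherwise the rejection should at least be logged so forged submissions are visible in server logs. Placing the check before the canDo('Profile') test is right, since no state is touched before it. The body of updateprofile() continues outside the hunk, so whether any write happens before this point in the unchanged lines above cannot be confirmed here.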