add csrf token check to avatar upload

src/messenger/webim/libs/common.php

@@ -702,11 +702,13 @@ function csrfchecktoken(){
 
       die("CSRF failure");
     }
-  } else if(($_GET['act'] == 'del' || $_GET['act'] == 'delete') && $_GET['csrf_token'] != $_SESSION['csrf_token']){
+  } else if(isset($_GET['act'])){
+    if(($_GET['act'] == 'del' || $_GET['act'] == 'delete') && $_GET['csrf_token'] != $_SESSION['csrf_token']){
       
       die("CSRF failure");
     }
   }
+}
 
 /* print csrf token as a hidden field*/
 function print_csrf_token_input(){

src/messenger/webim/operator/avatar.php

@@ -23,6 +23,8 @@ require_once('../libs/common.php');
 require_once('../libs/operator.php');
 require_once('../libs/operator_settings.php');
 
+csrfchecktoken();
+
 $operator = check_login();
 
 $opId = verifyparam("op", "/^\d{1,9}$/");

src/messenger/webim/view/avatar.php

@@ -36,6 +36,7 @@ require_once('inc_errors.php');
 ?>
 
 <form name="avatarForm" method="post" action="<?php echo $webimroot ?>/operator/avatar.php" enctype="multipart/form-data">
+<?php print_csrf_token_input() ?>
 <input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/>
 	<div>
 <?php print_tabbar(); ?>