Implement CSRF protection for deletion of an avatar

This commit is contained in:
Fedor A. Fetisov 2014-05-19 14:29:46 +04:00
parent 85a78c9cd1
commit 739adf3f89
2 changed files with 2 additions and 2 deletions


@ -88,7 +88,7 @@ if (!$op) {
}
} else {
if (isset($_GET['delete']) && $_GET['delete'] == "true" && $canmodify) {
if (isset($_GET['act']) && $_GET['act'] == 'del' && $canmodify) {
update_operator_avatar($op['operatorid'], '');
header("Location: $mibewroot/operator/avatar.php?op=" . intval($opId));
exit;
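Review bot: The new condition `if (isset($_GET['act']) && $_GET['act'] == 'del' && $canmodify)` still performs the avatar deletion on a plain GET, and no token verification is visible inside this hunk; the commit title implies one, so confirm that the token-checking counterpart of the csrf helper runs before this branch is reached (the enclosing `else` block begins outside the hunk, so it may well be there). Even with a token present, a state-changing action reachable by GET carries that token into Referer headers, proxy logs and browser history, so the more robust shape is a POST form with the token in a hidden field and a `$_SERVER['REQUEST_METHOD'] === 'POST'` guard around the delete. Independently of that, the comparison should be strict, since `==` against a string applies loose conversion rules: `if (isset($_GET['act']) && $_GET['act'] === 'del' && $canmodify) {`.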


@ -50,7 +50,7 @@ require_once('inc_errors.php');
<div class="fvalue">
<img src="<?php echo safe_htmlspecialchars($page['avatar']) ?>" alt="<?php echo safe_htmlspecialchars(getlocal("page_avatar.cannot_load_avatar")) ?>"/><br/>
<?php if($page['canmodify']) { ?>
<a class="formauth" href="<?php echo $mibewroot ?>/operator/avatar.php?op=<?php echo urlencode($page['opid']) ?>&amp;delete=true">
<a class="formauth" href="<?php echo $mibewroot ?>/operator/avatar.php?op=<?php echo urlencode($page['opid']) ?>&amp;act=del<?php print_csrf_token_in_url() ?>">
<?php echo getlocal("page_agent.clear_avatar") ?>
</a>
<?php } ?>
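Review bot: The rewritten `<a class="formauth" href="...&amp;act=del<?php print_csrf_token_in_url() ?>">` keeps the deletion as a GET link, so the CSRF token is embedded in the URL and will be exposed through Referer headers, server/proxy logs and browser history whenever this page is visited or links out; rendering the action as a `<form method="post">` with the token in a hidden input removes that exposure. Also confirm that `print_csrf_token_in_url()` emits its separator as `&amp;` and escapes its value for an attribute context, matching the hand-written `&amp;act=del` just before it — if it prints a raw `&` the attribute is malformed and the token value is unescaped in HTML. `$mibewroot` is echoed into the same `href` without escaping; that predates this commit but sits on the changed line, so it is worth addressing in the same pass with `safe_htmlspecialchars($mibewroot)` as used elsewhere in this template.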