From 739adf3f899f699907a58616014459e17c0af4b0 Mon Sep 17 00:00:00 2001
From: "Fedor A. Fetisov"
Date: Mon, 19 May 2014 14:29:46 +0400
Subject: [PATCH] Implement CSRF protection for deletion of an avatar
---
 src/mibew/operator/avatar.php | 2 +-
 src/mibew/view/avatar.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mibew/operator/avatar.php b/src/mibew/operator/avatar.php
index d9dd76d8..bab8c2ec 100644
--- a/src/mibew/operator/avatar.php
+++ b/src/mibew/operator/avatar.php
@@ -88,7 +88,7 @@ if (!$op) {
 }
 }
 else {
- if (isset($_GET['delete']) && $_GET['delete'] == "true" && $canmodify) {
+ if (isset($_GET['act']) && $_GET['act'] == 'del' && $canmodify) {
 update_operator_avatar($op['operatorid'], '');
 header("Location: $mibewroot/operator/avatar.php?op=" . intval($opId));
 exit;
diff --git a/src/mibew/view/avatar.php b/src/mibew/view/avatar.php
index 69876c58..c39a632d 100644
--- a/src/mibew/view/avatar.php
+++ b/src/mibew/view/avatar.php
@@ -50,7 +50,7 @@ require_once('inc_errors.php');
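Review bot: In src/mibew/operator/avatar.php the new condition `isset($_GET['act']) && $_GET['act'] == 'del' && $canmodify` verifies no token itself, so the CSRF protection named in the subject is not visible at the point where `update_operator_avatar()` clears the avatar. Presumably a shared check outside this hunk is triggered by `act=del` in the query string; if that is the mechanism, the coupling deserves a comment on this line, e.g. `// 'act=del' must keep this exact name and value: the shared CSRF token check keys on it`, so a later rename does not silently drop the protection. The deletion also still runs on a GET request, which leaves any token in URLs, server logs and Referer headers; handling it as a POST would be the sturdier design. The enclosing `else` branch starts and ends outside the hunk.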
<?php echo safe_htmlspecialchars(getlocal("/>
- +