From e4be5385ca850b852e701d65eeeb6c87e17ea2f2 Mon Sep 17 00:00:00 2001
From: YuFei Zhu <phil@mohc.net>
Date: Tue, 1 May 2012 12:58:05 +0100
Subject: [PATCH] add csrf token check to avatar upload

---
 src/messenger/webim/libs/common.php     | 6 ++++--
 src/messenger/webim/operator/avatar.php | 4 +++-
 src/messenger/webim/view/avatar.php     | 3 ++-
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/messenger/webim/libs/common.php b/src/messenger/webim/libs/common.php
index f6cc16e5..a1138da7 100644
--- a/src/messenger/webim/libs/common.php
+++ b/src/messenger/webim/libs/common.php
@@ -702,9 +702,11 @@ function csrfchecktoken(){
 
       die("CSRF failure");
     }
-  } else if(($_GET['act'] == 'del' || $_GET['act'] == 'delete') && $_GET['csrf_token'] != $_SESSION['csrf_token']){
+  } else if(isset($_GET['act'])){
+    if(($_GET['act'] == 'del' || $_GET['act'] == 'delete') && $_GET['csrf_token'] != $_SESSION['csrf_token']){
       
-    die("CSRF failure");
+      die("CSRF failure");
+    }
   }
 }
 
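Review bot: The inner condition on the new line still reads `$_GET['csrf_token']` without an `isset` guard and compares with loose `!=`, so the added `isset($_GET['act'])` wrapper removes only one of the two undefined-index cases; a request carrying `act=del` and no token still raises a notice, and loose string comparison treats numeric-looking tokens such as `'1e3'` and `'1000'` as equal. Guard both sides and compare strictly: `if(($_GET['act'] == 'del' || $_GET['act'] == 'delete') && (!isset($_GET['csrf_token']) || !isset($_SESSION['csrf_token']) || $_GET['csrf_token'] !== $_SESSION['csrf_token'])){`. Where the runtime provides it, `hash_equals($_SESSION['csrf_token'], $_GET['csrf_token'])` is the preferred comparison for tokens. csrfchecktoken() opens before this hunk and its POST branch, which appears to do its own comparison, lies outside it, so the same guard presumably belongs there too.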
diff --git a/src/messenger/webim/operator/avatar.php b/src/messenger/webim/operator/avatar.php
index 9bb0545f..2479adac 100644
--- a/src/messenger/webim/operator/avatar.php
+++ b/src/messenger/webim/operator/avatar.php
@@ -23,6 +23,8 @@ require_once('../libs/common.php');
 require_once('../libs/operator.php');
 require_once('../libs/operator_settings.php');
 
+csrfchecktoken();
+
 $operator = check_login();
 
 $opId = verifyparam("op", "/^\d{1,9}$/");
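Review bot: `csrfchecktoken()` is placed before `$operator = check_login();`, so the comparison against `$_SESSION['csrf_token']` runs before the login check establishes the operator context; if the session is not already started by common.php (outside this hunk), every POST and `act=del` request to this page dies with "CSRF failure" before any login redirect. If common.php does start the session the ordering works, but an unauthenticated POST will still surface as a CSRF failure rather than a redirect to login, which is worth a one-line comment such as `// CSRF check runs before login so a forged request never reaches the upload handler` so the next maintainer does not reorder it without thinking. The surrounding require_once block starts before the hunk.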
@@ -102,4 +104,4 @@ prepare_menu($operator);
 setup_operator_settings_tabs($opId, 1);
 start_html_output();
 require('../view/avatar.php');
-?>
\ No newline at end of file
+?>
diff --git a/src/messenger/webim/view/avatar.php b/src/messenger/webim/view/avatar.php
index cf584b92..3219f8ce 100644
--- a/src/messenger/webim/view/avatar.php
+++ b/src/messenger/webim/view/avatar.php
@@ -36,6 +36,7 @@ require_once('inc_errors.php');
 ?>
 
 <form name="avatarForm" method="post" action="<?php echo $webimroot ?>/operator/avatar.php" enctype="multipart/form-data">
+<?php print_csrf_token_input() ?>
 <input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/>
 	<div>
 <?php print_tabbar(); ?>
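Review bot: The hidden token input covers the multipart upload form, but the GET branch this commit adds to csrfchecktoken() in common.php also requires `csrf_token` on any `act=del`/`act=delete` request; if this view renders an avatar-delete link (not visible in the hunk), that link needs the token appended as a query parameter, e.g. `&csrf_token=<?php echo urlencode($_SESSION['csrf_token']) ?>`, or deletions now die with "CSRF failure". A short comment on the new line, `<!-- token must stay inside the form so it is posted with the upload -->`, would make the placement requirement explicit. The form element continues past the end of this hunk.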
@@ -97,4 +98,4 @@ require_once('inc_errors.php');
 } /* content */
 
 require_once('inc_main.php');
-?>
\ No newline at end of file
+?>