Mibew/tray
1
0
Fork 0
mirror of https://github.com/Mibew/tray.git synced 2025-10-03 00:03:34 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

add csrf token check to avatar upload

Browse Source
This commit is contained in:
YuFei Zhu 2012-05-01 12:58:05 +01:00 committed by Dmitriy Simushev
parent cb77595747
commit 7035c3feba
3 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/messenger/webim/libs/common.php
View File

@ -779,9 +779,11 @@ function csrfchecktoken(){
die("CSRF failure");
}
} else if(($_GET['act'] == 'del' || $_GET['act'] == 'delete') && $_GET['csrf_token'] != $_SESSION['csrf_token']){
} else if(isset($_GET['act'])){
if(($_GET['act'] == 'del' || $_GET['act'] == 'delete') && $_GET['csrf_token'] != $_SESSION['csrf_token']){
die("CSRF failure");
die("CSRF failure");
}
}
}

4
src/messenger/webim/operator/avatar.php
View File

@ -23,6 +23,8 @@ require_once('../libs/common.php');
require_once('../libs/operator.php');
require_once('../libs/operator_settings.php');
csrfchecktoken();
$operator = check_login();
$opId = verifyparam("op", "/^\d{1,9}$/");
@ -102,4 +104,4 @@ prepare_menu($operator);
setup_operator_settings_tabs($opId, 1);
start_html_output();
require('../view/avatar.php');
?>
?>

3
src/messenger/webim/view/avatar.php
View File

@ -36,6 +36,7 @@ require_once('inc_errors.php');
?>
<form name="avatarForm" method="post" action="<?php echo $webimroot ?>/operator/avatar.php" enctype="multipart/form-data">
<?php print_csrf_token_input() ?>
<input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/>
<div>
<?php print_tabbar(); ?>
@ -97,4 +98,4 @@ require_once('inc_errors.php');
} /* content */
require_once('inc_main.php');
?>
?>