public/subscribe: require valid CSRF token when validating the form

master
Andrew Dolgov 4 years ago
parent b4cb67e77f
commit da98ba662e

@ -728,6 +728,7 @@ class Handler_Public extends Handler {
if ($_SESSION["uid"]) {
$feed_url = trim(clean($_REQUEST["feed_url"]));
$csrf_token = clean($_REQUEST["csrf_token"]);
header('Content-Type: text/html; charset=utf-8');
?>
@ -774,10 +775,11 @@ class Handler_Public extends Handler {
<div class='content'>
<?php
if (!$feed_url) {
if (!$feed_url || $csrf_token != $_SESSION["csrf_token"]) {
?>
<form method="post">
<input type="hidden" name="op" value="subscribe">
<?php print_hidden("csrf_token", $_SESSION["csrf_token"]) ?>
<fieldset>
<label>Feed or site URL:</label>
<input style="width: 300px" dojoType="dijit.form.ValidationTextBox" required="1" name="feed_url">
@ -820,6 +822,7 @@ class Handler_Public extends Handler {
print "<form action='public.php'>";
print "<input type='hidden' name='op' value='subscribe'>";
print_hidden("csrf_token", $_SESSION["csrf_token"]);
print "<fieldset>";
print "<label style='display : inline'>" . __("Multiple feed URLs found:") . "</label>";

Loading…
Cancel
Save