authorMarc Alexander <admin@m-a-styles.de>2019-07-01 20:56:17 +0200
committerMarc Alexander <admin@m-a-styles.de>2019-08-24 22:23:38 +0200
commit6c8d0063368a1815a270d97dc0defdee0f6bf027 (patch)
treebb6437a0d73da406509de9f51752d775b4b60011
parent56477a8f7c1421ecc01f15258f0739ce8438db32 (diff)
[ticket/security/244] Add parse_attachment form token check to posting.php
SECURITY-244
-rw-r--r--phpBB/posting.php5
1 files changed, 4 insertions, 1 deletions
diff --git a/phpBB/posting.php b/phpBB/posting.php
index 5089448483..595d0f0c06 100644
--- a/phpBB/posting.php
+++ b/phpBB/posting.php
@@ -974,7 +974,10 @@ if ($submit || $preview || $refresh)
}
// Parse Attachments - before checksum is calculated
- $message_parser->parse_attachments('fileupload', $mode, $forum_id, $submit, $preview, $refresh);
+ if ($message_parser->check_attachment_form_token($language, $request, 'posting'))
+ {
+ $message_parser->parse_attachments('fileupload', $mode, $forum_id, $submit, $preview, $refresh);
+ }
/**
* This event allows you to modify message text before parsing
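Review bot: The skip path of the new guard is silent at this call site: when `check_attachment_form_token($language, $request, 'posting')` returns false, `parse_attachments()` is not run and execution carries on through the rest of the `if ($submit || $preview || $refresh)` block, which starts and ends outside this hunk. Whether the user is told the form token was invalid, and whether attachment data already submitted with the post is kept, is decided inside that method, which this diff does not show, so it is worth confirming that it records a warning rather than only returning false. The existing comment still explains only the ordering relative to the checksum; I would extend it to something like `// Parse Attachments - before checksum is calculated; attachment handling requires a valid 'posting' form token (SECURITY-244)` so the guard is not dropped in a later refactor. A regression test that submits an attachment change with a missing or stale token and asserts that nothing is parsed would pin the behaviour.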