author | Marc Alexander <admin@m-a-styles.de> | 2019-06-30 22:40:34 +0200 |
---|---|---|
committer | Marc Alexander <admin@m-a-styles.de> | 2019-08-24 22:23:38 +0200 |
commit | 56477a8f7c1421ecc01f15258f0739ce8438db32 (patch) | |
tree | 2361500844ecae27a61ce2b9e481fd79c6c059db /phpBB/includes/ucp/ucp_pm_compose.php | |
parent | 525c940385ef8efb57fb812a8317833d7790e30a (diff) | |
[ticket/security/244] Add form token check to plupload
SECURITY-244
Diffstat (limited to 'phpBB/includes/ucp/ucp_pm_compose.php')
-rw-r--r-- | phpBB/includes/ucp/ucp_pm_compose.php | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/phpBB/includes/ucp/ucp_pm_compose.php b/phpBB/includes/ucp/ucp_pm_compose.php
index cb45112b01..06baa279a5 100644
--- a/phpBB/includes/ucp/ucp_pm_compose.php
+++ b/phpBB/includes/ucp/ucp_pm_compose.php
@@ -26,7 +26,7 @@ if (!defined('IN_PHPBB'))
 function compose_pm($id, $mode, $action, $user_folders = array())
 {
 global $template, $db, $auth, $user, $cache;
- global $phpbb_root_path, $phpEx, $config;
+ global $phpbb_root_path, $phpEx, $config, $language;
 global $request, $phpbb_dispatcher, $phpbb_container;
 // Damn php and globals - i know, this is horrible
@@ -799,7 +799,10 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 extract($phpbb_dispatcher->trigger_event('core.ucp_pm_compose_modify_parse_before', compact($vars)));
 // Parse Attachments - before checksum is calculated
- $message_parser->parse_attachments('fileupload', $action, 0, $submit, $preview, $refresh, true);
+ if ($message_parser->check_attachment_form_token($language, $request, 'ucp_pm_compose'))
+ {
+ $message_parser->parse_attachments('fileupload', $action, 0, $submit, $preview, $refresh, true);
+ }
 if (count($message_parser->warn_msg) && !($remove_u || $remove_g || $add_to || $add_bcc))
 { |
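Review bot: The new guard around `parse_attachments()` in the second hunk has no else branch, so when `check_attachment_form_token()` returns false the attachment step is skipped and nothing visible at this call site reports why. Presumably the helper pushes its own entry onto `$message_parser->warn_msg`, which is worth confirming because the `count($message_parser->warn_msg)` check directly below is the only place a rejected request could surface here. The form name `'ucp_pm_compose'` also has to be the same string the compose form's token was issued under, and that call is outside both hunks. I would add a comment above the guard, e.g. `// CSRF: attachment handling (incl. plupload requests) requires a valid 'ucp_pm_compose' form token; check_attachment_form_token() reports the failure`, plus a test that sends an upload request without a valid token and asserts no attachment is processed. compose_pm starts and ends outside the visible lines.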