| author | Tristan Darricau <github@nicofuma.fr> | 2016-09-18 21:12:19 +0200 |
|---|---|---|
| committer | Tristan Darricau <github@nicofuma.fr> | 2016-09-18 21:12:19 +0200 |
| commit | bc08813866a4496b88777a5d152f601ac521fef1 (patch) | |
| tree | 47a1c4bd25564b2d3b037e3f2cc2adc11129b35b /phpBB/includes/acp/acp_reasons.php | |
| parent | 27e33f39f7553d2f24fdeae004810493f063265d (diff) | |
| parent | 72f6241aa2c6d129c8c49380d84fd915d589aa6c (diff) | |
Merge pull request #4452 from marc1706/ticket/14789
[ticket/14789] Further harden ACP link and form checks
* marc1706/ticket/14789:
[ticket/14789] Add form tokens to tests and uncomment add_form_key
[ticket/14789] Add link hashes and form tokens to all acp links/buttons
Diffstat (limited to 'phpBB/includes/acp/acp_reasons.php')
| -rw-r--r-- | phpBB/includes/acp/acp_reasons.php | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/phpBB/includes/acp/acp_reasons.php b/phpBB/includes/acp/acp_reasons.php
index 3d7ccf422c..bd40a88138 100644
--- a/phpBB/includes/acp/acp_reasons.php
+++ b/phpBB/includes/acp/acp_reasons.php
@@ -282,6 +282,11 @@ class acp_reasons
 case 'move_up':
 case 'move_down':
+ if (!check_link_hash($request->variable('hash', ''), 'acp_reasons'))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+ }
+
 $sql = 'SELECT reason_order FROM ' . REPORTS_REASONS_TABLE . " WHERE reason_id = $reason_id";
@@ -383,8 +388,8 @@ class acp_reasons
 'U_EDIT' => $this->u_action . '&action=edit&id=' . $row['reason_id'],
 'U_DELETE' => (!$other_reason) ? $this->u_action . '&action=delete&id=' . $row['reason_id'] : '',
- 'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row['reason_id'],
- 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row['reason_id'])
+ 'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row['reason_id'] . '&hash=' . generate_link_hash('acp_reasons'),
+ 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row['reason_id'] . '&hash=' . generate_link_hash('acp_reasons'))
 );
 }
 $db->sql_freeresult($result); |
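Review bot: In the second hunk `generate_link_hash('acp_reasons')` is evaluated twice for every row of the result loop, although the hash is the same for the whole page; compute it once before the loop, `$link_hash = generate_link_hash('acp_reasons');`, and append `'&hash=' . $link_hash` to both `U_MOVE_UP` and `U_MOVE_DOWN`. The loop header and the `assign_block_vars` call that this array belongs to start outside the hunk. In the first hunk the `check_link_hash` guard is placed before the `SELECT reason_order` query, so a `move_up`/`move_down` request without a valid session-bound hash reaches no read or write of `reason_order`, assuming the ACP error handler halts on `E_USER_WARNING` as `adm_back_link` usage elsewhere in phpBB implies. The `edit` and `delete` branches of the same `switch` are not visible here; if either changes state on a plain link rather than through a form token or `confirm_box`, it would need the same guard.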
