From 6320da67e4f031e5d47c74ecaea477c2e721f99a Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Mon, 11 Nov 2019 20:35:09 +0100
Subject: [ticket/security-249] Do not handle avatar submit on invalid token

SECURITY-249
---
 phpBB/includes/ucp/ucp_groups.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'phpBB/includes/ucp/ucp_groups.php')

diff --git a/phpBB/includes/ucp/ucp_groups.php b/phpBB/includes/ucp/ucp_groups.php
index 2423af86be..24b94126b0 100644
--- a/phpBB/includes/ucp/ucp_groups.php
+++ b/phpBB/includes/ucp/ucp_groups.php
@@ -534,7 +534,12 @@ class ucp_groups
 								'teampage'	=> $group_row['group_teampage'],
 							);
 
-							if ($config['allow_avatar'])
+							if (!check_form_key('ucp_groups'))
+							{
+								$error[] = $user->lang['FORM_INVALID'];
+							}
+
+							if (!count($error) && $config['allow_avatar'])
 							{
 								// Handle avatar
 								$driver_name = $phpbb_avatar_manager->clean_driver_name($request->variable('avatar_driver', ''));
@@ -556,11 +561,6 @@ class ucp_groups
 								$error = array_merge($error, $phpbb_avatar_manager->localize_errors($user, $avatar_error));
 							}
 
-							if (!check_form_key('ucp_groups'))
-							{
-								$error[] = $user->lang['FORM_INVALID'];
-							}
-
 							// Validate submitted colour value
 							if ($colour_error = validate_data($submit_ary, array('colour'	=> array('hex_colour', true))))
 							{
-- 
cgit v1.2.1


From 4f007321e19e18e9166c4df2e8cb0d98d17fc14c Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Tue, 24 Dec 2019 12:44:16 +0100
Subject: [ticket/security-250] Check form key when approving group membership

SECURITY-250
---
 phpBB/includes/ucp/ucp_groups.php | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'phpBB/includes/ucp/ucp_groups.php')

diff --git a/phpBB/includes/ucp/ucp_groups.php b/phpBB/includes/ucp/ucp_groups.php
index 24b94126b0..cf6e049748 100644
--- a/phpBB/includes/ucp/ucp_groups.php
+++ b/phpBB/includes/ucp/ucp_groups.php
@@ -875,6 +875,11 @@ class ucp_groups
 							trigger_error($user->lang['NO_GROUP'] . $return_page);
 						}
 
+						if (!check_form_key('ucp_groups'))
+						{
+							trigger_error($user->lang('FORM_INVALID') . $return_page);
+						}
+
 						if (!($row = group_memberships($group_id, $user->data['user_id'])))
 						{
 							trigger_error($user->lang['NOT_MEMBER_OF_GROUP'] . $return_page);
-- 
cgit v1.2.1