From 6ac12c0b26cd870e17dee0521eeaaf9487b85553 Mon Sep 17 00:00:00 2001
From: nashe
Date: Sat, 23 Dec 2017 21:08:44 +0100
Subject: Add CSRF token checks
---
admin/administration.php | 2 ++
admin/changepassword.php | 4 +++-
admin/index.php | 2 ++
admin/subscriptions.php | 4 ++++
4 files changed, 11 insertions(+), 1 deletion(-)
(limited to 'admin')
diff --git a/admin/administration.php b/admin/administration.php
index 34afe73..26f6710 100755
--- a/admin/administration.php
+++ b/admin/administration.php
@@ -24,6 +24,7 @@ $page_content = <<<"FRAGMENT"

{$l10n->getString('Clear cache')}

+

{$l10n->getString('Clearing the cache will make moonmoon reload all feeds.')}

@@ -32,6 +33,7 @@ $page_content = <<<"FRAGMENT"

{$l10n->getString('Change administrator password')}

+

diff --git a/admin/changepassword.php b/admin/changepassword.php
index 8c38769..3b4500e 100644
--- a/admin/changepassword.php
+++ b/admin/changepassword.php
@@ -1,7 +1,9 @@ verify($_POST['_csrf'], 'frmPassword') && isset($_POST['password']) && ('' != $_POST['password'])) { $out = ''; file_put_contents(__DIR__.'/inc/pwd.inc.php', $out); die("Password changed. Login");
diff --git a/admin/index.php b/admin/index.php
index a01b77b..0118923 100755
--- a/admin/index.php
+++ b/admin/index.php
@@ -79,6 +79,7 @@ ob_start();
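Review bot: `$_POST['_csrf']` is read directly in the new condition of changepassword.php, so a request that omits the field raises an undefined-index notice (a warning on PHP 8) before verify() is even called, and verify() then receives null; pass `$_POST['_csrf'] ?? ''` (or guard with isset()) so a missing token is rejected on the same path as a wrong one. The same direct read appears in the subscriptions.php hunk. The +/- markers and the text around `<?php` were lost in this copy, so the exact shape of the surrounding `if` is inferred rather than visible. Whether verify() tolerates a null first argument cannot be seen from this hunk.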

+
@@ -87,6 +88,7 @@ ob_start();

+

diff --git a/admin/subscriptions.php b/admin/subscriptions.php
index f8e4c2c..0606c89 100755
--- a/admin/subscriptions.php
+++ b/admin/subscriptions.php
@@ -7,6 +7,10 @@ function removeSlashes(&$item, $key){
 $item = stripslashes($item);
 }
+if (!$csrf->verify($_POST['_csrf'], 'feedmanage')) {
+ die('Invalid CSRF token!');
+}
+
 if (isset($_POST['opml']) || isset($_POST['add'])) {
 // Load config and old OPML
--
cgit v1.2.1
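Review bot: The new guard runs unconditionally at file scope, ahead of the `isset($_POST['opml']) || isset($_POST['add'])` branch, so if subscriptions.php also renders its form on a plain GET, that request fails the token check as well (with `$_POST['_csrf']` undefined); restricting it to `$_SERVER['REQUEST_METHOD'] === 'POST'` or moving it inside the POST-handling branch keeps the check where state actually changes. `die('Invalid CSRF token!')` also exits with the default 200 status; add `http_response_code(403);` before it so the rejection is distinguishable to clients and in access logs. `$csrf` is not defined anywhere in this hunk, so I assume it is created by an include above line 7 — worth confirming it is always initialised before this point.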