Changeset 6903


Timestamp:
09/13/10 22:17:41 (9 years ago)
Author:
nikrou
Message:

Fix bug 1856 : CSRF issue that allows changing the admin password
Merge from trunk

Location:
branches/2.1
Files:
3 edited

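--- a/branches/2.1/admin/profile.php
+++ b/branches/2.1/admin/profile.php
@@ -26,6 +26,10 @@
 $edit_user = build_user( $_GET['user_id'], false );
 
+if (!empty($_POST))
+{
+  check_pwg_token();
+}
+
 include_once(PHPWG_ROOT_PATH.'profile.php');
-
 
 $errors = array();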
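Review bot: The guard added at new lines 28–31 is enforced a second time as soon as profile.php is included on line 33, because that file now carries the identical `if (!empty($_POST)) { check_pwg_token(); }` block (see the third file in this changeset); the admin-side copy is redundant. If check_pwg_token() only validates and aborts on mismatch the duplicate is harmless, but keeping a single enforcement point in the included file, where the POST is actually processed, would make the protection easier to audit. Gating the check on a non-empty $_POST is adequate here only because the state change is POST-driven; `$_GET['user_id']` on line 26 merely selects which user record is loaded.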
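--- a/branches/2.1/admin/themes/default/template/profile_content.tpl
+++ b/branches/2.1/admin/themes/default/template/profile_content.tpl
@@ -104,4 +104,5 @@
 
   <p class="bottomButtons">
+    <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
     <input class="submit" type="submit" name="validate" value="{'Submit'|@translate}">
     <input class="submit" type="reset" name="reset" value="{'Reset'|@translate}">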
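Review bot: Only the admin theme's profile_content.tpl gains the hidden `pwg_token` field, yet the check added to profile.php in this changeset applies to every non-empty POST that file handles; if the public profile page renders its form from a different template, those submissions would now be rejected by check_pwg_token(). That cannot be confirmed from the three files shown, so it is worth verifying which template file the 'profile_content' handle resolves to on the non-admin path. The token value comes from get_pwg_token() rather than user input, so emitting it unescaped is acceptable only if that function returns a fixed-alphabet string; `{$PWG_TOKEN|escape}` would remove the dependency on that assumption at no cost.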
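--- a/branches/2.1/profile.php
+++ b/branches/2.1/profile.php
@@ -36,4 +36,9 @@
   // +-----------------------------------------------------------------------+
   check_status(ACCESS_CLASSIC);
+
+  if (!empty($_POST))
+  {
+    check_pwg_token();
+  }
 
   $userdata = $user;
@@ -290,4 +295,5 @@
   trigger_action( 'load_profile_in_template', $userdata );
 
+  $template->assign('PWG_TOKEN', get_pwg_token());
   $template->assign_var_from_handle('PROFILE_CONTENT', 'profile_content');
 }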
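Review bot: The guard at new lines 39–42 sits before `$userdata = $user;` on line 44, ahead of any form handling, which is the right position, but its value rests entirely on check_pwg_token() terminating the request on a mismatch; its definition is not part of this changeset, so confirm it ends in die()/access_denied rather than returning, otherwise the POST processing further down would still run. A short comment above the block, such as `// reject cross-site form posts: the token is emitted with the form at PWG_TOKEN`, would tie the two hunks together for the next reader. The PWG_TOKEN assignment at line 297 is inside a function whose opening is outside the hunk; since admin/profile.php includes this file, every path that renders the profile form must pass through that assignment or the form will be submitted without a token.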