Changeset 6897


Ignore:
Timestamp:
Sep 13, 2010, 9:40:42 PM (10 years ago)
Author:
nikrou
Message:

Fix bug 1856 : CSRF issue that allow to change admin password

Location:
trunk
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/admin/profile.php

    r6363 r6897  
    2626$edit_user = build_user( $_GET['user_id'], false );
    2727
     28if (!empty($_POST))
     29{
     30  check_pwg_token();
     31}
     32
    2833include_once(PHPWG_ROOT_PATH.'profile.php');
    29 
    3034
    3135$errors = array();
  • trunk/admin/themes/default/template/profile_content.tpl

    r6363 r6897  
    104104
    105105  <p class="bottomButtons">
     106    <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
    106107    <input class="submit" type="submit" name="validate" value="{'Submit'|@translate}">
    107108    <input class="submit" type="reset" name="reset" value="{'Reset'|@translate}">
  • trunk/profile.php

    r6363 r6897  
    3636  // +-----------------------------------------------------------------------+
    3737  check_status(ACCESS_CLASSIC);
     38
     39  if (!empty($_POST))
     40  {
     41    check_pwg_token();
     42  }
    3843
    3944  $userdata = $user;
     
    290295  trigger_action( 'load_profile_in_template', $userdata );
    291296
     297  $template->assign('PWG_TOKEN', get_pwg_token());
    292298  $template->assign_var_from_handle('PROFILE_CONTENT', 'profile_content');
    293299}
Note: See TracChangeset for help on using the changeset viewer.