[wip] csrf check: moving the check to the right place: before authentication

This commit is contained in:
Benjamin Sonntag 2016-05-23 08:33:32 +02:00
parent aaa3d68697
commit 23a438de99
1 changed files with 11 additions and 11 deletions


@ -178,6 +178,17 @@ if ((variable_get('force_https', '0', "This variable is set to 0 (default) if us
} }
} }
// CHECK CSRF for ALL POSTS :
// you MUST add csrf_get(); after ALL <form method="post"> in AlternC !
if (count($_POST)) {
if (csrf_check()<=0) {
$error=$err->errstr();
require_once("main.php");
exit();
}
}
/* Check the User identity (if required) */ /* Check the User identity (if required) */
if (!defined('NOCHECK')) { if (!defined('NOCHECK')) {
if (!$mem->checkid()) { if (!$mem->checkid()) {
@ -209,17 +220,6 @@ if ($oldid && $oldid != $cuid) {
$isinvited = true; $isinvited = true;
} }
// CHECK CSRF for ALL POSTS :
// you MUST add <?php csrf_get(); ?> after ALL <form method="post" in AlternC !
if (count($_POST)) {
if (csrf_check()<=0) {
$error=$err->errstr();
require_once("main.php");
exit();
}
}
// Init some vars // Init some vars
variable_get('hosting_tld', '', 'This is a FQDN that designates the main hostname of the service. For example, hosting_tld determines in what TLD the "free" user domain is created. If this is set to "example.com", a checkbox will appear in the user creation dialog requesting the creator if he wants to create the domain "username.example.com".', array('desc' => 'Wanted FQDN', 'type' => 'string')); variable_get('hosting_tld', '', 'This is a FQDN that designates the main hostname of the service. For example, hosting_tld determines in what TLD the "free" user domain is created. If this is set to "example.com", a checkbox will appear in the user creation dialog requesting the creator if he wants to create the domain "username.example.com".', array('desc' => 'Wanted FQDN', 'type' => 'string'));
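Review bot: The gate `if (count($_POST)) {` on the block added in the first hunk lets a POST with no form fields (or a body that is not form-encoded, so `$_POST` stays empty) skip the CSRF check entirely; gating on the method instead, `if ($_SERVER['REQUEST_METHOD'] === 'POST') {`, checks every POST regardless of its body shape. Because the check now runs before `$mem->checkid()`, the failure branch `require_once("main.php")` is also reached for unauthenticated requests, so it is worth confirming that main.php and csrf_check() itself do not rely on an authenticated session or user id, otherwise the failure path may error instead of just showing `$error`. The added comment dropped the `<?php … ?>` around `csrf_get();` that the removed version carried; restoring it keeps the instruction accurate for template authors. The second hunk's trailing context appears to continue past what is shown here.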