author | nikrou <nikrou@piwigo.org> | 2010-09-13 19:40:42 +0000 |
committer | nikrou <nikrou@piwigo.org> | 2010-09-13 19:40:42 +0000 |
commit | 54211267437a7f9f6b648f811b87b8b1f030e32c (patch) | |
tree | 66363b98e0f556f923f16c2f66225b1f25a99609 /admin | |
parent | 0dc214e93e8998f9d7d01041707cc9fe33221c32 (diff) |
Fix bug 1856 : CSRF issue that allows changing the admin password
git-svn-id: http://piwigo.org/svn/trunk@6897 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'admin')
-rw-r--r-- | admin/profile.php | 6 | ||||
-rw-r--r-- | admin/themes/default/template/profile_content.tpl | 1 |
2 files changed, 6 insertions, 1 deletions
diff --git a/admin/profile.php b/admin/profile.php
index f1d5e08e3..ebb372518 100644
--- a/admin/profile.php
+++ b/admin/profile.php
@@ -25,8 +25,12 @@ if( !defined("PHPWG_ROOT_PATH") ) die ("Hacking attempt!");
 $edit_user = build_user( $_GET['user_id'], false );
-include_once(PHPWG_ROOT_PATH.'profile.php');
+if (!empty($_POST))
+{
+ check_pwg_token();
+}
+include_once(PHPWG_ROOT_PATH.'profile.php');
 $errors = array();
 if ( !is_adviser() )
diff --git a/admin/themes/default/template/profile_content.tpl b/admin/themes/default/template/profile_content.tpl
index 57dba40d1..6b42863ad 100644
--- a/admin/themes/default/template/profile_content.tpl
+++ b/admin/themes/default/template/profile_content.tpl
@@ -103,6 +103,7 @@
 </fieldset>
 <p class="bottomButtons">
+ <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
 <input class="submit" type="submit" name="validate" value="{'Submit'|@translate}">
 <input class="submit" type="reset" name="reset" value="{'Reset'|@translate}">
 </p> |
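Review bot: The new `check_pwg_token()` guard in admin/profile.php runs before `include_once(PHPWG_ROOT_PATH.'profile.php')`, which is the right order, but nothing in the hunk says why a token check has to precede an include, so a why-comment is warranted: `// CSRF guard (bug 1856): a form submission must carry a valid pwg_token before the shared profile.php is allowed to act on $_POST`. The protection also rests on `check_pwg_token()` terminating the request on a missing or mismatched token rather than returning; that function is outside this hunk, so confirm it does, otherwise the include still runs. Keying the guard on `!empty($_POST)` rather than the request method is adequate only while the shared profile.php acts solely on `$_POST` fields; if that file is also reachable outside admin, that entry point gets no token check from this change. The context line passing `$_GET['user_id']` straight into `build_user()` predates this commit but is still worth a validation step.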
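Review bot: The hidden field's `value="{$PWG_TOKEN}"` in profile_content.tpl is only useful if the admin profile page assigns `PWG_TOKEN` to this template; nothing in this commit does so, so confirm it is assigned globally, otherwise every submission would now carry an empty token and be rejected by the new `check_pwg_token()` call in admin/profile.php. The value is emitted with no escape modifier, which relies on the token being a server-generated value free of HTML-significant characters; that assumption deserves a template comment such as `{* CSRF token checked by check_pwg_token() in admin/profile.php; server-generated, no escaping needed *}`. The enclosing `<form>` opens outside this hunk, and the field must stay inside it to be submitted.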