From 54211267437a7f9f6b648f811b87b8b1f030e32c Mon Sep 17 00:00:00 2001 From: nikrou Date: Mon, 13 Sep 2010 19:40:42 +0000 Subject: Fix bug 1856 : CSRF issue that allow to change admin password git-svn-id: http://piwigo.org/svn/trunk@6897 68402e56-0260-453c-a942-63ccdbb3a9ee --- profile.php | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'profile.php') diff --git a/profile.php b/profile.php index fbbe46df1..547fc8ba1 100644 --- a/profile.php +++ b/profile.php @@ -36,6 +36,11 @@ if (!defined('PHPWG_ROOT_PATH')) // +-----------------------------------------------------------------------+ check_status(ACCESS_CLASSIC); + if (!empty($_POST)) + { + check_pwg_token(); + } + $userdata = $user; trigger_action('loc_begin_profile'); @@ -289,6 +294,7 @@ function load_profile_in_template($url_action, $url_redirect, $userdata) // allow plugins to add their own form data to content trigger_action( 'load_profile_in_template', $userdata ); + $template->assign('PWG_TOKEN', get_pwg_token()); $template->assign_var_from_handle('PROFILE_CONTENT', 'profile_content'); } ?> -- cgit v1.2.3