From 54211267437a7f9f6b648f811b87b8b1f030e32c Mon Sep 17 00:00:00 2001
From: nikrou <nikrou@piwigo.org>
Date: Mon, 13 Sep 2010 19:40:42 +0000
Subject: Fix bug 1856 : CSRF issue that allow to change admin password

git-svn-id: http://piwigo.org/svn/trunk@6897 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 profile.php | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'profile.php')

diff --git a/profile.php b/profile.php
index fbbe46df1..547fc8ba1 100644
--- a/profile.php
+++ b/profile.php
@@ -36,6 +36,11 @@ if (!defined('PHPWG_ROOT_PATH'))
   // +-----------------------------------------------------------------------+
   check_status(ACCESS_CLASSIC);
 
+  if (!empty($_POST))
+  {
+    check_pwg_token();
+  }
+
   $userdata = $user;
 
   trigger_action('loc_begin_profile');
@@ -289,6 +294,7 @@ function load_profile_in_template($url_action, $url_redirect, $userdata)
   // allow plugins to add their own form data to content
   trigger_action( 'load_profile_in_template', $userdata );
 
+  $template->assign('PWG_TOKEN', get_pwg_token());
   $template->assign_var_from_handle('PROFILE_CONTENT', 'profile_content');
 }
 ?>
-- 
cgit v1.2.3