authorHarald Eilertsen <haraldei@anduin.net>2024-11-02 14:42:00 +0000
committerMario <mario@mariovavti.com>2024-11-02 14:42:00 +0000
commit38c947590e81fbb00e315e1902eba8dd6dbdd0ec (patch)
treeb92d257beb82024c03f21f783c37169db9ec64c9 /Zotlabs
parent541a0f6476ebf178ac141d09a30f6fca824eebcb (diff)
Fix missing CSRF checks in admin/account_edit
Diffstat (limited to 'Zotlabs')
-rw-r--r--Zotlabs/Module/Admin/Account_edit.php11
1 files changed, 8 insertions, 3 deletions
diff --git a/Zotlabs/Module/Admin/Account_edit.php b/Zotlabs/Module/Admin/Account_edit.php
index 0300fb10c..35a15133f 100644
--- a/Zotlabs/Module/Admin/Account_edit.php
+++ b/Zotlabs/Module/Admin/Account_edit.php
@@ -8,6 +8,11 @@ class Account_edit {
function post() {
+ // Validate CSRF token
+ //
+ // We terminate with a 403 Forbidden status if the check fails.
+ check_form_security_token_ForbiddenOnErr('admin_account_edit', 'security');
+
$account_id = $_REQUEST['aid'];
if(! $account_id)
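Review bot: The new token check is correctly placed before any request data is consumed, but the line that follows it still reads the target account from `$_REQUEST['aid']`, so the account id (and, if the token helper reads the same superglobal, the token itself) can arrive via the query string or a cookie rather than the POST body; a CSRF token carried in a URL is exposed through Referer headers and access logs. Since this is a POST-only handler, I would read from `$_POST` and coerce the id in the same statement: `$account_id = intval($_POST['aid'] ?? 0);`, which also avoids the undefined-index notice when `aid` is absent. Whether `check_form_security_token_ForbiddenOnErr` itself restricts the token to `$_POST` is not visible here and should be confirmed in its definition. The body of `post()` continues past the end of this hunk, so the later uses of `$account_id` were not reviewed.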
@@ -18,7 +23,7 @@ class Account_edit {
if($pass1 && $pass2 && ($pass1 === $pass2)) {
$salt = random_string(32);
$password_encoded = hash('whirlpool', $salt . $pass1);
- $r = q("update account set account_salt = '%s', account_password = '%s',
+ $r = q("update account set account_salt = '%s', account_password = '%s',
account_password_changed = '%s' where account_id = %d",
dbesc($salt),
dbesc($password_encoded),
@@ -34,7 +39,7 @@ class Account_edit {
$account_level = 5;
$account_language = trim($_REQUEST['account_language']);
- $r = q("update account set account_service_class = '%s', account_level = %d, account_language = '%s'
+ $r = q("update account set account_service_class = '%s', account_level = %d, account_language = '%s'
where account_id = %d",
dbesc($service_class),
intval($account_level),
@@ -62,8 +67,8 @@ class Account_edit {
return '';
}
-
$a = replace_macros(get_markup_template('admin_account_edit.tpl'), [
+ '$security' => get_form_security_token('admin_account_edit'),
'$account' => $x[0],
'$title' => t('Account Edit'),
'$pass1' => [ 'pass1', t('New Password'), ' ','' ],