From 81736a01299f7c963e361e9b192df074999d16d8 Mon Sep 17 00:00:00 2001 From: Klaus Weidenbach Date: Wed, 29 Mar 2017 23:53:03 +0200 Subject: :lock: Add CSRF protection for import and import_items. --- Zotlabs/Module/Import.php | 3 +++ Zotlabs/Module/Import_items.php | 3 +++ 2 files changed, 6 insertions(+) (limited to 'Zotlabs/Module') diff --git a/Zotlabs/Module/Import.php b/Zotlabs/Module/Import.php index b98c9be9b..54bc7de81 100644 --- a/Zotlabs/Module/Import.php +++ b/Zotlabs/Module/Import.php @@ -478,6 +478,8 @@ class Import extends \Zotlabs\Web\Controller { if(! $account_id) return; + check_form_security_token_redirectOnErr('/import', 'channel_import'); + $this->import_account($account_id); } @@ -508,6 +510,7 @@ class Import extends \Zotlabs\Web\Controller { '$pleasewait' => t('This process may take several minutes to complete. Please submit the form only once and leave this page open until finished.'), '$email' => '', '$pass' => '', + '$form_security_token' => get_form_security_token('channel_import'), '$submit' => t('Submit') )); diff --git a/Zotlabs/Module/Import_items.php b/Zotlabs/Module/Import_items.php index 133e37d9e..c2b2506fe 100644 --- a/Zotlabs/Module/Import_items.php +++ b/Zotlabs/Module/Import_items.php @@ -15,6 +15,8 @@ class Import_items extends \Zotlabs\Web\Controller { if(! local_channel()) return; + check_form_security_token_redirectOnErr('/import_items', 'import_items'); + $data = null; $src = $_FILES['filename']['tmp_name']; @@ -123,6 +125,7 @@ class Import_items extends \Zotlabs\Web\Controller { '$title' => t('Import Items'), '$desc' => t('Use this form to import existing posts and content from an export file.'), '$label_filename' => t('File to Upload'), + '$form_security_token' => get_form_security_token('import_items'), '$submit' => t('Submit') )); -- cgit v1.2.3