summaryrefslogtreecommitdiffstats
path: root/includes
diff options
context:
space:
mode:
authorHarald Eilertsen <haraldei@anduin.net>2021-09-05 21:18:23 +0200
committerHarald Eilertsen <haraldei@anduin.net>2021-09-05 21:18:23 +0200
commitf663d5f74e4dbc71ee4b1db76b7b7d026bd95539 (patch)
tree2027f0f5a6782b01979fe236800bd00e1dc5a11b /includes
parentd64056a7d5a5fcbd3503686fd515d57bb6f40568 (diff)
downloadgigologadmin-f663d5f74e4dbc71ee4b1db76b7b7d026bd95539.tar.gz
gigologadmin-f663d5f74e4dbc71ee4b1db76b7b7d026bd95539.tar.bz2
gigologadmin-f663d5f74e4dbc71ee4b1db76b7b7d026bd95539.zip
security: Add proper CSRF checking for the import_gigs form.
Diffstat (limited to 'includes')
-rw-r--r--includes/admin/views/giglog_import_gigs.php10
1 files changed, 7 insertions, 3 deletions
diff --git a/includes/admin/views/giglog_import_gigs.php b/includes/admin/views/giglog_import_gigs.php
index 4bd59da..193cd9e 100644
--- a/includes/admin/views/giglog_import_gigs.php
+++ b/includes/admin/views/giglog_import_gigs.php
@@ -27,9 +27,13 @@ if ( !class_exists( 'GiglogAdmin_ImportGigsPage' ) ) {
static function submit_form(): void {
if ('POST' === $_SERVER['REQUEST_METHOD'] && current_user_can('upload_files') && !empty($_FILES['giglog_import_file']['tmp_name'])) {
- $nonce = $_POST['giglog_import_nonce'];
- $valid_nonce = isset($nonce) && wp_verify_nonce($nonce);
- GiglogAdmin_ImportGigsPage::process_upload($_FILES['giglog_import_file']);
+ if (isset($_POST['giglog_import_nonce']) && wp_verify_nonce($_POST['giglog_import_nonce'], plugin_basename( __FILE__ )) ) {
+ GiglogAdmin_ImportGigsPage::process_upload($_FILES['giglog_import_file']);
+ }
+ else {
+ header('HTTP/1.1 400 Bad Request');
+ wp_die('Bad request', 400);
+ }
}
}