From 9340fddbac59a2aab12dd0fa0e122b4d7c3bf0c8 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen
Date: Fri, 17 Sep 2021 08:55:49 +0200
Subject: Add CSRF checks for edit concert form.

---
 includes/admin/views/_edit_concert_form.php | 1 +
 includes/admin/views/giglog_admin_page.php | 9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/includes/admin/views/_edit_concert_form.php b/includes/admin/views/_edit_concert_form.php
index 32ca762..61f2bf4 100644
--- a/includes/admin/views/_edit_concert_form.php
+++ b/includes/admin/views/_edit_concert_form.php
@@ -48,6 +48,7 @@ if (!class_exists("GiglogAdmin_EditConcertForm"))
 $content='

Form to create/edit concerts and venues


'; $content.='
' .'
CONCERT DETAILS

' + . wp_nonce_field( plugin_basename( __FILE__ ), 'giglog_edit_concert_nonce' ) .'' .'
' .'' . $this->get_venue_selector($c->venue()) . '
'
diff --git a/includes/admin/views/giglog_admin_page.php b/includes/admin/views/giglog_admin_page.php
index 86c414e..fa853fb 100644
--- a/includes/admin/views/giglog_admin_page.php
+++ b/includes/admin/views/giglog_admin_page.php
@@ -121,8 +121,15 @@ if ( !class_exists( 'GiglogAdmin_AdminPage' ) ) {
 }
 }
- if(isset($_POST['editconcert']))
+ if (isset($_POST['editconcert'])) {
+ if (!isset($_POST['giglog_edit_concert_nonce'])
+ || wp_verify_nonce($_POST['giglog_edit_concert_nonce'], plugin_basename( __FILE__ )))
+ {
+ header("{$_SERVER['SERVER_PROTOCOL']} 403 Forbidden");
+ wp_die('CSRF validation failed.', 403);
+ }
+
 $roles = array_reduce(
 ['photo1', 'photo1', 'rev1', 'rev2'],
 function($roles, $r) {
--
cgit v1.2.3
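Review bot: `wp_nonce_field()` echoes its markup by default (its fourth parameter `$echo`), so the added `. wp_nonce_field( plugin_basename( __FILE__ ), 'giglog_edit_concert_nonce' ) .` prints the hidden nonce and referer inputs straight to the response at the moment this method runs and then appends the same markup to `$content`, leaving a second copy outside the form. Pass the flag explicitly so only the in-string copy is emitted: `. wp_nonce_field( plugin_basename( __FILE__ ), 'giglog_edit_concert_nonce', true, false ) .`. The action string `plugin_basename( __FILE__ )` is evaluated here, in `_edit_concert_form.php`, while the giglog_admin_page.php hunk verifies against `plugin_basename( __FILE__ )` evaluated in that file, so the two action strings differ and `wp_verify_nonce()` can never succeed; both sides need one shared action value, for example a class constant referenced from both files. The `$content` string starts at the top of this hunk and the enclosing method continues past its end.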
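Review bot: The nonce guard on the added inner `if` is inverted: `wp_verify_nonce()` returns `1` or `2` when the nonce is valid and `false` otherwise, so a legitimate submission takes the 403 branch while a request whose `giglog_edit_concert_nonce` is present but wrong falls through to the `$roles` handling below. The second operand needs negating: `|| !wp_verify_nonce($_POST['giglog_edit_concert_nonce'], plugin_basename( __FILE__ )))`. The `header("{$_SERVER['SERVER_PROTOCOL']} 403 Forbidden");` line is redundant, because passing `403` as the second argument already makes `wp_die()` send that status, and WordPress expects the posted value to pass through `wp_unslash()` before verification. The new `if (isset($_POST['editconcert'])) {` opens a block whose closing brace is not in this hunk, and the enclosing method starts and ends outside it, so brace balance cannot be confirmed from the diff alone.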