From f663d5f74e4dbc71ee4b1db76b7b7d026bd95539 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen <haraldei@anduin.net>
Date: Sun, 5 Sep 2021 21:18:23 +0200
Subject: security: Add proper CSRF checking for the import_gigs form.

---
 includes/admin/views/giglog_import_gigs.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/includes/admin/views/giglog_import_gigs.php b/includes/admin/views/giglog_import_gigs.php
index 4bd59da..193cd9e 100644
--- a/includes/admin/views/giglog_import_gigs.php
+++ b/includes/admin/views/giglog_import_gigs.php
@@ -27,9 +27,13 @@ if ( !class_exists( 'GiglogAdmin_ImportGigsPage' ) ) {
 
         static function submit_form(): void {
             if ('POST' === $_SERVER['REQUEST_METHOD'] && current_user_can('upload_files') && !empty($_FILES['giglog_import_file']['tmp_name'])) {
-                $nonce = $_POST['giglog_import_nonce'];
-                $valid_nonce = isset($nonce) && wp_verify_nonce($nonce);
-                GiglogAdmin_ImportGigsPage::process_upload($_FILES['giglog_import_file']);
+                if (isset($_POST['giglog_import_nonce']) && wp_verify_nonce($_POST['giglog_import_nonce'], plugin_basename( __FILE__ )) ) {
+                    GiglogAdmin_ImportGigsPage::process_upload($_FILES['giglog_import_file']);
+                }
+                else {
+                    header('HTTP/1.1 400 Bad Request');
+                    wp_die('Bad request', 400);
+                }
             }
         }
 
-- 
cgit v1.2.3