diff options
author | mensonge <mensonge@b3834d28-1941-0410-a4f8-b48e95affb8f> | 2008-11-27 10:31:03 +0000 |
---|---|---|
committer | mensonge <mensonge@b3834d28-1941-0410-a4f8-b48e95affb8f> | 2008-11-27 10:31:03 +0000 |
commit | 96dfa82af5d9fd27b87eeef0ba877b022845e240 (patch) | |
tree | ed3907dd370a8bdb818f14bf42958f2322768964 /admin.php | |
parent | ed4760018fe8a60ab89e4bab58fde04faa4ccd0e (diff) | |
download | semanticscuttle-96dfa82af5d9fd27b87eeef0ba877b022845e240.tar.gz semanticscuttle-96dfa82af5d9fd27b87eeef0ba877b022845e240.tar.bz2 |
Bug fix: correct CSRF protection
git-svn-id: https://semanticscuttle.svn.sourceforge.net/svnroot/semanticscuttle/trunk@178 b3834d28-1941-0410-a4f8-b48e95affb8f
Diffstat (limited to 'admin.php')
-rw-r--r-- | admin.php | 5 |
1 files changed, 2 insertions, 3 deletions
@@ -44,11 +44,10 @@ if ( !$currentUser->isAdmin() ) { exit();
}
-@list($url, $action, $user) = isset($_SERVER['PATH_INFO']) ? explode('/', $_SERVER['PATH_INFO']) : NULL;
- +@list($url, $action, $user) = isset($_SERVER['PATH_INFO']) ? explode('/', $_SERVER['PATH_INFO']) : NULL; if ( $action -&& strpos($_SERVER['HTTP_REFERER'], ROOT.'/admin.php') == 0 // Prevent CSRF attacks +&& strpos($_SERVER['HTTP_REFERER'], ROOT.'admin.php') === 0 // Prevent CSRF attacks ) {
switch ( $action ) {
case 'delete':
|