From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Thu, 06 Aug 2015 03:18:44 -0400
Subject: [PATCH] - don't set password via remoting if field is empty

---
 interface/web/admin/language_add.php |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/interface/web/admin/language_add.php b/interface/web/admin/language_add.php
index 8c488c3..f58a2db 100644
--- a/interface/web/admin/language_add.php
+++ b/interface/web/admin/language_add.php
@@ -65,6 +65,10 @@
 $app->tpl->setVar('error', $error);
 
 if(isset($_POST['lng_new']) && strlen($_POST['lng_new']) == 2 && $error == '') {
+	
+	//* CSRF Check
+	$app->auth->csrf_token_check();
+	
 	$lng_new = $_POST['lng_new'];
 	if(!preg_match("/^[a-z]{2}$/i", $lng_new)) die('unallowed characters in language name.');
 
@@ -94,6 +98,11 @@
 
 $app->tpl->setVar('msg', $msg);
 
+//* SET csrf token
+$csrf_token = $app->auth->csrf_token_get('language_add');
+$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
+$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
+
 //* load language file
 $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_add.lng';
 include $lng_file;

--
Gitblit v1.9.1