From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001 From: Marius Cramer <m.cramer@pixcept.de> Date: Thu, 06 Aug 2015 03:18:44 -0400 Subject: [PATCH] - don't set password via remoting if field is empty --- interface/web/admin/language_add.php | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/interface/web/admin/language_add.php b/interface/web/admin/language_add.php index 8c488c3..f58a2db 100644 --- a/interface/web/admin/language_add.php +++ b/interface/web/admin/language_add.php @@ -65,6 +65,10 @@ $app->tpl->setVar('error', $error); if(isset($_POST['lng_new']) && strlen($_POST['lng_new']) == 2 && $error == '') { + + //* CSRF Check + $app->auth->csrf_token_check(); + $lng_new = $_POST['lng_new']; if(!preg_match("/^[a-z]{2}$/i", $lng_new)) die('unallowed characters in language name.'); @@ -94,6 +98,11 @@ $app->tpl->setVar('msg', $msg); +//* SET csrf token +$csrf_token = $app->auth->csrf_token_get('language_add'); +$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); +$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); + //* load language file $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_add.lng'; include $lng_file; -- Gitblit v1.9.1