CSRF for file configuration URL

LiveHelperChat · Jan 14, 2022 · 6ad1349 · 6ad1349
1 parent f59ffb0
commit 6ad1349
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/lhc_web/design/defaulttheme/tpl/lhfile/configuration.tpl.php b/lhc_web/design/defaulttheme/tpl/lhfile/configuration.tpl.php
@@ -10,6 +10,8 @@
 
 <form action="" ng-non-bindable method="post">
 
+    <?php include(erLhcoreClassDesign::designtpl('lhkernel/csfr_token.tpl.php'));?>
+
     <div class="row">
         <div class="col-6">
             <div class="form-group">

diff --git a/lhc_web/modules/lhfile/configuration.php b/lhc_web/modules/lhfile/configuration.php
@@ -7,6 +7,12 @@
 
 
 if (isset($_POST['StoreFileConfiguration'])) {
+
+    if (!isset($_POST['csfr_token']) || !$currentUser->validateCSFRToken($_POST['csfr_token'])) {
+        erLhcoreClassModule::redirect('file/configuration');
+        exit;
+    }
+
     $definition = array(
         'AllowedFileTypes' => new ezcInputFormDefinitionElement(
             ezcInputFormDefinitionElement::OPTIONAL, 'string'