Fix CSRF not being checked in collection-edit.php

2026-06-17 06:20:45 +00:00 · 2019-12-06 09:30:16 +01:00 · 2019-12-06 09:30:16 +01:00 · c8a0ca4531
commit c8a0ca4531
parent a3acb770ac
1 changed files with 6 additions and 0 deletions
--- a/inc/ui/collection-edit.php
+++ b/inc/ui/collection-edit.php
@ -66,6 +66,12 @@ if ( isset($privsql) ) {
  $can_write_collection = ($session->AllowedTo('Admin') || (bindec($permissions->priv) & privilege_to_bits('DAV::bind')) );
 }

+// Verify CSRF token
+if($_SERVER['REQUEST_METHOD'] === "POST" && !verifyCsrfPost()) {
+    $c->messages[] = i18n("A valid CSRF token must be provided");
+    $can_write_collection = false;
+}
+
 dbg_error_log('collection-edit', "Can write collection: %s", ($can_write_collection? 'yes' : 'no') );

 $pwstars = '@@@@@@@@@@';