From c8a0ca4531da2acaeaa702c6a71ec713e4678123 Mon Sep 17 00:00:00 2001
From: nielsvangijzen
Date: Fri, 6 Dec 2019 09:30:16 +0100
Subject: [PATCH] Fix CSRF not being checked in collection-edit.php

---
 inc/ui/collection-edit.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/inc/ui/collection-edit.php b/inc/ui/collection-edit.php
index 2aebf52c..81bffb0b 100644
--- a/inc/ui/collection-edit.php
+++ b/inc/ui/collection-edit.php
@@ -66,6 +66,12 @@ if ( isset($privsql) ) {
 $can_write_collection = ($session->AllowedTo('Admin') || (bindec($permissions->priv) & privilege_to_bits('DAV::bind')) );
 }
+// Verify CSRF token
+if($_SERVER['REQUEST_METHOD'] === "POST" && !verifyCsrfPost()) {
+    $c->messages[] = i18n("A valid CSRF token must be provided");
+    $can_write_collection = false;
+}
+
 dbg_error_log('collection-edit', "Can write collection: %s", ($can_write_collection? 'yes' : 'no') );
 $pwstars = '@@@@@@@@@@';
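Review bot: A failed CSRF check in the new block only clears `$can_write_collection` and lets the request continue, so the protection depends on every later write path in this page consulting that flag — those paths lie outside the hunk and I cannot confirm they all do. A fail-closed form would stop acting on the request body at this point, for example `$_POST = array();` right after the message is queued (or an early return/redirect, whichever the page's flow allows), so a forged POST cannot reach a write that gates on something other than `$can_write_collection`. The guard is also keyed on `$_SERVER['REQUEST_METHOD'] === "POST"` alone; if the page honours state-changing parameters arriving via GET, those remain unchecked and would need the same treatment. Whether `verifyCsrfPost()` compares tokens in constant time (`hash_equals`) is not visible here and is worth confirming. The surrounding `if ( isset($privsql) )` block starts before the hunk and the page continues past it.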