github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-14 02:28:05 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add the validation of the CSRF token. It is missing in some cases when it is sent by GET or POST.

Browse source
This commit is contained in:
Sergio 2019-04-21 00:11:36 +02:00
commit 7603cdea7a
9 changed files with 49 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
web/update/vesta/index.php
View file

@ -5,6 +5,12 @@ ob_start();
session_start();
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check token
if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
header('location: /login/');
exit();
}
if ($_SESSION['user'] == 'admin') {
if (!empty($_GET['pkg'])) {
$v_pkg = escapeshellarg($_GET['pkg']);