makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-28 22:28:51 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #59 from phpbb/ticket/security-249

Browse source 
[ticket/security-249] Do not handle avatar submit on invalid token
This commit is contained in:
Marc Alexander 2020-01-03 17:18:54 +01:00
commit 03757a0663
No known key found for this signature in database
GPG key ID: 50E0D2423696F995
1 changed files with 6 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
phpBB/includes/ucp/ucp_groups.php
View file

@ -534,7 +534,12 @@ class ucp_groups
'teampage' => $group_row['group_teampage'], 'teampage' => $group_row['group_teampage'],
); );
if ($config['allow_avatar']) if (!check_form_key('ucp_groups'))
{
$error[] = $user->lang['FORM_INVALID'];
}
if (!count($error) && $config['allow_avatar'])
{ {
// Handle avatar // Handle avatar
$driver_name = $phpbb_avatar_manager->clean_driver_name($request->variable('avatar_driver', '')); $driver_name = $phpbb_avatar_manager->clean_driver_name($request->variable('avatar_driver', ''));
@ -556,11 +561,6 @@ class ucp_groups
$error = array_merge($error, $phpbb_avatar_manager->localize_errors($user, $avatar_error)); $error = array_merge($error, $phpbb_avatar_manager->localize_errors($user, $avatar_error));
} }
if (!check_form_key('ucp_groups'))
{
$error[] = $user->lang['FORM_INVALID'];
}
// Validate submitted colour value // Validate submitted colour value
if ($colour_error = validate_data($submit_ary, array('colour' => array('hex_colour', true)))) if ($colour_error = validate_data($submit_ary, array('colour' => array('hex_colour', true))))
{ {