From 6c8d0063368a1815a270d97dc0defdee0f6bf027 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Mon, 1 Jul 2019 20:56:17 +0200
Subject: [PATCH] [ticket/security/244] Add parse_attachment form token check to posting.php

SECURITY-244
---
 phpBB/posting.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/phpBB/posting.php b/phpBB/posting.php
index 5089448483..595d0f0c06 100644
--- a/phpBB/posting.php
+++ b/phpBB/posting.php
@@ -974,7 +974,10 @@ if ($submit || $preview || $refresh)
 }
 
 // Parse Attachments - before checksum is calculated
- $message_parser->parse_attachments('fileupload', $mode, $forum_id, $submit, $preview, $refresh);
+ if ($message_parser->check_attachment_form_token($language, $request, 'posting'))
+ {
+ $message_parser->parse_attachments('fileupload', $mode, $forum_id, $submit, $preview, $refresh);
+ }
 
 /**
 * This event allows you to modify message text before parsing
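Review bot: When `check_attachment_form_token()` returns false, the new `if` has no `else`, so `parse_attachments()` is skipped and execution falls through to the event below and the rest of the submit/preview path with the attachment state left unparsed. Whether the invalid token is reported to the user or logged is decided inside `check_attachment_form_token()`, which this hunk does not show, so that should be confirmed there rather than assumed. The literal `'posting'` also has to match the form key name registered for this form elsewhere in the file; a mismatch would presumably block every attachment change. I would add a comment above the guard such as `// CSRF guard: only process attachment add/delete when the 'posting' form token is valid; error reporting is left to check_attachment_form_token()`. The enclosing `if ($submit || $preview || $refresh)` block starts and ends outside the hunk.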