Merge pull request #24 from phpbb/ticket/security-188

[ticket/security-188] Check form key in acp_bbcodes
2025-06-28 06:08:52 +00:00 · 2016-01-09 09:13:50 +01:00 · 2016-01-09 09:13:50 +01:00 · c2d59b3352
commit c2d59b3352
parent 80c32fb7ef 87345807de
2 changed files with 6 additions and 2 deletions
--- a/phpBB/includes/acp/acp_bbcodes.php
+++ b/phpBB/includes/acp/acp_bbcodes.php
@ -33,6 +33,7 @@ class acp_bbcodes
 		// Set up general vars
 		$action	= request_var('action', '');
 		$bbcode_id = request_var('bbcode', 0);
+		$submit = $request->is_set_post('submit');

 		$this->tpl_name = 'acp_bbcodes';
 		$this->page_title = 'ACP_BBCODES';
@ -40,6 +41,11 @@ class acp_bbcodes

 		add_form_key($form_key);

+		if ($submit && !check_form_key($form_key))
+		{
+			trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+		}
+
 		// Set up mode-specific vars
 		switch ($action)
 		{
--- a/phpBB/includes/acp/acp_extensions.php
+++ b/phpBB/includes/acp/acp_extensions.php
@ -121,8 +121,6 @@ class acp_extensions
 					'U_ACTION' 				=> $this->u_action,
 				));

-				add_form_key('version_check_settings');
-
 				$this->tpl_name = 'acp_ext_list';
 			break;