
fix OTP QR code not displayed because of CSRF token passed as a query

parameter
use type-strict comparison when validating CSRF token on the backend
This commit is contained in:
Andrew Dolgov
2020-09-17 08:43:39 +03:00
parent 6a4b6cf603
commit 1f79d614c4
3 changed files with 27 additions and 17 deletions


@@ -283,9 +283,12 @@ class Handler_Public extends Handler {
}
function logout() {
if ($_POST["csrf_token"] == $_SESSION["csrf_token"]) {
if (validate_csrf($_POST["csrf_token"])) {
logout_user();
header("Location: index.php");
} else {
header("Content-Type: text/json");
print error_json(6);
}
}
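Review bot: On the new `if (validate_csrf($_POST["csrf_token"]))` line the token is indexed without a guard, so a logout request that omits the field (or a plain GET to this op) raises an undefined-index notice before validation runs; use `if (validate_csrf($_POST["csrf_token"] ?? "")) {` so a missing token arrives as an empty string and simply fails the check. validate_csrf itself is not in this hunk, so its comparison is not visible here; since the commit note says it is now type-strict, it should also be confirmed to reject the case where the session holds no token at all (previously `null == null` let the loose check pass) and, ideally, to compare via `hash_equals()` so the check is constant-time. The `Content-Type: text/json` on the error path is pre-existing; `application/json` is the registered media type if this branch is touched again.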
@@ -777,7 +780,7 @@ class Handler_Public extends Handler {
<div class='content'>
<?php
if (!$feed_url || $csrf_token != $_SESSION["csrf_token"]) {
if (!$feed_url || !validate_csrf($csrf_token)) {
?>
<form method="post">
<input type="hidden" name="op" value="subscribe">