From: Andrew Dolgov
Date: Mon, 26 Dec 2011 08:02:52 +0000 (+0400)
Subject: experimental CSRF protection
X-Git-Tag: 1.5.9~53
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=8484ce22584b8714622833adcc7ebfe3ef9cf90e;p=tt-rss.git
experimental CSRF protection
---
diff --git a/backend.php b/backend.php
index 1805ce36..2e4da500 100644
--- a/backend.php
+++ b/backend.php
@@ -1,5 +1,5 @@ before($method)) {
- if ($method && method_exists($handler, $method)) {
- $handler->$method();
- } else if (method_exists($handler, 'index')) {
- $handler->index();
+ if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
+ if ($handler->before($method)) {
+ if ($method && method_exists($handler, $method)) {
+ $handler->$method();
+ }
+ $handler->after();
+ return;
 }
- $handler->after();
+ } else {
+ header("Content-Type: text/plain");
+ print json_encode(array("error" => array("code" => 6)));
 return;
 }
 }
diff --git a/classes/article.php b/classes/article.php
index 90ca129b..30f0c7d1 100644
--- a/classes/article.php
+++ b/classes/article.php
@@ -1,6 +1,12 @@ args = $args; } + function csrf_ignore($method) { + return true; + } + function before() { return true; }
diff --git a/classes/pref_feeds.php b/classes/pref_feeds.php
index 5df5eb93..b83abd78 100644
--- a/classes/pref_feeds.php
+++ b/classes/pref_feeds.php
@@ -1,5 +1,12 @@ ";
diff --git a/classes/pref_filters.php b/classes/pref_filters.php
index d953a8d1..4ab12410 100644
--- a/classes/pref_filters.php
+++ b/classes/pref_filters.php
@@ -1,6 +1,12 @@
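Review bot: The CSRF rejection branch in backend.php sets no HTTP status and declares `Content-Type: text/plain` while the body it prints is JSON, so a client that branches on status or content type presumably sees a 200 text response and cannot tell a rejected request from a successful one without parsing the body; `header("Content-Type: application/json")` plus a non-2xx status such as 403 would make the rejection observable, if the front-end tolerates it. The error code `6` is a bare magic number — a short comment on that line, e.g. `// error 6: CSRF token missing or invalid`, would help whoever maps it on the client side. The guard evaluates `validate_csrf($csrf_token)` before `csrf_ignore($method)`, so `$csrf_token` must be assigned even for exempt methods; where it is read is not visible because the start of this hunk was not recovered from the page. The enclosing block begins outside the hunk.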
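Review bot: `csrf_ignore()` in classes/article.php returns `true` unconditionally and never reads `$method`, so every method of this handler is exempt from the new `validate_csrf` check, including any that change state. An explicit allow-list keeps the exemption narrow, e.g. `return in_array($method, array(/* read-only methods */), true);` — the method names are not visible in this hunk, so that list is a placeholder. The garbled hunk start on this page makes it unclear whether further lines of this class were also added.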