fixed potential vulnerability in form CRSF handling, thanks Anthony
This commit is contained in:
@@ -1 +1 @@
|
||||
Version 2.4.6-stable+timestamp.2013.04.28.17.31.30
|
||||
Version 2.4.6-stable+timestamp.2013.04.28.23.04.43
|
||||
|
||||
+1
-1
@@ -1992,7 +1992,7 @@ class FORM(DIV):
|
||||
status = True
|
||||
changed = False
|
||||
request_vars = self.request_vars
|
||||
if session:
|
||||
if session is not None:
|
||||
formkey = session.get('_formkey[%s]' % formname, None)
|
||||
# check if user tampering with form and void CSRF
|
||||
if formkey != request_vars._formkey:
|
||||
|
||||
Reference in New Issue
Block a user