author | Andrew Dolgov <[email protected]> | 2021-02-17 14:05:12 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2021-02-17 14:05:12 +0300 |
commit | d439685895d397581434b74a29713ebefa01e598 (patch) | |
tree | f3fcd195a6cc7ea2a1f4da1ca33cdc1bcc00adaf | |
parent | 00b31c3f53db740984220bd9a745f76032890bea (diff) |
pluginhandlers: post notice if pluginmethod is requested without CSRF token
-rw-r--r-- | classes/pluginhandler.php | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/classes/pluginhandler.php b/classes/pluginhandler.php
index 9682e440f..3fd823aa8 100644
--- a/classes/pluginhandler.php
+++ b/classes/pluginhandler.php
@@ -7,16 +7,22 @@ class PluginHandler extends Handler_Protected {
 function catchall($method) {
 $plugin_name = clean($_REQUEST["plugin"]);
 $plugin = PluginHost::getInstance()->get_plugin($plugin_name);
+ $csrf_token = ($_POST["csrf_token"] ?? "");
 if ($plugin) {
 if (method_exists($plugin, $method)) {
- $plugin->$method();
+ if (validate_csrf($csrf_token)) {
+ $plugin->$method();
+ } else {
+ user_error("Requested ${plugin_name}->${method}() with invalid CSRF token.", E_USER_DEPRECATED);
+ $plugin->$method();
+ }
 } else {
- user_error("PluginHandler: Requested unknown method '$method' of plugin '$plugin_name'.", E_USER_WARNING);
+ user_error("Rejected ${plugin_name}->${method}(): unknown method.", E_USER_WARNING);
 print error_json(13);
 }
 } else {
- user_error("PluginHandler: Requested method '$method' of unknown plugin '$plugin_name'.", E_USER_WARNING);
+ user_error("Rejected ${plugin_name}->${method}(): unknown plugin.", E_USER_WARNING);
 print error_json(14);
 }
 }
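Review bot: The invalid-token branch still calls `$plugin->$method()`, so validate_csrf() only emits a notice in catchall() and the request runs exactly as it did before the change; nothing in the hunk records that this is a transition or when rejection is meant to start, so the else branch should carry a marker such as `// TODO: replace the call below with print error_json(...) once plugins send csrf_token`. Note also that the token is read from `$_POST` only while the plugin name comes from `$_REQUEST`, so every plugin method invoked via GET will always take the notice branch — worth stating in the notice text or a comment so the resulting log lines are not misread as forged requests. As a style point, the new messages use `"${plugin_name}"` interpolation; `"{$plugin_name}"` is the documented form and the `${}` form is deprecated from PHP 8.2.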