authorAndrew Dolgov <[email protected]>2020-09-15 16:12:53 +0300
committerAndrew Dolgov <[email protected]>2020-09-15 16:12:53 +0300
commit8080c525fd453bfba9c35f01a08013e148bb2144 (patch)
treed17bf661dfebf3d2ea16c78d821dbb78f07bf0d3 /classes/feeds.php
parentaeaafefa07b31c99efd27653ad22f4040572d441 (diff)
- backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger - rework Article/redirect to use POST
Diffstat (limited to 'classes/feeds.php')
-rwxr-xr-xclasses/feeds.php4
1 files changed, 2 insertions, 2 deletions
diff --git a/classes/feeds.php b/classes/feeds.php
index 58ba1b6f8..71890f6ab 100755
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -751,7 +751,7 @@ class Feeds extends Handler_Protected {
$feed_id = (int)$_REQUEST["feed_id"];
@$do_update = $_REQUEST["action"] == "do_update";
- $csrf_token = $_REQUEST["csrf_token"];
+ $csrf_token = $_POST["csrf_token"];
$sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE id = ? AND owner_uid = ?");
$sth->execute([$feed_id, $_SESSION['uid']]);
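Review bot: The new `$csrf_token = $_POST["csrf_token"];` reads the key unconditionally, so the initial GET load of the debugger page (before the form is ever submitted) will raise an undefined-index notice, while the `@`-suppressed `$do_update` line right above it shows the author expected that case; prefer `$csrf_token = $_POST["csrf_token"] ?? "";` so a missing token is an empty string that the later check rejects rather than a notice. `$feed_id` and `$do_update` still come from `$_REQUEST`, which is acceptable only because the token itself now has to arrive in the POST body — it would be worth a one-line comment stating that, e.g. `// token must come from POST so it is never carried in a URL (see commit message)`. The token comparison is not in this hunk; if it is a plain `==`/`!=`, it should use `hash_equals()` — I can't confirm from here. update_debugger's body continues past the end of the hunk.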
@@ -799,7 +799,7 @@ class Feeds extends Handler_Protected {
<div class="container">
<h1>Feed Debugger: <?php echo "$feed_id: " . $this->getFeedTitle($feed_id) ?></h1>
<div class="content">
- <form method="GET" action="">
+ <form method="post" action="">
<input type="hidden" name="op" value="feeds">
<input type="hidden" name="method" value="update_debugger">
<input type="hidden" name="xdebug" value="1">