diff options
author | Andrew Dolgov <[email protected]> | 2020-09-15 16:12:53 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2020-09-15 16:12:53 +0300 |
commit | 8080c525fd453bfba9c35f01a08013e148bb2144 (patch) | |
tree | d17bf661dfebf3d2ea16c78d821dbb78f07bf0d3 /classes/feeds.php | |
parent | aeaafefa07b31c99efd27653ad22f4040572d441 (diff) |
- backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
Diffstat (limited to 'classes/feeds.php')
-rwxr-xr-x | classes/feeds.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/classes/feeds.php b/classes/feeds.php index 58ba1b6f8..71890f6ab 100755 --- a/classes/feeds.php +++ b/classes/feeds.php @@ -751,7 +751,7 @@ class Feeds extends Handler_Protected { $feed_id = (int)$_REQUEST["feed_id"]; @$do_update = $_REQUEST["action"] == "do_update"; - $csrf_token = $_REQUEST["csrf_token"]; + $csrf_token = $_POST["csrf_token"]; $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE id = ? AND owner_uid = ?"); $sth->execute([$feed_id, $_SESSION['uid']]); @@ -799,7 +799,7 @@ class Feeds extends Handler_Protected { <div class="container"> <h1>Feed Debugger: <?php echo "$feed_id: " . $this->getFeedTitle($feed_id) ?></h1> <div class="content"> - <form method="GET" action=""> + <form method="post" action=""> <input type="hidden" name="op" value="feeds"> <input type="hidden" name="method" value="update_debugger"> <input type="hidden" name="xdebug" value="1"> |