diff options
author | Andrew Dolgov <[email protected]> | 2020-09-15 16:12:53 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2020-09-15 16:12:53 +0300 |
commit | 8080c525fd453bfba9c35f01a08013e148bb2144 (patch) | |
tree | d17bf661dfebf3d2ea16c78d821dbb78f07bf0d3 /classes/handler | |
parent | aeaafefa07b31c99efd27653ad22f4040572d441 (diff) |
- backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
Diffstat (limited to 'classes/handler')
-rwxr-xr-x | classes/handler/public.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/classes/handler/public.php b/classes/handler/public.php index 7f8d01ad0..e4199a95e 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -291,7 +291,7 @@ class Handler_Public extends Handler { $uuid = clean($_REQUEST["key"]); if ($uuid) { - $sth = $this->pdo->prepare("SELECT ref_id, owner_uid + $sth = $this->pdo->prepare("SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE uuid = ?"); $sth->execute([$uuid]); @@ -366,7 +366,7 @@ class Handler_Public extends Handler { } body.css_loading * { display : none; - } + } </style> <link rel='shortcut icon' type='image/png' href='images/favicon.png'> <link rel='icon' type='image/png' sizes='72x72' href='images/favicon-72px.png'>"; @@ -728,7 +728,7 @@ class Handler_Public extends Handler { if ($_SESSION["uid"]) { $feed_url = trim(clean($_REQUEST["feed_url"])); - $csrf_token = clean($_REQUEST["csrf_token"]); + $csrf_token = clean($_POST["csrf_token"]); header('Content-Type: text/html; charset=utf-8'); ?> |