From da98ba662ea2af58c27eadecf444537ea07a04c7 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Mon, 14 Sep 2020 20:21:22 +0300
Subject: public/subscribe: require valid CSRF token when validating the form

---
 classes/handler/public.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'classes/handler')

diff --git a/classes/handler/public.php b/classes/handler/public.php
index 135cdcbc7..7f8d01ad0 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -728,6 +728,7 @@ class Handler_Public extends Handler {
 		if ($_SESSION["uid"]) {
 
 			$feed_url = trim(clean($_REQUEST["feed_url"]));
+			$csrf_token = clean($_REQUEST["csrf_token"]);
 
 			header('Content-Type: text/html; charset=utf-8');
 			?>
@@ -774,10 +775,11 @@ class Handler_Public extends Handler {
 			<div class='content'>
 			<?php
 
-			if (!$feed_url) {
+			if (!$feed_url || $csrf_token != $_SESSION["csrf_token"]) {
 				?>
 				<form method="post">
 					<input type="hidden" name="op" value="subscribe">
+					<?php print_hidden("csrf_token", $_SESSION["csrf_token"]) ?>
 					<fieldset>
 						<label>Feed or site URL:</label>
 						<input style="width: 300px" dojoType="dijit.form.ValidationTextBox" required="1" name="feed_url">
@@ -820,6 +822,7 @@ class Handler_Public extends Handler {
 
 					print "<form action='public.php'>";
 					print "<input type='hidden' name='op' value='subscribe'>";
+					print_hidden("csrf_token", $_SESSION["csrf_token"]);
 
 					print "<fieldset>";
 					print "<label style='display : inline'>" . __("Multiple feed URLs found:") . "</label>";
-- 
cgit v1.2.3