mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-04-14 12:52:08 +02:00
Code Issues Releases Wiki Activity

Merge pull request #59 from phpbb/ticket/security-249

Browse Source 
[ticket/security-249] Do not handle avatar submit on invalid token
This commit is contained in:
Marc Alexander 2020-01-03 17:18:54 +01:00
commit 03757a0663
No known key found for this signature in database
GPG Key ID: 50E0D2423696F995
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
phpBB/includes/ucp/ucp_groups.php
View File

@ -534,7 +534,12 @@ class ucp_groups
'teampage' => $group_row['group_teampage'],
);
if ($config['allow_avatar'])
if (!check_form_key('ucp_groups'))
{
$error[] = $user->lang['FORM_INVALID'];
}
if (!count($error) && $config['allow_avatar'])
{
// Handle avatar
$driver_name = $phpbb_avatar_manager->clean_driver_name($request->variable('avatar_driver', ''));
@ -556,11 +561,6 @@ class ucp_groups
$error = array_merge($error, $phpbb_avatar_manager->localize_errors($user, $avatar_error));
}
if (!check_form_key('ucp_groups'))
{
$error[] = $user->lang['FORM_INVALID'];
}
// Validate submitted colour value
if ($colour_error = validate_data($submit_ary, array('colour' => array('hex_colour', true))))
{