Uploaded image for project: 'phpBB'
  1. phpBB
  2. PHPBB-13218

Missing token check in acp_styles

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Major Major
    • 3.1.0-RC6
    • 3.1.0-RC5
    • ACP
    • None

      There's a an issue on the activate/deactive/install actions in the styles management page using a POST request. The uninstall action uses a confirmation box in the subsequent page, so that doesn't seem affected. GET requests are checked for validity using check_link_hash(), however, POST requests fail to use check_form_key(). Relevant code below:

      		$post_actions = array('install', 'activate', 'deactivate', 'uninstall');
       
      		if ($action && in_array($action, $post_actions) && !check_link_hash($request->variable('hash', ''), $action))
      		{
      			trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
      		}
       
      		foreach ($post_actions as $key)
      		{
      			if ($this->request->is_set_post($key))
      			{
      				$action = $key;
      			}
      		}
      

            prototech prototech [X] (Inactive)
            prototech prototech [X] (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: