Avoid CSRF in users CSV import

author: Frédéric Guillot <fred@kanboard.net> 2019-01-31 20:06:49 -0800
committer: Frédéric Guillot <fred@kanboard.net> 2019-01-31 20:06:49 -0800
commit: 061ba4abe179829d7d0acd3422a16110dbc91da5 (patch)
tree: 895c45a3ecdd6b341c19cf7b5acde3bf0c196016
parent: 928f80d569141601c4d8f6652b2ac0a2497c7be4 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/app/Controller/UserImportController.php b/app/Controller/UserImportController.php
index 6a9d5992..e878e605 100644
--- a/app/Controller/UserImportController.php
+++ b/app/Controller/UserImportController.php
@@ -3,6 +3,7 @@
 namespace Kanboard\Controller;
 
 use Kanboard\Core\Csv;
+use Kanboard\Core\Controller\AccessForbiddenException;
 
 /**
  * User Import controller
@@ -35,6 +36,12 @@ class UserImportController extends BaseController
     public function save()
     {
         $values = $this->request->getValues();
+
+        // Note: $values is empty when the CSRF token is invalid.
+        if (empty($values)) {
+            throw new AccessForbiddenException();
+        }
+
         $filename = $this->request->getFilePath('file');
 
         if (! file_exists($filename)) {
author	Frédéric Guillot <fred@kanboard.net>	2019-01-31 20:06:49 -0800
committer	Frédéric Guillot <fred@kanboard.net>	2019-01-31 20:06:49 -0800
commit	061ba4abe179829d7d0acd3422a16110dbc91da5 (patch)
tree	895c45a3ecdd6b341c19cf7b5acde3bf0c196016
parent	928f80d569141601c4d8f6652b2ac0a2497c7be4 (diff)