summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorFrédéric Guillot <fred@kanboard.net>2018-01-29 11:31:54 -0800
committerFrédéric Guillot <fred@kanboard.net>2018-01-29 11:31:54 -0800
commit357316cdf956b83df890b7bc14b772f49159c3df (patch)
tree3c58dd9e5cfbef64c135bfa662b296489dd89993 /app
parent573754c450211a57a1c3939d5d0326570f5efa58 (diff)
Add missing CSRF check in saveUploadDB() method
Diffstat (limited to 'app')
-rw-r--r--app/Controller/ConfigController.php1
-rw-r--r--app/Template/config/upload_db.php4
2 files changed, 2 insertions, 3 deletions
diff --git a/app/Controller/ConfigController.php b/app/Controller/ConfigController.php
index 2ea04b35..fcdd6972 100644
--- a/app/Controller/ConfigController.php
+++ b/app/Controller/ConfigController.php
@@ -199,6 +199,7 @@ class ConfigController extends BaseController
*/
public function saveUploadedDb()
{
+ $this->checkCSRFParam();
$filename = $this->request->getFilePath('file');
if (!file_exists($filename) || !$this->configModel->uploadDatabase($filename)) {
diff --git a/app/Template/config/upload_db.php b/app/Template/config/upload_db.php
index b247cf75..efc8eb28 100644
--- a/app/Template/config/upload_db.php
+++ b/app/Template/config/upload_db.php
@@ -8,9 +8,7 @@
</p>
</div>
-<form action="<?= $this->url->href('ConfigController', 'saveUploadedDb') ?>" method="post" enctype="multipart/form-data">
- <?= $this->form->csrf() ?>
-
+<form action="<?= $this->url->href('ConfigController', 'saveUploadedDb', [], true) ?>" method="post" enctype="multipart/form-data">
<?= $this->form->label(t('Database file'), 'file') ?>
<?= $this->form->file('file') ?>