author | Frédéric Guillot <fred@kanboard.net> | 2018-01-29 11:31:54 -0800 |
---|---|---|
committer | Frédéric Guillot <fred@kanboard.net> | 2018-01-29 11:31:54 -0800 |
commit | 357316cdf956b83df890b7bc14b772f49159c3df (patch) | |
tree | 3c58dd9e5cfbef64c135bfa662b296489dd89993 /app | |
parent | 573754c450211a57a1c3939d5d0326570f5efa58 (diff) |
Add missing CSRF check in saveUploadDB() method
Diffstat (limited to 'app')
-rw-r--r-- | app/Controller/ConfigController.php | 1 | ||||
-rw-r--r-- | app/Template/config/upload_db.php | 4 |
2 files changed, 2 insertions, 3 deletions
diff --git a/app/Controller/ConfigController.php b/app/Controller/ConfigController.php
index 2ea04b35..fcdd6972 100644
--- a/app/Controller/ConfigController.php
+++ b/app/Controller/ConfigController.php
@@ -199,6 +199,7 @@ class ConfigController extends BaseController
      */
     public function saveUploadedDb()
     {
+        $this->checkCSRFParam();
         $filename = $this->request->getFilePath('file');
 
         if (!file_exists($filename) || !$this->configModel->uploadDatabase($filename)) {
diff --git a/app/Template/config/upload_db.php b/app/Template/config/upload_db.php
index b247cf75..efc8eb28 100644
--- a/app/Template/config/upload_db.php
+++ b/app/Template/config/upload_db.php
@@ -8,9 +8,7 @@
     </p>
 </div>
 
-<form action="<?= $this->url->href('ConfigController', 'saveUploadedDb') ?>" method="post" enctype="multipart/form-data">
-    <?= $this->form->csrf() ?>
-
+<form action="<?= $this->url->href('ConfigController', 'saveUploadedDb', [], true) ?>" method="post" enctype="multipart/form-data">
     <?= $this->form->label(t('Database file'), 'file') ?>
     <?= $this->form->file('file') ?> |
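Review bot: The CSRF check added as the first statement of saveUploadedDb() runs before the upload is touched, which is the right order, but the path returned by getFilePath('file') is then accepted on `file_exists($filename)` alone, so anything the request layer hands back that is not a genuine PHP upload would still reach uploadDatabase(); if getFilePath() returns the multipart field's tmp_name (not visible here), `if (!is_uploaded_file($filename) || !$this->configModel->uploadDatabase($filename)) {` is the tighter guard. The `[], true` argument in the template hunk appears to move the token from a hidden field into the form action's query string, where it can be recorded in access logs and leaked through Referer headers; it is worth confirming that checkCSRFParam() rejects a missing or mismatched parameter by throwing rather than returning, and that the token is per-session so a logged value has limited reuse. Whether the route is additionally restricted to administrators cannot be seen from this hunk and should be verified in the access map. The body of saveUploadedDb() continues past the end of the hunk.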