From 061ba4abe179829d7d0acd3422a16110dbc91da5 Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Thu, 31 Jan 2019 20:06:49 -0800
Subject: Avoid CSRF in users CSV import

---
 app/Controller/UserImportController.php | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'app/Controller')

diff --git a/app/Controller/UserImportController.php b/app/Controller/UserImportController.php
index 6a9d5992..e878e605 100644
--- a/app/Controller/UserImportController.php
+++ b/app/Controller/UserImportController.php
@@ -3,6 +3,7 @@
 namespace Kanboard\Controller;
 
 use Kanboard\Core\Csv;
+use Kanboard\Core\Controller\AccessForbiddenException;
 
 /**
  * User Import controller
@@ -35,6 +36,12 @@ class UserImportController extends BaseController
     public function save()
     {
         $values = $this->request->getValues();
+
+        // Note: $values is empty when the CSRF token is invalid.
+        if (empty($values)) {
+            throw new AccessForbiddenException();
+        }
+
         $filename = $this->request->getFilePath('file');
 
         if (! file_exists($filename)) {
--
cgit v1.2.3
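Review bot: The CSRF protection in `save()` rests on an implicit contract of `$this->request->getValues()` — that it returns an empty array when the token fails — which is recorded only in a comment, so a later change to that method would silently remove the protection without any failure here. The guard also cannot distinguish a rejected token from a legitimately empty form body, so both cases surface as `AccessForbiddenException` rather than a validation error. If the request or token layer exposes an explicit CSRF validation method, calling it directly here would make the intent visible and keep the check independent of `getValues()` internals; failing that, the method's docblock should state `@throws AccessForbiddenException when the CSRF token is missing or invalid`. The body of `save()` continues outside the hunk.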