From 19ea9ed6209b36cba5cb8f96224d9e3a0c022c93 Mon Sep 17 00:00:00 2001 From: Frédéric Guillot Date: Wed, 30 Jan 2019 20:21:12 -0800 Subject: Add missing CSRF check in TwoFactorController::deactivate() --- app/Controller/BaseController.php | 9 ++++++++- app/Controller/TwoFactorController.php | 1 + 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'app') diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php index c984a702..637c3db1 100644 --- a/app/Controller/BaseController.php +++ b/app/Controller/BaseController.php @@ -33,6 +33,13 @@ abstract class BaseController extends Base } } + protected function checkCSRFForm() + { + if (! $this->token->validateCSRFToken($this->request->getRawValue('csrf_token'))) { + throw new AccessForbiddenException(); + } + } + /** * Check webhook token * @@ -305,7 +312,7 @@ abstract class BaseController extends Base return $filter; } - + /** * Redirect the user after the authentication * diff --git a/app/Controller/TwoFactorController.php b/app/Controller/TwoFactorController.php index 5f60e946..2038c269 100644 --- a/app/Controller/TwoFactorController.php +++ b/app/Controller/TwoFactorController.php @@ -119,6 +119,7 @@ class TwoFactorController extends UserViewController */ public function deactivate() { + $this->checkCSRFForm(); $user = $this->getUser(); $this->checkCurrentUser($user); -- cgit v1.2.3