Add CSRF token to Authorize module

Issue........: https://framagit.org/hubzilla/core/-/work_items/1987
Harald Eilertsen
2026-06-10 20:57:56 +02:00
parent b5f7e55c2b
commit 4dbcbbb1af
2 changed files with 6 additions and 0 deletions


@@ -29,6 +29,7 @@ class Authorize extends \Zotlabs\Web\Controller {
return replace_macros(get_markup_template('oauth_authorize.tpl'), [
'$title' => t('Authorize'),
'$security' => get_form_security_token('oauth_authorize'),
'$authorize' => sprintf( t('Do you authorize the app %s to access your channel data?'), $link ),
'$app' => $app,
'$yes' => t('Allow'),
@@ -45,6 +46,10 @@ class Authorize extends \Zotlabs\Web\Controller {
return;
}
if (! check_form_security_token('oauth_authorize')) {
http_status_exit(401, t('You are not authorized to perform this action.'));
}
$storage = new OAuth2Storage(\DBA::$dba->db);
$s = new \Zotlabs\Identity\OAuth2Server($storage);
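Review bot: The new rejection branch, `http_status_exit(401, …)` after `check_form_security_token('oauth_authorize')`, answers a failed form-token check with 401, which tells the client that authentication is missing. A request that fails the anti-CSRF check is better refused with 403, e.g. `http_status_exit(403, t('You are not authorized to perform this action.'));`. The branch also exits without leaving a trace, and a token mismatch on the OAuth consent POST is worth recording for detection, for instance `logger('oauth_authorize: form security token check failed');` before the exit. The enclosing method starts and ends outside the hunk, so the guard that returns just above the check (presumably a login check) is not visible here.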


@@ -6,6 +6,7 @@
<p class="descriptive-paragraph">{{$authorize}}</p>
<form method="POST">
<div class="settings-submit-wrapper">
<input type="hidden" name="form_security_token" value="{{$security}}" />
<input type="hidden" name="client_id" value="{{$client_id|escape}}" />
<input type="hidden" name="redirect_uri" value="{{$redirect_uri|escape}}" />
<input type="hidden" name="state" value="{{$state|escape}}" />
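Review bot: The added hidden field prints `{{$security}}` without the `|escape` modifier that the `client_id`, `redirect_uri` and `state` fields right below it use. The token is generated server-side, so this looks like a consistency issue rather than an injection path, but `value="{{$security|escape}}"` keeps every attribute in the form encoded the same way. Separately, the token blocks forged cross-site POSTs but does nothing against the consent form being framed by another origin; whether this page is already served with a frame-ancestors or X-Frame-Options restriction cannot be seen from this template.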