author | Marc Alexander <admin@m-a-styles.de> | 2020-01-18 21:46:07 +0100 |
---|---|---|
committer | Marc Alexander <admin@m-a-styles.de> | 2020-01-18 21:46:07 +0100 |
commit | 880deabac196ee5a744d3488e12fcddb953a6c96 (patch) | |
tree | d339a73019d6ea74de6566de3de646b217401e5c | |
parent | Merge pull request #5830 from marc1706/ticket/16328 (diff) | |
parent | [ticket/16296] Adjust form token check for mark actions (diff) | |
Merge pull request #5821 from marc1706/ticket/16296
[ticket/16296] Adjust form token check for mark actions
-rw-r--r-- | phpBB/includes/functions_privmsgs.php | 5 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_pm.php | 10 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_pm_viewfolder.php | 4 |
3 files changed, 12 insertions, 7 deletions
diff --git a/phpBB/includes/functions_privmsgs.php b/phpBB/includes/functions_privmsgs.php index f07512d623..436b437cfa 100644 --- a/phpBB/includes/functions_privmsgs.php +++ b/phpBB/includes/functions_privmsgs.php @@ -958,6 +958,11 @@ function handle_mark_actions($user_id, $mark_action) { case 'mark_important': + if (!check_form_key('ucp_pm_view')) + { + trigger_error('FORM_INVALID'); + } + $sql = 'UPDATE ' . PRIVMSGS_TO_TABLE . " SET pm_marked = 1 - pm_marked WHERE folder_id = $cur_folder_id diff --git a/phpBB/includes/ucp/ucp_pm.php b/phpBB/includes/ucp/ucp_pm.php index 00d1ce7149..3f982c8dd0 100644 --- a/phpBB/includes/ucp/ucp_pm.php +++ b/phpBB/includes/ucp/ucp_pm.php @@ -209,14 +209,14 @@ class ucp_pm $submit_mark = false; } - if (($move_pm || $submit_mark) && !check_form_key('ucp_pm_view')) - { - trigger_error('FORM_INVALID'); - } - // Move PM if ($move_pm) { + if (!check_form_key('ucp_pm_view')) + { + trigger_error('FORM_INVALID'); + } + $move_msg_ids = (isset($_POST['marked_msg_id'])) ? $request->variable('marked_msg_id', array(0)) : array(); $cur_folder_id = $request->variable('cur_folder_id', PRIVMSGS_NO_BOX); diff --git a/phpBB/includes/ucp/ucp_pm_viewfolder.php b/phpBB/includes/ucp/ucp_pm_viewfolder.php index ce40a2507d..4b6377e0b7 100644 --- a/phpBB/includes/ucp/ucp_pm_viewfolder.php +++ b/phpBB/includes/ucp/ucp_pm_viewfolder.php @@ -32,7 +32,7 @@ function view_folder($id, $mode, $folder_id, $folder) $folder_info = get_pm_from($folder_id, $folder, $user->data['user_id']); - add_form_key('ucp_pm_view_folder'); + add_form_key('ucp_pm_view'); if (!$submit_export) { @@ -199,7 +199,7 @@ function view_folder($id, $mode, $folder_id, $folder) $enclosure = $request->variable('enclosure', ''); $delimiter = $request->variable('delimiter', ''); - if (!check_form_key('ucp_pm_view_folder')) + if (!check_form_key('ucp_pm_view')) { trigger_error('FORM_INVALID'); } |
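Review bot: In `handle_mark_actions()` the token check now sits only inside `case 'mark_important':`, and the `ucp_pm.php` hunk removes the blanket `($move_pm || $submit_mark)` check, so every other mark action depends on its own case for CSRF protection. The rest of the switch is outside this hunk, so I cannot confirm that each remaining state-changing case validates a token or goes through a confirmation step; please verify that before merging. To keep a later-added case from shipping unprotected, I would add a comment above the switch such as `// Each state-changing case must call check_form_key('ucp_pm_view') or use confirm_box(); ucp_pm.php no longer checks the token for $submit_mark`. A functional test that submits the `mark_important` action without a valid token and expects `FORM_INVALID` would pin the behaviour.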
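Review bot: The key name `'ucp_pm_view'` is now a bare string literal that has to match between `add_form_key()` in `view_folder()` and the `check_form_key()` calls in this file, `ucp_pm.php` and `functions_privmsgs.php`; a mismatch fails closed with `FORM_INVALID`, but nothing in the code ties the call sites together. Consider one shared constant for the name, or at least a comment next to `add_form_key('ucp_pm_view');` such as `// Must match the check_form_key() calls in ucp_pm.php and handle_mark_actions()`. The second hunk in this file also means the export check accepts the same token as the mark and move actions, which looks intended but is worth stating in that comment. `view_folder()` starts and ends outside both hunks.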