From 96dfa82af5d9fd27b87eeef0ba877b022845e240 Mon Sep 17 00:00:00 2001 From: mensonge Date: Thu, 27 Nov 2008 10:31:03 +0000 Subject: [PATCH] Bug fix: correct CSRF protection git-svn-id: https://semanticscuttle.svn.sourceforge.net/svnroot/semanticscuttle/trunk@178 b3834d28-1941-0410-a4f8-b48e95affb8f --- admin.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/admin.php b/admin.php index 48adacb..c548480 100644 --- a/admin.php +++ b/admin.php @@ -44,11 +44,10 @@ if ( !$currentUser->isAdmin() ) { exit(); } -@list($url, $action, $user) = isset($_SERVER['PATH_INFO']) ? explode('/', $_SERVER['PATH_INFO']) : NULL; - +@list($url, $action, $user) = isset($_SERVER['PATH_INFO']) ? explode('/', $_SERVER['PATH_INFO']) : NULL; if ( $action -&& strpos($_SERVER['HTTP_REFERER'], ROOT.'/admin.php') == 0 // Prevent CSRF attacks +&& strpos($_SERVER['HTTP_REFERER'], ROOT.'admin.php') === 0 // Prevent CSRF attacks ) { switch ( $action ) { case 'delete':