Add posting token to login and register

Phorum · Apr 19, 2016 · 5f5bcd0 · 5f5bcd0
1 parent 15529c7
commit 5f5bcd0
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/login.php b/login.php
@@ -118,6 +118,11 @@
 // Set all our URLs.
 phorum_build_common_urls();
 
+// CSRF protection: we do not accept posting to this script,
+// when the browser does not include a Phorum signed token
+// in the request.
+phorum_check_posting_token();
+
 $template = "login";
 $error = "";
 $okmsg = "";
@@ -518,7 +523,9 @@
              *         if (!empty($PHORUM["mod_foo"]["login_failures"][$_SERVER["REMOTE_ADDR"]])) {
              *             // If the failures occur within the set time window,
              *             // increment the login failure count
-             *             if ($curr_time <= ($PHORUM["mod_foo"]["login_failures"][$_SERVER["REMOTE_ADDR"]]["timestamp"] + (int)$PHORUM["mod_foo"]["login_failures_time_window"])) {
+             *             if ( $curr_time
+             *                  <= ($PHORUM["mod_foo"]["login_failures"][$_SERVER["REMOTE_ADDR"]]["timestamp"]
+             *                     + (int)$PHORUM["mod_foo"]["login_failures_time_window"])) {
              *                 $PHORUM["mod_foo"]["login_failures"][$_SERVER["REMOTE_ADDR"]]["login_failure_count"] ++;
              *                 $PHORUM["mod_foo"]["login_failures"][$_SERVER["REMOTE_ADDR"]]["timestamp"] = $curr_time;
              *             // Otherwise, reset the count.

diff --git a/register.php b/register.php
@@ -80,6 +80,11 @@
 
 }
 
+// CSRF protection: we do not accept posting to this script,
+// when the browser does not include a Phorum signed token
+// in the request.
+phorum_check_posting_token();
+
 $error = ''; // Init error as empty.
 
 // Process posted form data.