author | Fabian Becker <halfdan@xnorfz.de> | 2013-02-06 02:35:40 +0400 |
---|---|---|
committer | Fabian Becker <halfdan@xnorfz.de> | 2013-02-06 02:35:40 +0400 |
commit | c2f670c4a59aa1c4142174365e076ee69a88d105 (patch) | |
tree | 0c9d3099d16af6e50906f44b41fcaa8091fd542a /plugins/LanguagesManager | |
parent | 073af4e5f8c4552520c0b5c57a2136beca62565a (diff) |
Fixes a possible minor CSRF that potentially allowed attackers to
change a user's language.
fixes #3733
Diffstat (limited to 'plugins/LanguagesManager')
-rw-r--r-- | plugins/LanguagesManager/Controller.php | 3 | ||||
-rw-r--r-- | plugins/LanguagesManager/templates/languages.tpl | 1 |
2 files changed, 3 insertions, 1 deletions
diff --git a/plugins/LanguagesManager/Controller.php b/plugins/LanguagesManager/Controller.php
index 6ba6210077..ebc69c9b40 100644
--- a/plugins/LanguagesManager/Controller.php
+++ b/plugins/LanguagesManager/Controller.php
@@ -23,6 +23,7 @@ class Piwik_LanguagesManager_Controller extends Piwik_Controller
 public function saveLanguage()
 {
 $language = Piwik_Common::getRequestVar('language');
+ $this->checkTokenInUrl();
 Piwik_LanguagesManager::setLanguageForSession($language);
 if(Zend_Registry::isRegistered('access')) {
 $currentUser = Piwik::getCurrentUserLogin();
@@ -32,5 +33,5 @@ class Piwik_LanguagesManager_Controller extends Piwik_Controller
 }
 }
 Piwik_Url::redirectToReferer();
- }
+ }
 }
diff --git a/plugins/LanguagesManager/templates/languages.tpl b/plugins/LanguagesManager/templates/languages.tpl
index b06cd191c3..fbf1c618a5 100644
--- a/plugins/LanguagesManager/templates/languages.tpl
+++ b/plugins/LanguagesManager/templates/languages.tpl
@@ -7,6 +7,7 @@
 <option value="{$language.code}" {if $language.code == $currentLanguageCode}selected="selected"{/if} title="{$language.name} ({$language.english_name})">{$language.name}</option>
 {/foreach}
 </select>
+ <input type="hidden" name="token_auth" value="{$token_auth}"/>
 <input type="submit" value="go" />
 </form>
 </span>
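Review bot: The new `$this->checkTokenInUrl();` in saveLanguage carries no explanation of what it protects or what it does on mismatch; nothing in the hunk shows the helper, so presumably it throws and aborts the request before `setLanguageForSession`, which is the right placement — it must stay ahead of every state change, including the `Piwik::getCurrentUserLogin()` branch that continues below the hunk. A one-line comment would make the intent survive future refactors: `// CSRF guard: the language form echoes the user's token_auth (templates/languages.tpl); a mismatch throws before any state change.` Be aware that this reuses the long-lived API token as the anti-CSRF value, so every page embedding the form now carries that credential; a per-session nonce would limit exposure if a rendered page is ever cached or logged, though that is a wider change than this fix. The second hunk in this file is whitespace-only, and saveLanguage's body extends outside the first hunk.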
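Review bot: The hidden `token_auth` input sends the user's API token with the language form, so if the `<form>` (its opening tag is outside the hunk) submits via GET the token ends up in the query string, browser history, server logs and the `Referer` seen by whatever page `redirectToReferer()` returns to — confirm the form uses `method="post"`, since the helper's name suggests it also accepts the token from the URL. The field also assumes `$token_auth` is assigned to this view; if it is not, the input renders empty and every submit fails the new check. The value is emitted unescaped into an attribute; `{$token_auth|escape:'html'}` would match the context even though the token is normally hex.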