Commit d29f308b authored by Peter Rotich's avatar Peter Rotich

Merge pull request #2295 from greezybacon/issue/2276


csrf: Fix CSRF violation on client login

Reviewed-By: default avatarPeter Rotich <peter@osticket.com>
parents 6b597487 c1f36ea3
...@@ -15,33 +15,13 @@ if ($user && ($url = $user->get_gravatar(48))) ...@@ -15,33 +15,13 @@ if ($user && ($url = $user->get_gravatar(48)))
<?php } ?> <?php } ?>
<div class="header"> <div class="header">
<div class="pull-right"> <div class="pull-right">
<?php if ($entry->hasActions()) { <span style="vertical-align:middle;" class="textra">
$actions = $entry->getActions(); ?>
<span class="muted-button pull-right" data-dropdown="#entry-action-more-<?php echo $entry->getId(); ?>">
<i class="icon-caret-down"></i>
</span>
<div id="entry-action-more-<?php echo $entry->getId(); ?>" class="action-dropdown anchor-right">
<ul class="title">
<?php foreach ($actions as $group => $list) {
foreach ($list as $id => $action) { ?>
<li>
<a class="no-pjax" href="#" onclick="javascript:
<?php echo str_replace('"', '\\"', $action->getJsStub()); ?>; return false;">
<i class="<?php echo $action->getIcon(); ?>"></i> <?php
echo $action->getName();
?></a></li>
<?php }
} ?>
</ul>
</div>
<?php } ?>
<span style="vertical-align:middle;" class="textra">
<?php if ($entry->flags & ThreadEntry::FLAG_EDITED) { ?> <?php if ($entry->flags & ThreadEntry::FLAG_EDITED) { ?>
<span class="label label-bare" title="<?php <span class="label label-bare" title="<?php
echo sprintf(__('Edited on %s by %s'), Format::datetime($entry->updated), 'You'); echo sprintf(__('Edited on %s by %s'), Format::datetime($entry->updated), 'You');
?>"><?php echo __('Edited'); ?></span> ?>"><?php echo __('Edited'); ?></span>
<?php } ?> <?php } ?>
</span> </span>
</div> </div>
<?php <?php
echo sprintf(__('<b>%s</b> posted %s'), $name, echo sprintf(__('<b>%s</b> posted %s'), $name,
......
...@@ -32,19 +32,6 @@ else ...@@ -32,19 +32,6 @@ else
$suggest_pwreset = false; $suggest_pwreset = false;
// Check the CSRF token, and ensure that future requests will have to use a
// different CSRF token. This will help ward off both parallel and serial
// brute force attacks, because new tokens will have to be requested for
// each attempt.
if ($_POST) {
// Check CSRF token
if (!$ost->checkCSRFToken())
Http::response(400, __('Valid CSRF Token Required'));
// Rotate the CSRF token (original cannot be reused)
$ost->getCSRF()->rotate();
}
if ($_POST && isset($_POST['luser'])) { if ($_POST && isset($_POST['luser'])) {
if (!$_POST['luser']) if (!$_POST['luser'])
$errors['err'] = __('Valid username or email address is required'); $errors['err'] = __('Valid username or email address is required');
......
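Review bot: Nothing on the new side of this hunk replaces the removed checkCSRFToken()/rotate() block, so as far as this file shows, a POST to the client login handler is now processed without any token check; unless validation runs before this file is reached, that reintroduces login CSRF, where a victim can be made to authenticate into an attacker-chosen account. If the fix intentionally centralises the check in a shared include, say so here so a later reader neither re-adds a duplicate check nor assumes the form is unprotected: `// CSRF token for this POST is validated (and rotated) centrally in <shared include> before this file runs.` The surrounding handler continues outside the hunk, so a check further up this file is possible but not visible here.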
...@@ -1249,7 +1249,7 @@ ul.tabs.alt li.active { ...@@ -1249,7 +1249,7 @@ ul.tabs.alt li.active {
display:block; display:block;
height:30px; height:30px;
position:absolute; position:absolute;
z-index:5; z-index:10;
} }
.tip_arrow { .tip_arrow {
...@@ -1258,7 +1258,7 @@ ul.tabs.alt li.active { ...@@ -1258,7 +1258,7 @@ ul.tabs.alt li.active {
top:5px; top:5px;
left:-12px; left:-12px;
width:12px; width:12px;
z-index:102; z-index:1;
} }
.tip_box.right .tip_arrow { .tip_box.right .tip_arrow {
......