From ea2f18b22b86b9b551a546ca522a437570426143 Mon Sep 17 00:00:00 2001
From: Andreas Boehler
Date: Sat, 2 Mar 2013 07:49:39 +0100
Subject: [PATCH] Fixed possible CSRF attacks (thanks to Lukas Reschke)
---
 appinfo/version | 2 +-
 settings.php | 2 ++
 templates/settings.php | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/appinfo/version b/appinfo/version
index eb49d7c..39e898a 100644
--- a/appinfo/version
+++ b/appinfo/version
@@ -1 +1 @@
-0.7
+0.7.1
diff --git a/settings.php b/settings.php
index 622e336..f6f1ff3 100644
--- a/settings.php
+++ b/settings.php
@@ -23,8 +23,10 @@ $params = array('sql_host', 'sql_user', 'sql_database', 'sql_password', 'sql_table', 'sql_column_username', 'sql_column_password', 'sql_type', 'sql_column_active', 'strip_domain', 'default_domain', 'crypt_type');
 OCP\Util::addscript('user_sql', 'settings');
+OCP\User::checkAdminUser();
 if ($_POST) {
+ OCP\JSON::callCheck();
 foreach($params as $param){
 if(isset($_POST[$param])) {
diff --git a/templates/settings.php b/templates/settings.php
index 6932f45..01fb609 100644
--- a/templates/settings.php
+++ b/templates/settings.php
@@ -40,7 +40,7 @@
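Review bot: In the settings.php hunk, `OCP\User::checkAdminUser();` is placed after `OCP\Util::addscript('user_sql', 'settings');`, so the page still does work before the authorization gate; making it the first statement of the file would keep the check ahead of everything else and easy to audit (the file starts above the hunk, so the exact position is for the author to confirm). The token check `OCP\JSON::callCheck();` runs only inside `if ($_POST)`, which is sufficient as long as every write to the app configuration stays inside that branch; the branch body continues outside the hunk and should be checked for that. A short comment above the call, e.g. `// CSRF check: reject the POST unless it carries a valid request token`, would record why it must stay the first statement of the branch.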

title="Strip Domain Part from Username when logging in and retrieving username lists">

- +