Protect message settings with sesskey. MDL-16688 ; merged from 19_STABLE

author stronk7 <stronk7>

Thu, 25 Sep 2008 22:42:58 +0000 (22:42 +0000)

committer stronk7 <stronk7>

Thu, 25 Sep 2008 22:42:58 +0000 (22:42 +0000)
author stronk7 <stronk7>
Thu, 25 Sep 2008 22:42:58 +0000 (22:42 +0000)
committer stronk7 <stronk7>
Thu, 25 Sep 2008 22:42:58 +0000 (22:42 +0000)
diff --git a/message/lib.php b/message/lib.php

index 9a26a84c36fdb79b92b43eb3b949b88bcd01d3b1..4e97406cceb16647b54739fe099a6a534b3a1669 100644 (file)
--- a/message/lib.php
+++ b/message/lib.php
@@ -205,7 +205,7 @@ function message_print_search() {
  function message_print_settings() {
      global $USER;
  
-    if ($frm = data_submitted()) {
+    if ($frm = data_submitted() and confirm_sesskey()) {
  
          $pref = array();
          $pref['message_showmessagewindow'] = (isset($frm->showmessagewindow)) ? '1' : '0';
diff --git a/message/settings.html b/message/settings.html

index 78974203ffca8a3744e02e0642aea664962c0948..3b21846154af45cf52f97a8b209347ed9db25b74 100644 (file)
--- a/message/settings.html
+++ b/message/settings.html
@@ -1,5 +1,8 @@
  <form id="message_settings" action="index.php" method="post">
-<div><input type="hidden" name="tab" value="settings" /></div>
+<div>
+    <input type="hidden" name="tab" value="settings" />
+    <input type="hidden" name="sesskey" value="<?php echo sesskey() ?>" />
+</div>
  
  
  <table cellpadding="5"  class="message_form boxaligncenter">
message/lib.php		patch \| blob \| history
message/settings.html		patch \| blob \| history