beenull/adminerevo
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

CSRF protection of included JavaScript

Browse source
This commit is contained in:
Jakub Vrana 2010-10-18 01:20:02 +02:00
parent 031a82a4ad
commit 6f5c1981a0
3 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
adminer/db.inc.php
View file

@ -155,6 +155,6 @@ if ($_GET["ns"] !== "") {
}
page_footer();
echo "<script type='text/javascript' src='" . h(ME) . "script=db'></script>\n";
echo "<script type='text/javascript' src='" . h(ME . "script=db&token=$token") . "'></script>\n";
exit; // page_footer() already called
}

2
adminer/include/connect.inc.php
View file

@ -43,7 +43,7 @@ function connect_error() {
}
}
page_footer("db");
echo "<script type='text/javascript' src='" . h(ME) . "script=connect'></script>\n";
echo "<script type='text/javascript' src='" . h(ME . "script=connect&token=$token") . "'></script>\n";
}
if (isset($_GET["status"])) {

3
adminer/script.inc.php
View file

@ -1,5 +1,8 @@
<?php
header("Content-Type: text/javascript; charset=utf-8");
if ($_GET["token"] != $token) { // CSRF protection
exit;
}
if ($_GET["script"] == "db") {
$sums = array("Data_length" => 0, "Index_length" => 0, "Data_free" => 0);