CSRF protection of included JavaScript
parent
031a82a4ad
commit
6f5c1981a0
|
@ -155,6 +155,6 @@ if ($_GET["ns"] !== "") {
|
||||||
}
|
}
|
||||||
|
|
||||||
page_footer();
|
page_footer();
|
||||||
echo "<script type='text/javascript' src='" . h(ME) . "script=db'></script>\n";
|
echo "<script type='text/javascript' src='" . h(ME . "script=db&token=$token") . "'></script>\n";
|
||||||
exit; // page_footer() already called
|
exit; // page_footer() already called
|
||||||
}
|
}
|
||||||
|
|
|
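Review bot: The new `src` value on the `script=db` line interpolates `$token` into the query string without URL-encoding it, and carrying the token in a GET URL means it is recorded in web-server access logs, proxy logs and browser history. `h()` is presumably HTML escaping for the attribute only. If the token can contain `&`, `+` or `%` (its format is not visible here), the value received in `$_GET["token"]` will not match and the script will silently stop loading; `h(ME . "script=db&token=" . urlencode($token))` avoids that. If this is the same token that protects state-changing POST forms, a separate value for script includes would keep a logged URL from disclosing the form token. The same points apply to the `script=connect` line in the connect_error() hunk.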
@ -43,7 +43,7 @@ function connect_error() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
page_footer("db");
|
page_footer("db");
|
||||||
echo "<script type='text/javascript' src='" . h(ME) . "script=connect'></script>\n";
|
echo "<script type='text/javascript' src='" . h(ME . "script=connect&token=$token") . "'></script>\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_GET["status"])) {
|
if (isset($_GET["status"])) {
|
||||||
|
|
|
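Review bot: `$token` is read on the new `script=connect` echo line, which the hunk header places in or just after `connect_error()`, and nothing visible in the hunk brings that variable into function scope. If the line is inside the function and `$token` is a global, the function needs `global $token;` (or its existing `global` list extended); otherwise the URL is emitted with an empty `token=` and the check added in the script file rejects the request, so the connect-page script never loads. The function's opening lines are outside this hunk, so this should be confirmed against the full file.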
@ -1,5 +1,8 @@
|
||||||
<?php
|
<?php
|
||||||
header("Content-Type: text/javascript; charset=utf-8");
|
header("Content-Type: text/javascript; charset=utf-8");
|
||||||
|
if ($_GET["token"] != $token) { // CSRF protection
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
if ($_GET["script"] == "db") {
|
if ($_GET["script"] == "db") {
|
||||||
$sums = array("Data_length" => 0, "Index_length" => 0, "Data_free" => 0);
|
$sums = array("Data_length" => 0, "Index_length" => 0, "Data_free" => 0);
|
||||||
|
|
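Review bot: The added guard `if ($_GET["token"] != $token)` uses a loose comparison, reads `$_GET["token"]` without checking that it is set, and does not reject an empty `$token`. In PHP, `!=` compares two numeric-looking strings numerically, so values that differ as strings can compare equal, and if `$token` is ever empty or undefined at this point a request with no `token` parameter passes the check. Suggest `if (!isset($_GET["token"]) || !is_string($_GET["token"]) || (string) $token === "" || $_GET["token"] !== (string) $token) {`, or `hash_equals()` on PHP versions that provide it, which also makes the comparison constant-time. Where `$token` is assigned is not visible in this hunk, so a short comment naming its source next to the `// CSRF protection` remark would help the next reader.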