# HG changeset patch
# User Dan
# Date 1250813960 14400
# Node ID ef2dbcac5d5643e2b23b8ebe3f2a36a2a47706b1
# Parent d1c41601ef39c485518302b1327a09eadc70e398
SECURITY: UCP: Added CSRF protection on Profile (unneeded on EmailPassword due to USER_LEVEL_CHPREF requirement)
diff -r d1c41601ef39 -r ef2dbcac5d56 plugins/SpecialUserPrefs.php
--- a/plugins/SpecialUserPrefs.php Thu Aug 20 20:03:31 2009 -0400
+++ b/plugins/SpecialUserPrefs.php Thu Aug 20 20:19:20 2009 -0400
@@ -305,6 +305,10 @@
 $template->tpl_strings['PAGE_NAME'] = $lang->get('usercp_signature_title');
 break;
 case 'Profile':
+ case 'Home':
+ if ( isset($_POST['submit']) )
+ csrf_request_confirm();
+
 $template->tpl_strings['PAGE_NAME'] = $lang->get('usercp_publicinfo_title');
 break;
 }
@@ -778,6 +782,8 @@
 csrf_token . '" />'; echo ''; break; case 'Avatar':
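Review bot: In the first hunk the token check under `case 'Profile':` / `case 'Home':` runs only when `$_POST['submit']` is set, so a handler in these sections that acts on any other POST field would run without it; the handlers are outside this hunk, so that needs confirming. Gating on the request method does not depend on a field name: `if ( $_SERVER['REQUEST_METHOD'] === 'POST' ) { csrf_request_confirm(); }`, and the braces also keep a later edit from detaching the call from its condition. The added `case 'Home':` label falls through to the `usercp_publicinfo_title` assignment, which looks unintended for the Home section unless an earlier `case 'Home':` in the same switch (not visible here) matches first. The switch begins and ends outside the hunk.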