Add CSRF check

diff --git a/apps/files/admin.php b/apps/files/admin.php
index a8f2deffc927a0d8fb70c658f57046fa80179e4c..0f5b3d1218df74de0e049d4f1db970d041c13b86 100644 (file)
--- a/apps/files/admin.php
+++ b/apps/files/admin.php
@@ -32,7 +32,7 @@ $htaccessWorking=(getenv('htaccessWorking')=='true');
 $upload_max_filesize = OCP\Util::computerFileSize(ini_get('upload_max_filesize'));
 $post_max_size = OCP\Util::computerFileSize(ini_get('post_max_size'));
 $maxUploadFilesize = OCP\Util::humanFileSize(min($upload_max_filesize, $post_max_size));
-if($_POST) {
+if($_POST && OC_Util::isCallRegistered()) {
        if(isset($_POST['maxUploadSize'])) {
                if(($setMaxSize = OC_Files::setUploadLimit(OCP\Util::computerFileSize($_POST['maxUploadSize']))) !== false) {
                        $maxUploadFilesize = OCP\Util::humanFileSize($setMaxSize);

diff --git a/apps/files/templates/admin.php b/apps/files/templates/admin.php
index c4fe4c86569ad3298a543f450cc9e69dd614af6d..5869ed21072f26a9604f470d21517b084be5cfcb 100644 (file)
--- a/apps/files/templates/admin.php
+++ b/apps/files/templates/admin.php
@@ -11,6 +11,7 @@
                        <input name="maxZipInputSize" id="maxZipInputSize" style="width:180px;" value='<?php echo $_['maxZipInputSize'] ?>' title="<?php echo $l->t( '0 is unlimited' ); ?>"<?php if (!$_['allowZipDownload']) echo ' disabled="disabled"'; ?> />
                        <label for="maxZipInputSize"><?php echo $l->t( 'Maximum input size for ZIP files' ); ?> </label><br />
 
+               <input type="hidden" value="<?php echo $_['requesttoken']; ?>" name="requesttoken" />
                <input type="submit" name="submitFilesAdminSettings" id="submitFilesAdminSettings" value="<?php echo $l->t( 'Save' ); ?>"/>
        </fieldset>
 </form>