From: Lukas Reschke <lukas@statuscode.ch>
Date: Thu, 1 Nov 2012 22:52:04 +0000 (+0100)
Subject: Add CSRF token
X-Git-Tag: v5.0.0alpha1~523
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=0f02b7dea65ee13b6b29dc16a0de5a4ab5c9b01d;p=nextcloud-server.git

Add CSRF token
---

diff --git a/apps/files/admin.php b/apps/files/admin.php
index e8b3cb0aca0..c183a4ba4b4 100644
--- a/apps/files/admin.php
+++ b/apps/files/admin.php
@@ -35,7 +35,7 @@ $post_max_size = OCP\Util::computerFileSize(ini_get('post_max_size'));
 $post_max_size_possible = OCP\Util::computerFileSize(get_cfg_var('post_max_size'));
 $maxUploadFilesize = OCP\Util::humanFileSize(min($upload_max_filesize, $post_max_size));
 $maxUploadFilesizePossible = OCP\Util::humanFileSize(min($upload_max_filesize_possible, $post_max_size_possible));
-if($_POST) {
+if($_POST && OC_Util::isCallRegistered) {
 	if(isset($_POST['maxUploadSize'])) {
 		if(($setMaxSize = OC_Files::setUploadLimit(OCP\Util::computerFileSize($_POST['maxUploadSize']))) !== false) {
 			$maxUploadFilesize = OCP\Util::humanFileSize($setMaxSize);
diff --git a/apps/files/templates/admin.php b/apps/files/templates/admin.php
index c4fe4c86569..5869ed21072 100644
--- a/apps/files/templates/admin.php
+++ b/apps/files/templates/admin.php
@@ -11,6 +11,7 @@
 			<input name="maxZipInputSize" id="maxZipInputSize" style="width:180px;" value='<?php echo $_['maxZipInputSize'] ?>' title="<?php echo $l->t( '0 is unlimited' ); ?>"<?php if (!$_['allowZipDownload']) echo ' disabled="disabled"'; ?> />
 			<label for="maxZipInputSize"><?php echo $l->t( 'Maximum input size for ZIP files' ); ?> </label><br />
 
+		<input type="hidden" value="<?php echo $_['requesttoken']; ?>" name="requesttoken" />
 		<input type="submit" name="submitFilesAdminSettings" id="submitFilesAdminSettings" value="<?php echo $l->t( 'Save' ); ?>"/>
 	</fieldset>
 </form>