| author | Andrew Dolgov <noreply@fakecake.org> | 2021-02-24 21:56:52 +0300 |
|---|---|---|
| committer | Andrew Dolgov <noreply@fakecake.org> | 2021-02-24 21:56:52 +0300 |
| commit | 93940d2a9f80d9e1dac49b5eb7db23230d31c5f6 (patch) | |
| tree | 71016661f6017918d0934eb462bd9552018d557a /classes/pluginhandler.php | |
| parent | 8b022c2bfb356d7dddaf334bc931d6dec77086fb (diff) | |
| parent | 1adacd057230aea4ede29dab510385bf01cf99a3 (diff) | |
Merge branch 'master' of git.fakecake.org:fox/tt-rss into weblate-integration
Diffstat (limited to 'classes/pluginhandler.php')
| -rw-r--r-- | classes/pluginhandler.php | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/classes/pluginhandler.php b/classes/pluginhandler.php
index 9682e440f..75b823822 100644
--- a/classes/pluginhandler.php
+++ b/classes/pluginhandler.php
@@ -7,17 +7,23 @@ class PluginHandler extends Handler_Protected {
 function catchall($method) {
 $plugin_name = clean($_REQUEST["plugin"]);
 $plugin = PluginHost::getInstance()->get_plugin($plugin_name);
+$csrf_token = ($_POST["csrf_token"] ?? "");
 if ($plugin) {
 if (method_exists($plugin, $method)) {
-$plugin->$method();
+if (validate_csrf($csrf_token) || $plugin->csrf_ignore($method)) {
+$plugin->$method();
+} else {
+user_error("Rejected ${plugin_name}->${method}(): invalid CSRF token.", E_USER_WARNING);
+print Errors::to_json(Errors::E_UNAUTHORIZED);
+}
 } else {
-user_error("PluginHandler: Requested unknown method '$method' of plugin '$plugin_name'.", E_USER_WARNING);
-print error_json(13);
+user_error("Rejected ${plugin_name}->${method}(): unknown method.", E_USER_WARNING);
+print Errors::to_json(Errors::E_UNKNOWN_METHOD);
 }
 } else {
-user_error("PluginHandler: Requested method '$method' of unknown plugin '$plugin_name'.", E_USER_WARNING);
-print error_json(14);
+user_error("Rejected ${plugin_name}->${method}(): unknown plugin.", E_USER_WARNING);
+print Errors::to_json(Errors::E_UNKNOWN_PLUGIN);
 }
 }
 } |
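Review bot: The new CSRF gate leaves its opt-out contract undocumented: because `validate_csrf($csrf_token) || $plugin->csrf_ignore($method)` short-circuits, every method for which a plugin's `csrf_ignore()` returns true is dispatched with no token check at all, which is exactly what a future plugin author needs to know before overriding it. A comment above that `if`, e.g. `// every plugin entry point requires a valid CSRF token unless the plugin explicitly opts the method out via csrf_ignore(); keep that list to read-only handlers`, would make the safe-by-default intent visible at the gate rather than only in the base class. Two smaller points on the same lines: the `${plugin_name}->${method}` form inside the three new `user_error()` strings is the dollar-brace interpolation PHP 8.2 deprecates, so `{$plugin_name}->{$method}` is the forward-compatible spelling; and `$method` is interpolated into those log messages as received (only `$plugin_name` went through `clean()`), so unless the router already restricts it to an identifier, the unknown-method branch writes caller-chosen text to the log, which is worth confirming.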