From 1f79d614c4d24fdc0432fd6d080f29ca99b41fbf Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Thu, 17 Sep 2020 08:43:39 +0300
Subject: fix OTP QR code not displayed because of CSRF token passed as a query parameter

use type-strict comparison when validating CSRF token on the backend
---
 classes/handler/public.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'classes/handler/public.php')
diff --git a/classes/handler/public.php b/classes/handler/public.php
index 18be5c640..595473789 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -283,9 +283,12 @@ class Handler_Public extends Handler {
 	}
 
 	function logout() {
-		if ($_POST["csrf_token"] == $_SESSION["csrf_token"]) {
+		if (validate_csrf($_POST["csrf_token"])) {
 			logout_user();
 			header("Location: index.php");
+		} else {
+			header("Content-Type: text/json");
+			print error_json(6);
 		}
 	}
 
@@ -777,7 +780,7 @@ class Handler_Public extends Handler {
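Review bot: The new condition in logout() still reads `$_POST["csrf_token"]` directly, so a request that omits the field raises an undefined-index notice before the JSON error is printed, and on a display_errors setup that notice corrupts the response body; read it with a default, `if (validate_csrf($_POST["csrf_token"] ?? "")) {`, so a missing token goes cleanly down the new else branch. The failure response sets `text/json`; unless the rest of the file standardises on that, `application/json` is the registered media type. Whether validate_csrf also tolerates an unset `$_SESSION["csrf_token"]` and compares with `hash_equals()` rather than `===` is not visible in this hunk, so the "type-strict comparison" claim in the description cannot be confirmed here. The second hunk at line 777 is cut off in this view and is not reviewed.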
-- cgit v1.2.3-54-g00ecf