From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Thu, 06 Aug 2015 03:18:44 -0400
Subject: [PATCH] - don't set password via remoting if field is empty

---
 interface/web/admin/language_add.php |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/interface/web/admin/language_add.php b/interface/web/admin/language_add.php
index 3444179..f58a2db 100644
--- a/interface/web/admin/language_add.php
+++ b/interface/web/admin/language_add.php
@@ -32,6 +32,7 @@
 
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
 
 //* This is only allowed for administrators
 if(!$app->auth->is_admin()) die('only allowed for administrators.');
@@ -64,6 +65,10 @@
 $app->tpl->setVar('error', $error);
 
 if(isset($_POST['lng_new']) && strlen($_POST['lng_new']) == 2 && $error == '') {
+	
+	//* CSRF Check
+	$app->auth->csrf_token_check();
+	
 	$lng_new = $_POST['lng_new'];
 	if(!preg_match("/^[a-z]{2}$/i", $lng_new)) die('unallowed characters in language name.');
 
@@ -93,6 +98,11 @@
 
 $app->tpl->setVar('msg', $msg);
 
+//* SET csrf token
+$csrf_token = $app->auth->csrf_token_get('language_add');
+$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
+$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
+
 //* load language file
 $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_add.lng';
 include $lng_file;

--
Gitblit v1.9.1