aboutsummaryrefslogtreecommitdiff
path: root/phpBB
diff options
context:
space:
mode:
authorMarc Alexander <admin@m-a-styles.de>2019-11-11 20:35:09 +0100
committerMarc Alexander <admin@m-a-styles.de>2019-12-26 15:05:53 +0100
commit6320da67e4f031e5d47c74ecaea477c2e721f99a (patch)
tree74599c17a990c5d56d5bf08707d20c4c6598100e /phpBB
parent[prep-release-3.2.9] Add changelog for 3.2.9-RC1 (diff)
downloadphpbb-6320da67e4f031e5d47c74ecaea477c2e721f99a.tar.gz
phpbb-6320da67e4f031e5d47c74ecaea477c2e721f99a.tar.bz2
phpbb-6320da67e4f031e5d47c74ecaea477c2e721f99a.zip
[ticket/security-249] Do not handle avatar submit on invalid token
SECURITY-249
Diffstat (limited to 'phpBB')
-rw-r--r--phpBB/includes/ucp/ucp_groups.php12
1 files changed, 6 insertions, 6 deletions
diff --git a/phpBB/includes/ucp/ucp_groups.php b/phpBB/includes/ucp/ucp_groups.php
index 2423af86be..24b94126b0 100644
--- a/phpBB/includes/ucp/ucp_groups.php
+++ b/phpBB/includes/ucp/ucp_groups.php
@@ -534,7 +534,12 @@ class ucp_groups
'teampage' => $group_row['group_teampage'],
);
- if ($config['allow_avatar'])
+ if (!check_form_key('ucp_groups'))
+ {
+ $error[] = $user->lang['FORM_INVALID'];
+ }
+
+ if (!count($error) && $config['allow_avatar'])
{
// Handle avatar
$driver_name = $phpbb_avatar_manager->clean_driver_name($request->variable('avatar_driver', ''));
@@ -556,11 +561,6 @@ class ucp_groups
$error = array_merge($error, $phpbb_avatar_manager->localize_errors($user, $avatar_error));
}
- if (!check_form_key('ucp_groups'))
- {
- $error[] = $user->lang['FORM_INVALID'];
- }
-
// Validate submitted colour value
if ($colour_error = validate_data($submit_ary, array('colour' => array('hex_colour', true))))
{