diff options
author | Marc Alexander <admin@m-a-styles.de> | 2019-11-11 20:35:09 +0100 |
---|---|---|
committer | Marc Alexander <admin@m-a-styles.de> | 2019-12-26 15:05:53 +0100 |
commit | 6320da67e4f031e5d47c74ecaea477c2e721f99a (patch) | |
tree | 74599c17a990c5d56d5bf08707d20c4c6598100e /phpBB | |
parent | [prep-release-3.2.9] Add changelog for 3.2.9-RC1 (diff) | |
download | phpbb-6320da67e4f031e5d47c74ecaea477c2e721f99a.tar.gz phpbb-6320da67e4f031e5d47c74ecaea477c2e721f99a.tar.bz2 phpbb-6320da67e4f031e5d47c74ecaea477c2e721f99a.zip |
[ticket/security-249] Do not handle avatar submit on invalid token
SECURITY-249
Diffstat (limited to 'phpBB')
-rw-r--r-- | phpBB/includes/ucp/ucp_groups.php | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/phpBB/includes/ucp/ucp_groups.php b/phpBB/includes/ucp/ucp_groups.php index 2423af86be..24b94126b0 100644 --- a/phpBB/includes/ucp/ucp_groups.php +++ b/phpBB/includes/ucp/ucp_groups.php @@ -534,7 +534,12 @@ class ucp_groups 'teampage' => $group_row['group_teampage'], ); - if ($config['allow_avatar']) + if (!check_form_key('ucp_groups')) + { + $error[] = $user->lang['FORM_INVALID']; + } + + if (!count($error) && $config['allow_avatar']) { // Handle avatar $driver_name = $phpbb_avatar_manager->clean_driver_name($request->variable('avatar_driver', '')); @@ -556,11 +561,6 @@ class ucp_groups $error = array_merge($error, $phpbb_avatar_manager->localize_errors($user, $avatar_error)); } - if (!check_form_key('ucp_groups')) - { - $error[] = $user->lang['FORM_INVALID']; - } - // Validate submitted colour value if ($colour_error = validate_data($submit_ary, array('colour' => array('hex_colour', true)))) { |