Protect message settings with sesskey. MDL-16688 ; merged from 19_STABLE

alseambusher · Sep 25, 2008 · d6b4fed · d6b4fed
1 parent 13d974c
commit d6b4fed
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/message/lib.php b/message/lib.php
@@ -205,7 +205,7 @@ function message_print_search() {
 function message_print_settings() {
     global $USER;
 
-    if ($frm = data_submitted()) {
+    if ($frm = data_submitted() and confirm_sesskey()) {
 
         $pref = array();
         $pref['message_showmessagewindow'] = (isset($frm->showmessagewindow)) ? '1' : '0';

diff --git a/message/settings.html b/message/settings.html
@@ -1,5 +1,8 @@
 <form id="message_settings" action="index.php" method="post">
-<div><input type="hidden" name="tab" value="settings" /></div>
+<div>
+    <input type="hidden" name="tab" value="settings" />
+    <input type="hidden" name="sesskey" value="<?php echo sesskey() ?>" />
+</div>
 
 
 <table cellpadding="5"  class="message_form boxaligncenter">