Added prototype of CSRF protection for forms
authorAlexander Ebert <ebert@woltlab.com>
Wed, 2 Oct 2013 18:03:03 +0000 (20:03 +0200)
committerAlexander Ebert <ebert@woltlab.com>
Wed, 2 Oct 2013 18:03:03 +0000 (20:03 +0200)
com.woltlab.wcf/templates/avatarEdit.tpl
com.woltlab.wcf/templates/formErrorSecurityToken.tpl [new file with mode: 0644]
wcfsetup/install/files/lib/form/AbstractSecureForm.class.php
wcfsetup/install/files/lib/form/AvatarEditForm.class.php

index b5a3d7c4319c504854877e5e71f5abf6c6476312..74979e3f82483235c706d23f9599d7bd4b955bcc 100644 (file)
@@ -18,6 +18,8 @@
 
 {include file='userNotice'}
 
+{include file='formErrorSecurityToken'}
+
 {if $__wcf->user->disableAvatar}
        <p class="error">{lang}wcf.user.avatar.error.disabled{/lang}</p>
 {/if}
        {if !$__wcf->user->disableAvatar}
                <div class="formSubmit">
                        <input type="submit" value="{lang}wcf.global.button.submit{/lang}" accesskey="s" />
+                       {@SECURITY_TOKEN_INPUT_TAG}
                </div>
        {/if}
 </form>
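Review bot: The hidden field emitted by `{@SECURITY_TOKEN_INPUT_TAG}` has to carry the name `t`, because `AbstractSecureForm::checkSecurityToken()` in this commit reads `$_POST['t']` and nothing else; the constant's markup is not visible here, so confirm the two agree or the form will always fail validation. The tag sits inside the `{if !$__wcf->user->disableAvatar}` block together with the submit button, which is consistent, but the `<form>` opening tag is outside the hunk, so verify no other submit path in this template posts without the token. The second hunk of this section is shown without its `@@` header.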
diff --git a/com.woltlab.wcf/templates/formErrorSecurityToken.tpl b/com.woltlab.wcf/templates/formErrorSecurityToken.tpl
new file mode 100644 (file)
index 0000000..68ae1d8
--- /dev/null
@@ -0,0 +1,5 @@
+{if $errorField}
+       {if ($errorField|is_array && $errorField[__securityToken]|isset) || $errorField == '__securityToken'}
+               <p class="error">{lang}wcf.global.form.error.securityToken{/lang}</p>
+       {/if}
+{/if}
\ No newline at end of file
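Review bot: The new template is missing a trailing newline (`\ No newline at end of file`), which the other templates in this commit have; add one. The outer `{if $errorField}` looks redundant, since the inner condition is already false for an empty or unset `$errorField` (neither `is_array` nor the `== '__securityToken'` comparison can hold), so the block could collapse to the inner `{if ... }` alone unless the outer guard is there to silence a notice on an undefined variable — presumably that is the reason, so confirm before removing it. A one-line header comment such as `{* renders the CSRF error for forms derived from AbstractSecureForm; $errorField may be a string or an array *}` would make the dual string/array handling on the second line self-explanatory.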
index 126ba235a458b206a2d4fbbf7a145ea885ca9518..46ee24acd57d2959c0ce899de2bda1d2c07910a9 100644 (file)
@@ -1,11 +1,11 @@
 <?php
 namespace wcf\form;
-use wcf\system\exception\IllegalLinkException;
+use wcf\system\exception\UserInputException;
 use wcf\system\WCF;
 
 /**
  * Extends AbstractForm by a function to validate a given security token.
- * A missing or invalid token will be result in a throw of a IllegalLinkException.
+ * A missing or invalid token will be result in a throw of a UserInputException.
  * 
  * @author     Marcel Werk
  * @copyright  2001-2013 WoltLab GmbH
@@ -16,12 +16,11 @@ use wcf\system\WCF;
  */
 abstract class AbstractSecureForm extends AbstractForm {
        /**
-        * @see wcf\form\IForm::readFormParameters()
+        * @see wcf\form\IForm::validate()
         */
-       public function readFormParameters() {
-               parent::readFormParameters();
+       public function validate() {
+               parent::validate();
                
-               // check security token
                $this->checkSecurityToken();
        }
        
@@ -30,7 +29,7 @@ abstract class AbstractSecureForm extends AbstractForm {
         */
        protected function checkSecurityToken() {
                if (!isset($_POST['t']) || !WCF::getSession()->checkSecurityToken($_POST['t'])) {
-                       throw new IllegalLinkException();
+                       throw new UserInputException('__securityToken');
                }
        }
 }
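Review bot: `checkSecurityToken()` is now called only after `parent::validate()` returns, so on a request with a missing or forged token everything `AbstractForm::validate()` does (including any listeners it triggers) runs before the request is rejected, whereas the old `readFormParameters()` hook rejected it earlier; check the token first, `$this->checkSecurityToken();` then `parent::validate();`, so a forged request does no work beyond the comparison. Because the check moved into `validate()`, any subclass that overrides `validate()` without calling `parent::validate()` silently loses CSRF protection, which is worth stating in the class docblock. The docblock sentence at the top of this section reads awkwardly; suggest `A missing or invalid token results in a UserInputException for the field '__securityToken'.`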
index d12a39900c1b571ec7de32c890c7f77a04740cbd..f456d6ef883e1a648cca8fe40e2a3c2284414c47 100644 (file)
@@ -18,7 +18,7 @@ use wcf\system\WCF;
  * @subpackage form
  * @category   Community Framework
  */
-class AvatarEditForm extends AbstractForm {
+class AvatarEditForm extends AbstractSecureForm {
        /**
         * @see wcf\page\AbstractPage::$enableTracking
         */
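Review bot: Switching the parent to `AbstractSecureForm` only protects this form if its own `validate()` override, which is outside the hunk, calls `parent::validate()`, since the token check in this commit lives there rather than in `readFormParameters()`; please confirm that call exists. If `AvatarEditForm` also accepts the upload through another handler that bypasses `validate()`, that path would remain unprotected — this cannot be seen from the hunk.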