From: Alexander Ebert Date: Thu, 12 Dec 2013 12:49:10 +0000 (+0100) Subject: Fixed CSRF protection for new password form X-Git-Tag: 2.0.1~57 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=1ebde074c5bc934da966443802d7333391b75b2b;p=GitHub%2FWoltLab%2FWCF.git Fixed CSRF protection for new password form
---
diff --git a/wcfsetup/install/files/lib/form/NewPasswordForm.class.php b/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
index ec5fd7289f..47fb3b2683 100644
--- a/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
+++ b/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
@@ -61,6 +61,11 @@ class NewPasswordForm extends AbstractForm {
 if (isset($_REQUEST['u'])) $this->userID = intval($_REQUEST['u']);
 if (isset($_REQUEST['k'])) $this->lostPasswordKey = StringUtil::trim($_REQUEST['k']);
+
+ // disable check for security token for GET requests
+ if ($this->userID || $this->lostPasswordKey) {
+ $_POST['t'] = WCF::getSession()->getSecurityToken();
+ }
 }
 /**
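Review bot: The added guard `if ($this->userID || $this->lostPasswordKey)` never tests the request method, so it also overwrites `$_POST['t']` with the valid session token on POST submissions that carry `u` or `k` (both are read from `$_REQUEST`). That is broader than the comment's "for GET requests". If the token check, which is not visible here and is presumably in the parent form class, reads `$_POST['t']`, it can no longer fail for this form, leaving the secrecy of the lost-password key as the only protection. Limiting the bypass to the link-click case, e.g. `if (empty($_POST) && ($this->userID || $this->lostPasswordKey)) {`, would keep the token check for real form submissions, and the comment should say why the bypass is acceptable (the key in the mailed link acts as the secret). The enclosing method begins outside the hunk.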