| author | 2016-08-13 19:10:32 +0200 | |
|---|---|---|
| committer | 2016-08-13 19:10:32 +0200 | |
| commit | 56ffc115d15bf136bfced74707ccc1f41c7b5e44 (patch) | |
| tree | 6149b276b06d5d8fe295c020bed842f91c0bcd15 /app/Models/Auth.php | |
| parent | e6fd34bdda5d067a9e74714aaae10c89ed998a46 (diff) | |
Do not mix POST and GET params
Avoid returning CSRF POST token for a GET
Diffstat (limited to 'app/Models/Auth.php')
| -rw-r--r-- | app/Models/Auth.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/Models/Auth.php b/app/Models/Auth.php index f0e8db5a2..b93942e19 100644 --- a/app/Models/Auth.php +++ b/app/Models/Auth.php @@ -173,7 +173,7 @@ class FreshRSS_Auth { return true; //Not logged in yet } if ($token === null) { - $token = Minz_Request::param('_csrf'); + $token = Minz_Request::fetchPOST('_csrf'); } return $token === $csrf; } |
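Review bot: The unchanged `return $token === $csrf;` at the end of this hunk still compares the secret token with `===`, which is not a constant-time comparison. Since the surrounding lines are being touched anyway, consider `hash_equals($csrf, $token)` behind an `is_string($token)` check, where the supported PHP versions provide it. A short comment at the `Minz_Request::fetchPOST('_csrf')` line saying the token is accepted from the POST body only would keep a later edit from switching back to `Minz_Request::param()`. Please also confirm what `fetchPOST` returns when `_csrf` is absent, so that a missing field can never compare equal to `$csrf`.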
