From 56ffc115d15bf136bfced74707ccc1f41c7b5e44 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sat, 13 Aug 2016 19:10:32 +0200
Subject: Do not mix POST and GET params

Avoid returning CSRF POST token for a GET
---
 app/Models/Auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'app/Models/Auth.php')

diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index f0e8db5a2..b93942e19 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -173,7 +173,7 @@ class FreshRSS_Auth {
 return true; //Not logged in yet
 }
 if ($token === null) {
- $token = Minz_Request::param('_csrf');
+ $token = Minz_Request::fetchPOST('_csrf');
 }
 return $token === $csrf;
 }
--
cgit v1.2.3
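Review bot: The comparison on the hunk's last context line, `return $token === $csrf;`, is a plain string equality rather than a constant-time compare; for a CSRF secret the usual form is `return is_string($token) && hash_equals($csrf, $token);`, provided the project's minimum PHP version supplies hash_equals() (5.6+) and `$csrf` is a string. The `is_string` guard also covers whatever `Minz_Request::fetchPOST()` returns when `_csrf` is absent from the POST body, which this hunk does not show. The enclosing FreshRSS_Auth method starts before the hunk, so where `$csrf` comes from is not visible here.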