From e9c574a27c371612660efc0e1127641727d0cebb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come@opensides.be>
Date: Tue, 27 Aug 2019 15:16:55 +0200
Subject: [PATCH] :ambulance: fix(CSRF) Use a different message when CSRF token
 is unexpected

An attempt to make debugging CSRF protection problems easier.

issue #6023
---
 include/class_CSRFProtection.inc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/include/class_CSRFProtection.inc b/include/class_CSRFProtection.inc
index 695f93cad..a726c4592 100644
--- a/include/class_CSRFProtection.inc
+++ b/include/class_CSRFProtection.inc
@@ -1,7 +1,7 @@
 <?php
 /*
   This code is part of FusionDirectory (http://www.fusiondirectory.org/)
-  Copyright (C) 2017-2018 FusionDirectory
+  Copyright (C) 2017-2019 FusionDirectory
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -31,6 +31,10 @@ class CSRFProtection
 
     static::checkHeaders();
 
+    if (!session::is_set('CSRFtoken')) {
+      throw new FusionDirectoryException('Unexpected CSRF protection token');
+    }
+
     if ($_POST['CSRFtoken'] !== static::getToken()) {
       throw new FusionDirectoryException('CSRF protection token invalid');
     }
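Review bot: The message on the added throw describes the failure loosely: what the new check detects is that the session holds no 'CSRFtoken' entry at all, not that the submitted token is unexpected, so a log reader still cannot tell "no token was ever issued for this session" apart from "the submitted token does not match" as easily as the commit intends. Consider `throw new FusionDirectoryException('No CSRF protection token found in session');` and a one-line comment above the check, such as `// No token in session: nothing was issued for this session, so the POST value cannot be valid`. Whether getToken() would itself create a fresh token when the session has none is not visible here; if it does, the new check must stay ahead of the comparison, as it is now. The enclosing method starts before the hunk.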
-- 
GitLab