Add CSRF checks to profile editing.

jocadbz
Joca 2026-03-06 14:53:17 -03:00
parent 730b05dd58
commit 47ebf77f24
Signed by: jocadbz
GPG Key ID: B1836DCE2F50BDF7
2 changed files with 7 additions and 0 deletions


@ -23,6 +23,11 @@ func ProfileEditHandler(app *App) http.HandlerFunc {
} }
if r.Method == http.MethodPost { if r.Method == http.MethodPost {
if !app.validateCSRFToken(r, session) {
http.Error(w, "Invalid CSRF token", http.StatusForbidden)
return
}
// Handle file upload // Handle file upload
file, handler, err := r.FormFile("pfp") file, handler, err := r.FormFile("pfp")
if err == nil { if err == nil {
@ -118,6 +123,7 @@ func ProfileEditHandler(app *App) http.HandlerFunc {
BasePath: app.Config.ThreadrDir, BasePath: app.Config.ThreadrDir,
StaticPath: app.Config.ThreadrDir + "/static", StaticPath: app.Config.ThreadrDir + "/static",
CurrentURL: r.URL.RequestURI(), CurrentURL: r.URL.RequestURI(),
CSRFToken: app.csrfToken(session),
}, },
User: *user, User: *user,
} }
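Review bot: The CSRF check at the top of the POST branch runs before `r.FormFile("pfp")`, so `validateCSRFToken` is the first thing to parse the multipart body and, presumably via `r.FormValue`, does so under net/http's default 32 MiB in-memory limit rather than a limit this handler chooses; a body that fails to parse would then surface as a 403 "Invalid CSRF token" instead of a 400, which hides upload problems behind CSRF failures in logs. Consider parsing explicitly before the check, e.g. `if err := r.ParseMultipartForm(<MAX_UPLOAD_BYTES>); err != nil { http.Error(w, "Bad request", http.StatusBadRequest); return }` (placeholder limit), optionally after wrapping `r.Body` with `http.MaxBytesReader`. The new check also says nothing about what it compares; a one-line comment such as `// Reject the POST unless the csrf_token field matches this session's token; this must run before any state change.` would make the contract visible to the next reader. `ProfileEditHandler` starts outside the hunk, and the second hunk only adds `CSRFToken` to the template data, which is consistent with the form field the template submits.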


@ -14,6 +14,7 @@
</header> </header>
<section> <section>
<form method="post" action="{{.BasePath}}/profile/edit/" enctype="multipart/form-data"> <form method="post" action="{{.BasePath}}/profile/edit/" enctype="multipart/form-data">
<input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
<label for="display_name">Display Name:</label> <label for="display_name">Display Name:</label>
<input type="text" id="display_name" name="display_name" value="{{.User.DisplayName}}" maxlength="255"><br> <input type="text" id="display_name" name="display_name" value="{{.User.DisplayName}}" maxlength="255"><br>
<label for="pfp">Profile Picture:</label> <label for="pfp">Profile Picture:</label>
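Review bot: The hidden field name `csrf_token` added here is an unstated contract with `validateCSRFToken` on the Go side, and nothing in the template records it; a template comment on the line above, `{{/* csrf_token is checked by ProfileEditHandler on every POST; keep the name in sync with validateCSRFToken */}}`, would keep the two from drifting. Whether `.CSRFToken` is attribute-escaped depends on this form being rendered with html/template rather than text/template, which this page does not show; worth confirming, since the value lands inside a quoted attribute.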