Add token to href to prevent CSRF
|Reported by:||shesek||Owned by:||hasienda|
This isn't critical at all, but there's a CSRF issue. One can force other users to vote for tickets by making them send request to the vote URL. For example, he can embed it as an image in a ticket - and than anyone viewing the ticket and requesting the image would vote-up without knowing.
This can be fixed by passing the token in the URL and making sure its there when processing the request.
Change History (27)
comment:2 in reply to: ↑ 1 ; follow-up: ↓ 3 Changed 3 years ago by hasienda
- Keywords CSRF token added