diff options
| author | jim-p <jimp@pfsense.org> | 2015-12-21 10:47:54 -0500 |
|---|---|---|
| committer | jim-p <jimp@pfsense.org> | 2015-12-21 10:47:54 -0500 |
| commit | 3643958c95913d83a3417924f67517e6b2b41ff7 (patch) | |
| tree | b3eafb699faa76efc41924c8f6e39806ae7fbf6e | |
| parent | 4fa888b46cbd7816b9063de2a06f249105457111 (diff) | |
| download | pfsense-3643958c95913d83a3417924f67517e6b2b41ff7.zip pfsense-3643958c95913d83a3417924f67517e6b2b41ff7.tar.gz | |
Only disable CSRF on diag_backup.php for the download action where it might be scripted. Other actions need its protection.
| -rw-r--r-- | usr/local/www/diag_backup.php | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/usr/local/www/diag_backup.php b/usr/local/www/diag_backup.php index ddab190..cf4c664 100644 --- a/usr/local/www/diag_backup.php +++ b/usr/local/www/diag_backup.php @@ -50,7 +50,9 @@ ini_set('max_input_time', '0'); /* omit no-cache headers because it confuses IE with file downloads */ $omit_nocacheheaders = true; -$nocsrf = true; +if (stristr($_POST['Submit'], gettext("Download"))) { + $nocsrf = true; +} require("guiconfig.inc"); require_once("functions.inc"); require_once("filter.inc"); |
