Diffstat (limited to 'www')
| -rw-r--r-- | www/admin.php | 5 | 
1 files changed, 3 insertions, 2 deletions
diff --git a/www/admin.php b/www/admin.php
index 1dc21bd..f9b9b8d 100644
--- a/www/admin.php
+++ b/www/admin.php
@@ -47,8 +47,9 @@ if ( !$currentUser->isAdmin() ) {
 @list($url, $action, $user) = isset($_SERVER['PATH_INFO']) ? explode('/', $_SERVER['PATH_INFO']) : NULL;
-if ( $action
-&& (strpos($_SERVER['HTTP_REFERER'], ROOT.'admin') === 0)  // Prevent CSRF attacks
+if ($action
+    && (strpos($_SERVER['HTTP_REFERER'], ROOT.'admin') <= 6)
+    // Prevent CSRF attacks. 6 is needed for "//example.org"-root urls
 ) {
 	switch ( $action ) {
 		case 'delete': | 
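Review bot: The new condition `strpos($_SERVER['HTTP_REFERER'], ROOT.'admin') <= 6` is true whenever strpos returns `false` (needle absent, or an empty/missing Referer, since PHP compares `false <= 6` as `0 <= 6`), so the CSRF guard the comment describes now admits every cross-origin request instead of only same-origin ones — the old `=== 0` at least rejected the not-found case. Check for `false` explicitly and read the header defensively, e.g. `$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';`, `$pos = strpos($referer, ROOT.'admin');`, `if ($action && $pos !== false && $pos <= 6`. Even fixed, a Referer prefix check is a weak CSRF defence (the header is optional and can be stripped by browser policy or proxies, and a prefix match does not anchor the scheme/host precisely); a per-session CSRF token on the delete action is the robust replacement, and the guard should fail closed when the header is absent. Note the hunk header announces 8/9 lines but fewer are shown, and the `switch` body this condition protects continues outside the hunk.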
