Occurs in the rare situation where a logged out user tries to POST a CSRF token. Signed-off-by: canyonknight <canyonknight@gmail.com> --- web/lib/aur.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 387d81d..e02c835 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -94,7 +94,7 @@ function check_sid($dbh=NULL) { * @return bool True if the CSRF token is the same as the cookie SID, otherwise false */ function check_token() { - if (isset($_POST['token'])) { + if (isset($_POST['token']) && isset($_COOKIE['AURSID'])) { return ($_POST['token'] == $_COOKIE['AURSID']); } else { return false; -- 1.8.1.1