OpenRA / openrauseraccounts

Connect phpBB forum accounts to OpenRA installations
https://forum.openra.net/ucp.php?i=232
GNU General Public License v2.0

Check form key within each mode instead of class #6

Closed ghost closed 6 years ago

ghost commented 6 years ago

Form key handling needs more investigation. The form key is currently only checked for submitting keys and not for revoking keys in the manage keys mode. Revoking keys is mainly based on how log entries are deleted from mcp logs, and there the form key is not checked. However, the form key is checked in some other very similar pieces of code, for example when deleting entries in acp_users.php at Ln. 1186, which uses a very similar method. Due to this inconsistent handling in the phpBB code, the recommended method is unknown at the moment.

ghost commented 6 years ago

The form key does not need to be checked when using a confirm box. https://wiki.phpbb.com/Function.confirm_box
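
The pattern discussed in this issue, as an added example that is not part of the thread or of the extension's code: the form key is checked inside the mode for the direct submit, while the revoke path goes through `confirm_box()` instead. The module class, form name, field names and table are hypothetical, and the code assumes it is loaded as a module inside a phpBB 3.x installation.

```php
<?php
// Added illustration, not code from openrauseraccounts. The class, form,
// field and table names are hypothetical; the functions are phpBB 3.x core.
if (!defined('IN_PHPBB'))
{
	exit;
}

class ucp_example_keys_module
{
	public $u_action;

	public function main($id, $mode)
	{
		global $db, $request, $user;

		if ($mode !== 'manage_keys')
		{
			return;
		}
		$table = 'phpbb_example_keys';     // hypothetical table
		$uid = (int) $user->data['user_id'];
		$form = 'ucp_example_manage_keys'; // form key name scoped to this mode
		add_form_key($form);               // emits the hidden token fields

		if ($request->is_set_post('submit'))
		{
			// Direct state change: the form key must validate first.
			if (!check_form_key($form))
			{
				trigger_error('FORM_INVALID');
			}
			$row = array('user_id' => $uid, 'pubkey' => $request->variable('pubkey', ''));
			$db->sql_query("INSERT INTO $table " . $db->sql_build_array('INSERT', $row));
		}
		else if ($request->is_set_post('revoke') && ($ids = $request->variable('mark', array(0))))
		{
			if (confirm_box(true))
			{
				// Only reached after the user accepted the confirm box.
				$db->sql_query("DELETE FROM $table WHERE user_id = $uid AND " . $db->sql_in_set('item_id', $ids));
			}
			else
			{
				// First pass: re-post the request through the confirmation page.
				$hidden = build_hidden_fields(array('revoke' => true, 'mark' => $ids));
				confirm_box(false, 'CONFIRM_OPERATION', $hidden);
			}
		}
	}
}
```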