From 1306853e1ef45a8da19b32e406914ff6a1e44315 Mon Sep 17 00:00:00 2001
From: Matt Pass
Date: Wed, 23 Apr 2014 07:23:02 +0100
Subject: [PATCH] Cannot use $_REQUEST, should be $_GET || $_POST

$_REQUEST appears to contain other system info, need to check on the existence of $_GET or $_POST data
---
 lib/headers.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/headers.php b/lib/headers.php
index 2eb16e6..1d638fd 100644
--- a/lib/headers.php
+++ b/lib/headers.php
@@ -6,7 +6,8 @@ if(!isset($_SESSION)) {@session_start();}
 if (!isset($_SESSION["csrf"])) {
 $_SESSION["csrf"] = md5(uniqid(mt_rand(), true));
 }
-if ($_REQUEST && $_REQUEST["csrf"] !== $_SESSION["csrf"]) {
+
+if (($_GET || $_POST) && $_REQUEST["csrf"] !== $_SESSION["csrf"]) {
 echo '';
 echo '';
 die('Bad CSRF token');
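Review bot: The new condition still takes the token from `$_REQUEST["csrf"]`, so the source the commit message distrusts is only gated, not replaced; depending on `request_order` that value can also be populated from a cookie, and when the key is absent the lookup raises an undefined-index notice before the comparison fails closed. Reading the token from the superglobals that are actually being checked makes the source explicit, e.g. `$csrf_token = isset($_POST['csrf']) ? $_POST['csrf'] : (isset($_GET['csrf']) ? $_GET['csrf'] : '');` followed by `if (($_GET || $_POST) && $csrf_token !== $_SESSION["csrf"]) {`. Note also that any request with empty `$_GET` and `$_POST` skips the check entirely; whether a state-changing action is reachable that way is not visible from this hunk. The `if` body continues past the end of the hunk.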