If check_nonpage needs to check authenticity of the submission, only a
valid hidden form parameter ought to be permitted.
This seems to have simply a logic error where (in 2cc2bcd0 "javascript
hijacking fix") I thought ParmT was a perl booleanish; but, of course,
it isn't.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
my ($r, $reqtype) = @_;
$r->_assert_checked();
return unless $r->resource_get_needs_secret_hidden($reqtype);
- return if $r->{ParmT};
+ return if $r->{ParmT} eq 'y';
die "missing hidden secret parameter on nonpage request $reqtype";
}
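Review bot: The `eq 'y'` comparison on the changed `return if` line depends on an undocumented encoding of `$r->{ParmT}`. Nothing in the hunk says which values the field can hold or why the non-valid ones are still true in Perl's sense. A short comment on that line, or a small predicate method, stating that only 'y' means the hidden secret parameter was validated would keep the truthiness mistake described in the commit message from recurring. If ParmT can be undefined when this runs, `eq` will emit an uninitialized-value warning under `use warnings`, so a `defined` guard or `// ''` may be needed. Since the boolean assumption dates from 2cc2bcd0, the other uses of ParmT added in that commit deserve the same check, and a test that sends a nonpage request with an invalid hidden parameter and expects the `die` would pin the behaviour down.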