- fixed csrf protection

Author: Marius Cramer

interface/lib/classes/tform.inc.php

@@ -680,6 +680,8 @@ function encode($record, $tab, $dbencode = true) {
 			}
 			if($_csrf_valid !== true) {
 				$app->log('CSRF attempt blocked. Referer: ' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'unknown'), LOGLEVEL_WARN);
+				$errmsg = 'err_csrf_attempt_blocked';
+				$this->errorMessage .= ($api == true ? $errmsg : $this->wordbook[$errmsg]."<br />") . "\r\n";
 				unset($_POST);
 				unset($record);
 			}

interface/lib/lang/de.lng

@@ -42,6 +42,7 @@ $wb['top_menu_domain'] = 'Domains';
 $wb['top_menu_dashboard'] = 'Übersicht';
 $wb['latest_news_txt'] = 'Neuigkeiten';
 $wb['top_menu_vm'] = 'vServer';
+$wb['err_csrf_attempt_blocked'] = 'CSRF-Versuch blockiert.';
 $wb['daynamesmin_su'] = 'So';
 $wb['daynamesmin_mo'] = 'Mo';
 $wb['daynamesmin_tu'] = 'Di';

interface/lib/lang/en.lng

@@ -131,6 +131,7 @@ $wb['datalog_status_d_web_folder'] = 'Delete folder protection';
 $wb['datalog_status_i_web_folder_user'] = 'Create folder protection user';
 $wb['datalog_status_u_web_folder_user'] = 'Update folder protection user';
 $wb['datalog_status_d_web_folder_user'] = 'Delete folder protection user';
+$wb['err_csrf_attempt_blocked'] = 'CSRF attempt blocked.';
 $wb['login_as_txt'] = 'Log in as';
 $wb["no_domain_perm"] = 'You have no permission for this domain.';
 $wb["no_destination_perm"] = 'You have no permission for this destination.';