From 6342d69b1858ab27c1de4b0d45b64a121ceedf02 Mon Sep 17 00:00:00 2001
From: Tony Murray
Date: Wed, 7 Sep 2022 16:17:08 -0500
Subject: [PATCH] Do not include _token in legacy vars (#14313)
---
includes/html/vars.inc.php | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/includes/html/vars.inc.php b/includes/html/vars.inc.php
index cadd941738..20641a9916 100644
--- a/includes/html/vars.inc.php
+++ b/includes/html/vars.inc.php
@@ -10,5 +10,5 @@ foreach ($_POST as $name => $value) { $vars[$name] = ($value); }
-// don't leak login data
-unset($vars['username'], $vars['password'], $uri, $base_url);
+// don't leak login and other data
+unset($vars['username'], $vars['password'], $vars['_token']);
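Review bot: The new `unset(...)` line no longer clears `$uri` and `$base_url`, which the subject line does not mention; if either is still assigned earlier in this include (outside the hunk), it now stays defined in the including scope, so confirm both are gone or keep them in the unset. The replacement comment `don't leak login and other data` is vague: name what is dropped and why, e.g. `// keep credentials and the CSRF _token out of legacy $vars`, assuming `_token` is the framework's CSRF form field. This is also a deny-list applied after a wholesale copy of `$_POST` (the `foreach` begins outside the hunk), so any other secret a form posts still reaches `$vars`; a one-line comment saying that new sensitive field names must be added to this `unset` would help the next maintainer.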