Isn't it a bad idea to add the CSRF token as part of a visible string in a "get", especially since we allow the use of older ones? Shouldn't we fix the pages that use GET to change the database?

   ... Glenn


Begin forwarded message:

From: nuclear_eclipse@users.sourceforge.net
Date: June 2, 2008 10:52:57 AM GMT-04:00
To: mantisbt-cvs@lists.sourceforge.net
Subject: [mantisbt-cvs] SF.net SVN: mantisbt: [5309] branches/BRANCH_1_1_0/mantisbt

Revision: 5309
         http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5309&view=rev
Author:   nuclear_eclipse
Date:     2008-06-02 07:52:56 -0700 (Mon, 02 Jun 2008)

Log Message:
-----------
Enhance Form API to work for both POST forms and GET urls.

Modified Paths:
--------------
   branches/BRANCH_1_1_0/mantisbt/bug_change_status_page.php
   branches/BRANCH_1_1_0/mantisbt/bug_update_advanced_page.php
   branches/BRANCH_1_1_0/mantisbt/bug_update_page.php
   branches/BRANCH_1_1_0/mantisbt/core/form_api.php
   branches/BRANCH_1_1_0/mantisbt/manage_user_create_page.php

Modified: branches/BRANCH_1_1_0/mantisbt/bug_change_status_page.php
===================================================================
--- branches/BRANCH_1_1_0/mantisbt/bug_change_status_page.php 2008-06-02 14:49:35 UTC (rev 5308)
+++ branches/BRANCH_1_1_0/mantisbt/bug_change_status_page.php 2008-06-02 14:52:56 UTC (rev 5309)
@@ -91,7 +91,7 @@
<br />
<div align="center">
<form method="post" action="bug_update.php">
-<?php echo form_security_token( 'bug_update' ) ?>
+<?php echo form_security_field( 'bug_update' ) ?>
<table class="width75" cellspacing="1">
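Review bot: The rename is consistent in this template, but because form_security_token() now returns a bare token string rather than the hidden input, any form page not touched by this commit that still echoes form_security_token() will silently print the raw token into the page body and its submission will fail validation for lack of the `<name>_token` field; worth grepping the branch for remaining form_security_token() call sites in templates before this lands.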



Modified: branches/BRANCH_1_1_0/mantisbt/bug_update_advanced_page.php
===================================================================
--- branches/BRANCH_1_1_0/mantisbt/bug_update_advanced_page.php 2008-06-02 14:49:35 UTC (rev 5308)
+++ branches/BRANCH_1_1_0/mantisbt/bug_update_advanced_page.php 2008-06-02 14:52:56 UTC (rev 5309)
@@ -65,7 +65,7 @@

<br />
<form method="post" action="bug_update.php">
-<?php echo form_security_token( 'bug_update' ) ?>
+<?php echo form_security_field( 'bug_update' ) ?>
<table class="width100" cellspacing="1">
<tr>
<td class="form-title" colspan="3">

Modified: branches/BRANCH_1_1_0/mantisbt/bug_update_page.php
===================================================================
--- branches/BRANCH_1_1_0/mantisbt/bug_update_page.php 2008-06-02 14:49:35 UTC (rev 5308)
+++ branches/BRANCH_1_1_0/mantisbt/bug_update_page.php 2008-06-02 14:52:56 UTC (rev 5309)
@@ -65,7 +65,7 @@

<br />
<form method="post" action="bug_update.php">
-<?php echo form_security_token( 'bug_update' ) ?>
+<?php echo form_security_field( 'bug_update' ) ?>
<table class="width100" cellspacing="1">



Modified: branches/BRANCH_1_1_0/mantisbt/core/form_api.php
===================================================================
--- branches/BRANCH_1_1_0/mantisbt/core/form_api.php 2008-06-02 14:49:35 UTC (rev 5308)
+++ branches/BRANCH_1_1_0/mantisbt/core/form_api.php 2008-06-02 14:52:56 UTC (rev 5309)
@@ -27,10 +27,10 @@

/**
 * Generate a random security token, prefixed by date, store it in the
- * user's session, and then return a string containing a hidden form
+ * user's session, and then return the string to be used as a form element
 * element with the security token as the value.
 * @param string Form name
- * @return string Hidden form element to output
+ * @return string Security token string
 */
function form_security_token( $p_form_name ) {
$t_tokens = session_get( 'form_security_tokens', array() );
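Review bot: The edited docblock now reads "return the string to be used as a form element element with the security token as the value", since the unchanged next line still says "element with the security token as the value."; drop or reword that trailing line, e.g. "and then return the token string."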
@@ -49,6 +49,18 @@
$t_tokens[ $p_form_name ][] = $t_string;
session_set( 'form_security_tokens', $t_tokens );

+ # The token string
+ return $t_string;
+}
+
+/**
+ * Get a hidden form element containing a generated form security token.
+ * @param string Form name
+ * @return string Hidden form element to output
+ */
+function form_security_field( $p_form_name ) {
+ $t_string = form_security_token( $p_form_name );
+
# Create the form element HTML string for the security token
$t_form_token = $p_form_name . '_token';
$t_element = '<input type="hidden" name="%s" value="%s"/>';
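Review bot: form_security_field() preserves the old behaviour, but note that every call into form_security_token() appends a fresh entry to the session (`$t_tokens[ $p_form_name ][] = $t_string;`), and the validation docblock later in this patch only purges entries older than 3 days. Now that the generator will also be called once per secured GET link, a page rendering many such links will grow the per-form token list by one entry per link for days; consider reusing a single token per form name within a request, or capping the list length.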
@@ -58,6 +70,22 @@
}

/**
+ * Get a URL parameter containing a generated form security token.
+ * @param string Form name
+ * @return string Hidden form element to output
+ */
+function form_security_param( $p_form_name ) {
+ $t_string = form_security_token( $p_form_name );
+
+ # Create the GET parameter to be used in a URL for a secure link
+ $t_form_token = $p_form_name . '_token';
+ $t_param = '&%s=%s';
+ $t_param = sprintf( $t_param, $t_form_token, $t_string );
+
+ return $t_param;
+}
+
+/**
 * Validate the security token for the given form name based on tokens
 * stored in the user's session.  While checking stored tokens, any that
 * are more than 3 days old will be purged.
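Review bot: The @return docblock of form_security_param() says "Hidden form element to output", copied from form_security_field(); it should describe the URL parameter string. Two further points on the body: the hardcoded leading ampersand in `$t_param = '&%s=%s';` assumes the link already carries a query string and, when echoed into an href, should be `&amp;` to be valid HTML; and a token placed in a GET URL is recorded in browser history, proxy and server access logs and outbound Referer headers, which is the concern raised at the top of this thread. Limiting this helper to idempotent links, or converting state-changing links to POST forms using form_security_field(), would keep the token out of those channels.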

Modified: branches/BRANCH_1_1_0/mantisbt/manage_user_create_page.php
===================================================================
--- branches/BRANCH_1_1_0/mantisbt/manage_user_create_page.php 2008-06-02 14:49:35 UTC (rev 5308)
+++ branches/BRANCH_1_1_0/mantisbt/manage_user_create_page.php 2008-06-02 14:52:56 UTC (rev 5309)
@@ -35,7 +35,7 @@
<br />
<div align="center">
<form method="post" action="manage_user_create.php">
-<?php echo form_security_token( 'manage_user_create' ) ?>
+<?php echo form_security_field( 'manage_user_create' ) ?>
<table class="width50" cellspacing="1">
<tr>
<td class="form-title" colspan="2">


_______________________________________________
mantisbt-cvs mailing list
mantisbt-cvs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mantisbt-cvs

-- 
Glenn Henshaw              Ottawa, Canada
Email: thraxisp4@mac.com