From: <thr...@us...> - 2008-03-26 00:49:37
Revision: 5134 http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5134&view=rev Author: thraxisp Date: 2008-03-25 17:49:33 -0700 (Tue, 25 Mar 2008) Log Message: ----------- fix for #8995: CSRF Vulnerabilities in user_create - check for "Post" actions appropriately Modified Paths: -------------- branches/BRANCH_1_1_0/mantisbt/account_delete.php branches/BRANCH_1_1_0/mantisbt/account_prefs_reset.php branches/BRANCH_1_1_0/mantisbt/account_prefs_update.php branches/BRANCH_1_1_0/mantisbt/account_prof_add.php branches/BRANCH_1_1_0/mantisbt/account_prof_delete.php branches/BRANCH_1_1_0/mantisbt/account_prof_make_default.php branches/BRANCH_1_1_0/mantisbt/account_prof_update.php branches/BRANCH_1_1_0/mantisbt/account_sponsor_update.php branches/BRANCH_1_1_0/mantisbt/account_update.php branches/BRANCH_1_1_0/mantisbt/adm_config_delete.php branches/BRANCH_1_1_0/mantisbt/adm_config_set.php branches/BRANCH_1_1_0/mantisbt/bug_actiongroup.php branches/BRANCH_1_1_0/mantisbt/bug_actiongroup_ext.php branches/BRANCH_1_1_0/mantisbt/bug_assign.php branches/BRANCH_1_1_0/mantisbt/bug_assign_reporter.php branches/BRANCH_1_1_0/mantisbt/bug_delete.php branches/BRANCH_1_1_0/mantisbt/bug_file_add.php branches/BRANCH_1_1_0/mantisbt/bug_file_delete.php branches/BRANCH_1_1_0/mantisbt/bug_graph_bystatus.php branches/BRANCH_1_1_0/mantisbt/bug_monitor.php branches/BRANCH_1_1_0/mantisbt/bug_relationship_add.php branches/BRANCH_1_1_0/mantisbt/bug_relationship_delete.php branches/BRANCH_1_1_0/mantisbt/bug_reminder.php branches/BRANCH_1_1_0/mantisbt/bug_report.php branches/BRANCH_1_1_0/mantisbt/bug_set_sponsorship.php branches/BRANCH_1_1_0/mantisbt/bug_update.php branches/BRANCH_1_1_0/mantisbt/bugnote_add.php branches/BRANCH_1_1_0/mantisbt/bugnote_delete.php branches/BRANCH_1_1_0/mantisbt/bugnote_set_view_state.php branches/BRANCH_1_1_0/mantisbt/bugnote_update.php branches/BRANCH_1_1_0/mantisbt/core/constant_inc.php branches/BRANCH_1_1_0/mantisbt/core/helper_api.php 
branches/BRANCH_1_1_0/mantisbt/lang/strings_english.txt branches/BRANCH_1_1_0/mantisbt/lost_pwd.php branches/BRANCH_1_1_0/mantisbt/manage_config_email_set.php branches/BRANCH_1_1_0/mantisbt/manage_config_revert.php branches/BRANCH_1_1_0/mantisbt/manage_config_work_threshold_set.php branches/BRANCH_1_1_0/mantisbt/manage_config_workflow_set.php branches/BRANCH_1_1_0/mantisbt/manage_custom_field_create.php branches/BRANCH_1_1_0/mantisbt/manage_custom_field_delete.php branches/BRANCH_1_1_0/mantisbt/manage_custom_field_proj_add.php branches/BRANCH_1_1_0/mantisbt/manage_custom_field_update.php branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_add.php branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_copy.php branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_delete.php branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_update.php branches/BRANCH_1_1_0/mantisbt/manage_proj_create.php branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_add_existing.php branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_copy.php branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_remove.php branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_update.php branches/BRANCH_1_1_0/mantisbt/manage_proj_delete.php branches/BRANCH_1_1_0/mantisbt/manage_proj_subproj_add.php branches/BRANCH_1_1_0/mantisbt/manage_proj_subproj_delete.php branches/BRANCH_1_1_0/mantisbt/manage_proj_update.php branches/BRANCH_1_1_0/mantisbt/manage_proj_user_add.php branches/BRANCH_1_1_0/mantisbt/manage_proj_user_copy.php branches/BRANCH_1_1_0/mantisbt/manage_proj_user_remove.php branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_add.php branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_copy.php branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_delete.php branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_update.php branches/BRANCH_1_1_0/mantisbt/manage_user_create.php branches/BRANCH_1_1_0/mantisbt/manage_user_delete.php branches/BRANCH_1_1_0/mantisbt/manage_user_proj_add.php branches/BRANCH_1_1_0/mantisbt/manage_user_proj_delete.php 
branches/BRANCH_1_1_0/mantisbt/manage_user_prune.php branches/BRANCH_1_1_0/mantisbt/manage_user_reset.php branches/BRANCH_1_1_0/mantisbt/manage_user_update.php branches/BRANCH_1_1_0/mantisbt/news_add.php branches/BRANCH_1_1_0/mantisbt/news_delete.php branches/BRANCH_1_1_0/mantisbt/news_update.php branches/BRANCH_1_1_0/mantisbt/print_all_bug_options_reset.php branches/BRANCH_1_1_0/mantisbt/print_all_bug_options_update.php branches/BRANCH_1_1_0/mantisbt/proj_doc_add.php branches/BRANCH_1_1_0/mantisbt/proj_doc_delete.php branches/BRANCH_1_1_0/mantisbt/proj_doc_update.php branches/BRANCH_1_1_0/mantisbt/query_delete.php branches/BRANCH_1_1_0/mantisbt/query_store.php branches/BRANCH_1_1_0/mantisbt/set_project.php branches/BRANCH_1_1_0/mantisbt/signup.php branches/BRANCH_1_1_0/mantisbt/tag_attach.php branches/BRANCH_1_1_0/mantisbt/tag_delete.php branches/BRANCH_1_1_0/mantisbt/tag_detach.php branches/BRANCH_1_1_0/mantisbt/tag_update.php Modified: branches/BRANCH_1_1_0/mantisbt/account_delete.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/account_delete.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/account_delete.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -43,6 +43,8 @@ # (none) #============ Permissions ============ + helper_ensure_post(); + auth_ensure_user_authenticated(); current_user_ensure_unprotected(); Modified: branches/BRANCH_1_1_0/mantisbt/account_prefs_reset.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/account_prefs_reset.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/account_prefs_reset.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -47,6 +47,8 @@ $f_redirect_url = gpc_get_string( 'redirect_url', 'account_prefs_page.php' ); #============ Permissions ============ + helper_ensure_post(); + auth_ensure_user_authenticated(); user_ensure_unprotected( $f_user_id ); Modified: branches/BRANCH_1_1_0/mantisbt/account_prefs_update.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/account_prefs_update.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/account_prefs_update.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
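Review bot: `helper_ensure_post()` only rejects requests that are not POST, and a cross-site page can submit a POST form as readily as it can trigger a GET, so on its own this does not close the CSRF issue named in the log message; it removes the link/image (GET) vector and leaves the form-post vector open. The durable fix is a per-session synchronizer token emitted into each form and verified in every action script next to this call, and that applies to every `helper_ensure_post()` insertion in this commit, not just this hunk. The helper is defined in core/helper_api.php, whose hunk is not in this excerpt, so I am assuming it fails closed (triggers an error rather than returning) on a non-POST request; please confirm. A call-site comment would keep the limitation visible: `# Reject non-POST requests: stop-gap against GET-based CSRF only, a form token is still required`.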
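Review bot: `helper_ensure_post()` is inserted after `$f_redirect_url = gpc_get_string( 'redirect_url', 'account_prefs_page.php' )` (and, per the hunk header, after the `user_id` read above it), so a GET request has its parameters parsed before the method is rejected; bug_delete.php (L16) has the same ordering, with `$f_bug_id = gpc_get_int( 'bug_id' )` preceding the check. Move the guard to directly after the `require_once` lines, as adm_config_set.php and bug_assign.php do, so it is the first statement that can fail. Separately, `redirect_url` is a request-supplied redirect target; where it is consumed is outside this hunk, but it should be constrained to a local page path before being handed to a redirect.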
@@ -20,21 +20,19 @@ # -------------------------------------------------------- # $Id: account_prefs_update.php,v 1.36.16.1 2007-10-13 22:32:08 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # Updates prefs then redirect to account_prefs_page.php3 -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'user_pref_api.php' ); -?> -<?php + + helper_ensure_post(); + auth_ensure_user_authenticated(); -?> -<?php + $f_user_id = gpc_get_int( 'user_id' ); $f_redirect_url = gpc_get_string( 'redirect_url' ); Modified: branches/BRANCH_1_1_0/mantisbt/account_prof_add.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/account_prof_add.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/account_prof_add.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
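Review bot: The `-?>`/`-<?php` removals in this hunk, repeated in most files of this commit together with the copyright-year bumps, are cleanup unrelated to the CSRF fix. They are worth keeping, but folding them into a security fix makes the change harder to audit and to cherry-pick onto other branches, since the one security-relevant line per file (`helper_ensure_post();`) is buried among whitespace and tag edits. Landing the tag cleanup as its own commit would leave this one as a minimal, reviewable set of `helper_ensure_post()` insertions.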
@@ -20,23 +20,21 @@ # -------------------------------------------------------- # $Id: account_prof_add.php,v 1.27.22.1 2007-10-13 22:32:10 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # This file adds a new profile and redirects to account_proj_menu_page.php -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'profile_api.php' ); -?> -<?php + + helper_ensure_post(); + auth_ensure_user_authenticated(); current_user_ensure_unprotected(); -?> -<?php + $f_platform = gpc_get_string( 'platform' ); $f_os = gpc_get_string( 'os' ); $f_os_build = gpc_get_string( 'os_build' ); Modified: branches/BRANCH_1_1_0/mantisbt/account_prof_delete.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/account_prof_delete.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/account_prof_delete.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -20,24 +20,22 @@ # -------------------------------------------------------- # $Id: account_prof_delete.php,v 1.27.22.1 2007-10-13 22:32:12 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # The specified profile is deleted and the user is redirected to # account_prof_menu_page.php3 -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'profile_api.php' ); -?> -<?php + + helper_ensure_post(); + auth_ensure_user_authenticated(); current_user_ensure_unprotected(); -?> -<?php + $f_profile_id = gpc_get_int( 'profile_id' ); if ( profile_is_global( $f_profile_id ) ) { Modified: branches/BRANCH_1_1_0/mantisbt/account_prof_make_default.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/account_prof_make_default.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/account_prof_make_default.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -20,24 +20,22 @@ # -------------------------------------------------------- # $Id: account_prof_make_default.php,v 1.26.22.1 2007-10-13 22:32:14 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # Make the specified profile the default # Redirect to account_prof_menu_page.php -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'current_user_api.php' ); -?> -<?php + + helper_ensure_post(); + auth_ensure_user_authenticated(); current_user_ensure_unprotected(); -?> -<?php + $f_profile_id = gpc_get_int( 'profile_id' ); current_user_set_pref( 'default_profile', $f_profile_id ); Modified: branches/BRANCH_1_1_0/mantisbt/account_prof_update.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/account_prof_update.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/account_prof_update.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -30,6 +30,8 @@ require_once( $t_core_path.'profile_api.php' ); + helper_ensure_post(); + auth_ensure_user_authenticated(); current_user_ensure_unprotected(); Modified: branches/BRANCH_1_1_0/mantisbt/account_sponsor_update.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/account_sponsor_update.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/account_sponsor_update.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,23 +20,21 @@ # -------------------------------------------------------- # $Id: account_sponsor_update.php,v 1.2.14.1 2007-10-13 22:32:22 giallu Exp $ # -------------------------------------------------------- -?> -<?php - # This page updates a user's information + + # This page updates a user's sponsorships # If an account is protected then changes are forbidden # The page gets redirected back to account_page.php -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'email_api.php' ); -?> -<?php + + helper_ensure_post(); + auth_ensure_user_authenticated(); -?> -<?php + $f_bug_list = gpc_get_string( 'buglist', '' ); $t_bug_list = explode( ',', $f_bug_list ); Modified: branches/BRANCH_1_1_0/mantisbt/account_update.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/account_update.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/account_update.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
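Review bot: `$t_bug_list = explode( ',', $f_bug_list )` produces raw request strings, and the loop that consumes them lies outside this hunk, so I cannot see whether each element is cast and validated before it reaches sponsorship or bug lookups. If it is not, each id should go through `(int)` and `bug_ensure_exists()` before use, and the empty-string default from `gpc_get_string( 'buglist', '' )` should be handled explicitly since `explode` returns a one-element array containing `''` for it. The corrected header comment ("updates a user's sponsorships") is a good catch.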
@@ -20,25 +20,23 @@ # -------------------------------------------------------- # $Id: account_update.php,v 1.41.2.1 2007-10-13 22:32:23 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # This page updates a user's information # If an account is protected then changes are forbidden # The page gets redirected back to account_page.php -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'email_api.php' ); -?> -<?php + + helper_ensure_post(); + auth_ensure_user_authenticated(); current_user_ensure_unprotected(); -?> -<?php + $f_email = gpc_get_string( 'email', '' ); $f_realname = gpc_get_string( 'realname', '' ); $f_password = gpc_get_string( 'password', '' ); Modified: branches/BRANCH_1_1_0/mantisbt/adm_config_delete.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/adm_config_delete.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/adm_config_delete.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -23,6 +23,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + $f_user_id = gpc_get_int( 'user_id' ); $f_project_id = gpc_get_int( 'project_id' ); $f_config_option = gpc_get_string( 'config_option' ); Modified: branches/BRANCH_1_1_0/mantisbt/adm_config_set.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/adm_config_set.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/adm_config_set.php 2008-03-26 00:49:33 UTC (rev 5134) 
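Review bot: Neither this adm_config_delete.php hunk nor the adm_config_set.php hunk on L13 shows an authentication or access-threshold check near the new `helper_ensure_post()`; these administrative scripts presumably enforce one further down, outside the hunk, but here the guard sits as a bare statement between `require_once( 'core.php' )` and the `gpc_get_*` reads. For consistency with account_delete.php and the other account_* scripts, group it with the authorization calls under a `#============ Permissions ============` header so both guards are visible together, and add `# reject non-POST requests before any parameter is read` above it.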
@@ -26,6 +26,7 @@ require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); + helper_ensure_post(); $f_user_id = gpc_get_int( 'user_id' ); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/bug_actiongroup.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_actiongroup.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_actiongroup.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,19 +20,18 @@ # -------------------------------------------------------- # $Id: bug_actiongroup.php,v 1.52.2.1 2007-10-13 22:32:30 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # This page allows actions to be performed an an array of bugs -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'bug_api.php' ); -?> -<?php auth_ensure_user_authenticated() ?> -<?php + + helper_ensure_post(); + + auth_ensure_user_authenticated(); helper_begin_long_process(); $f_action = gpc_get_string( 'action' ); Modified: branches/BRANCH_1_1_0/mantisbt/bug_actiongroup_ext.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_actiongroup_ext.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_actiongroup_ext.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -28,19 +28,21 @@ require_once( $t_core_path . 'bug_api.php' ); require_once( $t_core_path . 'bug_group_action_api.php' ); - auth_ensure_user_authenticated(); + helper_ensure_post(); + auth_ensure_user_authenticated(); + helper_begin_long_process(); - $f_action = gpc_get_string( 'action' ); + $f_action = gpc_get_string( 'action' ); $f_bug_arr = gpc_get_int_array( 'bug_arr', array() ); - $t_action_include_file = 'bug_actiongroup_' . $f_action . '_inc.php'; + $t_action_include_file = 'bug_actiongroup_' . $f_action . '_inc.php'; - require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . $t_action_include_file ); - - # group bugs by project - $t_projects_bugs = array(); + require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . $t_action_include_file ); + + # group bugs by project + $t_projects_bugs = array(); foreach( $f_bug_arr as $t_bug_id ) { bug_ensure_exists( $t_bug_id ); $t_bug = bug_get( $t_bug_id, true ); Modified: branches/BRANCH_1_1_0/mantisbt/bug_assign.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_assign.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_assign.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
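Review bot: `$t_action_include_file = 'bug_actiongroup_' . $f_action . '_inc.php'` feeds a value taken straight from the request (`gpc_get_string( 'action' )`) into `require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . $t_action_include_file )`, and the hunk only re-indents these lines without constraining `$f_action`; a request-derived include path should be checked against a fixed allow-list before it is used. Something like `$t_valid_actions = array( /* names of the shipped bug_actiongroup_*_inc.php files */ );` followed by `if ( !in_array( $f_action, $t_valid_actions, true ) ) { trigger_error( ERROR_GENERIC, ERROR ); }` placed before the `require_once` would do it. Most of the `-`/`+` pairs in this hunk differ only in leading whitespace, which makes the one substantive change (`helper_ensure_post();`) hard to spot in review. The `foreach` over `$f_bug_arr` continues past the end of the hunk.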
@@ -20,18 +20,16 @@ # -------------------------------------------------------- # $Id: bug_assign.php,v 1.42.16.1 2007-10-13 22:32:34 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # Assign bug to user then redirect to viewing page -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'bug_api.php' ); -?> -<?php + helper_ensure_post(); + $f_bug_id = gpc_get_int( 'bug_id' ); $t_bug = bug_get( $f_bug_id ); Modified: branches/BRANCH_1_1_0/mantisbt/bug_assign_reporter.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_assign_reporter.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_assign_reporter.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -20,18 +20,17 @@ # -------------------------------------------------------- # $Id: bug_assign_reporter.php,v 1.4.14.1 2007-10-13 22:32:35 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # Assign bug to user then redirect to viewing page -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'bug_api.php' ); -?> -<?php + + helper_ensure_post(); + $f_bug_id = gpc_get_int( 'bug_id' ); access_ensure_bug_level( config_get( 'update_bug_threshold' ), $f_bug_id ); Modified: branches/BRANCH_1_1_0/mantisbt/bug_delete.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_delete.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_delete.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -29,6 +29,8 @@ $f_bug_id = gpc_get_int( 'bug_id' ); + helper_ensure_post(); + access_ensure_bug_level( config_get( 'delete_bug_threshold' ), $f_bug_id ); $t_bug = bug_get( $f_bug_id, true ); Modified: branches/BRANCH_1_1_0/mantisbt/bug_file_add.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_file_add.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_file_add.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,18 +20,17 @@ # -------------------------------------------------------- # $Id: bug_file_add.php,v 1.49.2.1 2007-10-13 22:32:37 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # Add file to a bug and then view the bug -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'file_api.php' ); -?> -<?php + + helper_ensure_post(); + $f_bug_id = gpc_get_int( 'bug_id', -1 ); $f_file = gpc_get_file( 'file', -1 ); Modified: branches/BRANCH_1_1_0/mantisbt/bug_file_delete.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_file_delete.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_file_delete.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -29,6 +29,8 @@ require_once( $t_core_path.'file_api.php' ); + helper_ensure_post(); + $f_file_id = gpc_get_int( 'file_id' ); $t_bug_id = file_get_field( $f_file_id, 'bug_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/bug_graph_bystatus.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_graph_bystatus.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_graph_bystatus.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -74,6 +74,7 @@ // grab all status levels $t_status_arr = get_enum_to_array( config_get( 'status_enum_string' ) ); + $t_status_labels = get_enum_to_array( lang_get( 'status_enum_string' ) ); $t_bug = array(); $t_view_status = array(); @@ -175,12 +176,12 @@ $t_labels = array(); $i = 0; if ($f_summary) { - $t_labels[++$i] = 'open'; - $t_labels[++$i] = 'resolved'; - $t_labels[++$i] = 'closed'; + $t_labels[++$i] = lang_get_defaulted('open'); + $t_labels[++$i] = lang_get_defaulted('resolved'); + $t_labels[++$i] = lang_get_defaulted('closed'); } else { foreach ( $t_view_status as $t_status => $t_label ) { - $t_labels[++$i] = $t_label; + $t_labels[++$i] = isset($t_status_labels[$t_status]) ? $t_status_labels[$t_status] : lang_get_defaulted($t_label); } } $t_label_count = $i; Modified: branches/BRANCH_1_1_0/mantisbt/bug_monitor.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_monitor.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_monitor.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
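Review bot: The bug_graph_bystatus.php hunks are a label-localisation change (`lang_get_defaulted( ... )` and the new `$t_status_labels` lookup) with no `helper_ensure_post()` call, so they are functionally unrelated to the CSRF fix in the log message; anyone cherry-picking the security fix will pull in a behaviour change to the graph page as well. `$t_status_labels` is defined in the first hunk and consumed about a hundred lines later in the second, so a comment at the definition would help, e.g. `# localised status names keyed by status code; used for the graph labels below`. The `isset( ... ) ? ... : lang_get_defaulted( $t_label )` fallback reads correctly for a status code missing from the language file.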
@@ -20,18 +20,17 @@ # -------------------------------------------------------- # $Id: bug_monitor.php,v 1.28.16.1 2007-10-13 22:32:42 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # This file turns monitoring on or off for a bug for the current user -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'bug_api.php' ); -?> -<?php + + helper_ensure_post(); + $f_bug_id = gpc_get_int( 'bug_id' ); $t_bug = bug_get( $f_bug_id, true ); Modified: branches/BRANCH_1_1_0/mantisbt/bug_relationship_add.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_relationship_add.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_relationship_add.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -29,6 +29,8 @@ $t_core_path = config_get( 'core_path' ); require_once( $t_core_path . 'relationship_api.php' ); + helper_ensure_post(); + $f_rel_type = gpc_get_int( 'rel_type' ); $f_src_bug_id = gpc_get_int( 'src_bug_id' ); $f_dest_bug_id_string = gpc_get_string( 'dest_bug_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/bug_relationship_delete.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_relationship_delete.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_relationship_delete.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -36,6 +36,8 @@ $t_core_path = config_get( 'core_path' ); require_once( $t_core_path . 'relationship_api.php' ); + helper_ensure_post(); + $f_rel_id = gpc_get_int( 'rel_id' ); $f_bug_id = gpc_get_int( 'bug_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/bug_reminder.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_reminder.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_reminder.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,11 +20,9 @@ # -------------------------------------------------------- # $Id: bug_reminder.php,v 1.21.2.1 2007-10-13 22:32:49 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # This page allows an authorized user to send a reminder by email to another user -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); 
@@ -32,8 +30,9 @@ require_once( $t_core_path.'bug_api.php' ); require_once( $t_core_path.'email_api.php' ); require_once( $t_core_path.'bugnote_api.php' ); -?> -<?php + + helper_ensure_post(); + $f_bug_id = gpc_get_int( 'bug_id' ); $f_to = gpc_get_int_array( 'to' ); $f_body = gpc_get_string( 'body' ); Modified: branches/BRANCH_1_1_0/mantisbt/bug_report.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_report.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_report.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -32,6 +32,8 @@ require_once( $t_core_path.'bug_api.php' ); require_once( $t_core_path.'custom_field_api.php' ); + helper_ensure_post(); + access_ensure_project_level( config_get('report_bug_threshold' ) ); $t_bug_data = new BugData; Modified: branches/BRANCH_1_1_0/mantisbt/bug_set_sponsorship.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_set_sponsorship.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_set_sponsorship.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -20,14 +20,15 @@ # -------------------------------------------------------- # $Id: bug_set_sponsorship.php,v 1.5.14.1 2007-10-13 22:32:53 giallu Exp $ # -------------------------------------------------------- -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path . 'sponsorship_api.php' ); + helper_ensure_post(); + if ( config_get( 'enable_sponsorship' ) == OFF ) { trigger_error( ERROR_SPONSORSHIP_NOT_ENABLED, ERROR ); } Modified: branches/BRANCH_1_1_0/mantisbt/bug_update.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_update.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bug_update.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -20,11 +20,9 @@ # -------------------------------------------------------- # $Id: bug_update.php,v 1.91.2.3 2007-10-26 08:52:18 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # Update bug data then redirect to the appropriate viewing page -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); @@ -32,8 +30,9 @@ require_once( $t_core_path.'bug_api.php' ); require_once( $t_core_path.'bugnote_api.php' ); require_once( $t_core_path.'custom_field_api.php' ); -?> -<?php + + helper_ensure_post(); + $f_bug_id = gpc_get_int( 'bug_id' ); $f_update_mode = gpc_get_bool( 'update_mode', FALSE ); # set if called from generic update page $f_new_status = gpc_get_int( 'status', bug_get_field( $f_bug_id, 'status' ) ); Modified: branches/BRANCH_1_1_0/mantisbt/bugnote_add.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bugnote_add.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bugnote_add.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,8 +20,7 @@ # -------------------------------------------------------- # $Id: bugnote_add.php,v 1.48.2.1 2007-10-13 22:33:04 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # Insert the bugnote into the database then redirect to the bug page require_once( 'core.php' ); @@ -31,6 +30,8 @@ require_once( $t_core_path.'bug_api.php' ); require_once( $t_core_path.'bugnote_api.php' ); + helper_ensure_post(); + $f_bug_id = gpc_get_int( 'bug_id' ); $f_private = gpc_get_bool( 'private' ); $f_time_tracking = gpc_get_string( 'time_tracking', '0:00' ); Modified: branches/BRANCH_1_1_0/mantisbt/bugnote_delete.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bugnote_delete.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bugnote_delete.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -20,12 +20,10 @@ # -------------------------------------------------------- # $Id: bugnote_delete.php,v 1.39.14.1 2007-10-13 22:33:06 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # Remove the bugnote and bugnote text and redirect back to # the viewing page -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); @@ -33,10 +31,11 @@ require_once( $t_core_path.'bug_api.php' ); require_once( $t_core_path.'bugnote_api.php' ); require_once( $t_core_path.'current_user_api.php' ); -?> -<?php + + helper_ensure_post(); + $f_bugnote_id = gpc_get_int( 'bugnote_id' ); - + $t_bug_id = bugnote_get_field( $f_bugnote_id, 'bug_id' ); $t_bug = bug_get( $t_bug_id, true ); Modified: branches/BRANCH_1_1_0/mantisbt/bugnote_set_view_state.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bugnote_set_view_state.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bugnote_set_view_state.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -20,19 +20,18 @@ # -------------------------------------------------------- # $Id: bugnote_set_view_state.php,v 1.27.14.1 2007-10-13 22:33:08 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # Set an existing bugnote private or public. -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'bug_api.php' ); require_once( $t_core_path.'bugnote_api.php' ); -?> -<?php + + helper_ensure_post(); + $f_bugnote_id = gpc_get_int( 'bugnote_id' ); $f_private = gpc_get_bool( 'private' ); Modified: branches/BRANCH_1_1_0/mantisbt/bugnote_update.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bugnote_update.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/bugnote_update.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,11 +20,9 @@ # -------------------------------------------------------- # $Id: bugnote_update.php,v 1.44.2.1 2007-10-13 22:33:09 giallu Exp $ # -------------------------------------------------------- -?> -<?php + # Update bugnote data then redirect to the appropriate viewing page -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); 
@@ -32,8 +30,9 @@ require_once( $t_core_path.'bug_api.php' ); require_once( $t_core_path.'bugnote_api.php' ); require_once( $t_core_path.'current_user_api.php' ); -?> -<?php + + helper_ensure_post(); + $f_bugnote_id = gpc_get_int( 'bugnote_id' ); $f_bugnote_text = gpc_get_string( 'bugnote_text', '' ); $f_time_tracking = gpc_get_string( 'time_tracking', '0:00' ); Modified: branches/BRANCH_1_1_0/mantisbt/core/constant_inc.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/core/constant_inc.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/core/constant_inc.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -194,6 +194,7 @@ define( 'ERROR_FTP_CONNECT_ERROR', 16 ); define( 'ERROR_HANDLER_ACCESS_TOO_LOW', 17 ); define( 'ERROR_PAGE_REDIRECTION', 18 ); + define( 'ERROR_INVALID_REQUEST_METHOD', 19 ); # ERROR_CONFIG_* define( 'ERROR_CONFIG_OPT_NOT_FOUND', 100 ); Modified: branches/BRANCH_1_1_0/mantisbt/core/helper_api.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/core/helper_api.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/core/helper_api.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -421,4 +421,16 @@ auth_is_user_authenticated() && access_has_global_level( config_get( 'show_queries_threshold' ) ); } + + + # + #------------------------------------------------- + # check access method is POST, return if true, else call error handler + function helper_ensure_post() + { + if ( isset( $_SERVER['REQUEST_METHOD'] ) && ( strtoupper( $_SERVER['REQUEST_METHOD'] ) != 'POST' ) ) { + trigger_error( ERROR_INVALID_REQUEST_METHOD, ERROR ); + } + + } ?> Modified: branches/BRANCH_1_1_0/mantisbt/lang/strings_english.txt =================================================================== --- branches/BRANCH_1_1_0/mantisbt/lang/strings_english.txt 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/lang/strings_english.txt 2008-03-26 00:49:33 UTC (rev 5134) @@ -297,6 +297,7 @@ $MANTIS_ERROR[ERROR_TAG_NOT_ATTACHED] = 'That tag is not attached to that bug.'; $MANTIS_ERROR[ERROR_TAG_ALREADY_ATTACHED] = 'That tag already attached to that bug.'; $MANTIS_ERROR[ERROR_TOKEN_NOT_FOUND] = 'Token could not be found.'; +$MANTIS_ERROR[ERROR_INVALID_REQUEST_METHOD] = 'This page cannot be accessed using this method.'; $s_login_error = 'Your account may be disabled or blocked or the username/password you entered is incorrect.'; $s_login_cookies_disabled = 'Your browser either doesn\'t know how to handle cookies, or refuses to handle them.'; Modified: branches/BRANCH_1_1_0/mantisbt/lost_pwd.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/lost_pwd.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/lost_pwd.php 2008-03-26 00:49:33 UTC (rev 5134) 
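Review bot: The `if` in `helper_ensure_post()` fails open when `$_SERVER['REQUEST_METHOD']` is absent, because the `isset()` guard lets a request with no recorded method through as if it were a POST; the condition should be `if ( !isset( $_SERVER['REQUEST_METHOD'] ) || strtoupper( $_SERVER['REQUEST_METHOD'] ) != 'POST' ) {`, unless a non-web caller is intended, in which case the comment should say so. A method check alone also only raises the bar for #8995 rather than closing it: a cross-origin form can still be submitted as a POST with the victim's session cookie, so each action page that now calls `helper_ensure_post();` (the call sites added throughout this commit) still needs a per-session secret carried in the form and verified before the request is acted on. The header comment says "return if true, else call error handler"; it would help to state that the function relies on the `ERROR` severity handler halting execution, since otherwise it returns normally and the page continues.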
@@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30... -# Copyright (C) 2002 - 2007 Mantis Team - man...@li... +# Copyright (C) 2002 - 2008 Mantis Team - man...@li... # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -27,6 +27,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + # lost password feature disabled or reset password via email disabled -> stop here! if( OFF == config_get( 'lost_password_feature' ) || OFF == config_get( 'send_reset_password' ) || Modified: branches/BRANCH_1_1_0/mantisbt/manage_config_email_set.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_config_email_set.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_config_email_set.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -26,6 +26,8 @@ $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'email_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $t_can_change_level = min( config_get_access( 'notify_flags' ), config_get_access( 'default_notify_flags' ) ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_config_revert.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_config_revert.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_config_revert.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -25,6 +25,8 @@ $t_core_path = config_get( 'core_path' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project', 0 ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_config_work_threshold_set.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_config_work_threshold_set.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_config_work_threshold_set.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -26,6 +26,8 @@ $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'email_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $t_redirect_url = 'manage_config_work_threshold_page.php'; Modified: branches/BRANCH_1_1_0/mantisbt/manage_config_workflow_set.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_config_workflow_set.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_config_workflow_set.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -26,6 +26,8 @@ $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'email_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $t_can_change_level = min( config_get_access( 'notify_flags' ), config_get_access( 'default_notify_flags' ) ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_custom_field_create.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_custom_field_create.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_custom_field_create.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -27,6 +27,8 @@ require_once( $t_core_path.'custom_field_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_custom_field_delete.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_custom_field_delete.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_custom_field_delete.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -27,6 +27,8 @@ require_once( $t_core_path.'custom_field_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_custom_field_proj_add.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_custom_field_proj_add.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_custom_field_proj_add.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -23,6 +23,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_field_id = gpc_get_int( 'field_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_custom_field_update.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_custom_field_update.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_custom_field_update.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -27,6 +27,8 @@ require_once( $t_core_path.'custom_field_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_add.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_add.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_add.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -27,6 +27,8 @@ require_once( $t_core_path.'category_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_copy.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_copy.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_copy.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -27,6 +27,8 @@ require_once( $t_core_path.'category_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_delete.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_delete.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_delete.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -27,6 +27,8 @@ require_once( $t_core_path.'category_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_update.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_update.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_cat_update.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -27,6 +27,8 @@ require_once( $t_core_path.'category_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_create.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_create.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_create.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -27,6 +27,8 @@ require_once( $t_core_path.'project_hierarchy_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); access_ensure_global_level( config_get( 'create_project_threshold' ) ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_add_existing.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_add_existing.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_add_existing.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -27,6 +27,8 @@ require_once( $t_core_path.'custom_field_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_field_id = gpc_get_int( 'field_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_copy.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_copy.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_copy.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -23,6 +23,8 @@ require_once('core.php'); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_remove.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_remove.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_remove.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -27,6 +27,8 @@ require_once( $t_core_path.'custom_field_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_field_id = gpc_get_int( 'field_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_update.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_update.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_custom_field_update.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -20,15 +20,15 @@ # -------------------------------------------------------- # $Id: manage_proj_custom_field_update.php,v 1.10.22.1 2007-10-13 22:33:37 giallu Exp $ # -------------------------------------------------------- -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'custom_field_api.php' ); -?> -<?php + + helper_ensure_post(); + $f_field_id = gpc_get_int( 'field_id' ); $f_project_id = gpc_get_int( 'project_id' ); $f_sequence = gpc_get_int( 'sequence' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_delete.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_delete.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_delete.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -23,6 +23,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_subproj_add.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_subproj_add.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_subproj_add.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -25,6 +25,8 @@ $t_core_path = config_get( 'core_path' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_subproj_delete.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_subproj_delete.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_subproj_delete.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -25,6 +25,8 @@ $t_core_path = config_get( 'core_path' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_update.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_update.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_update.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -23,6 +23,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_user_add.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_user_add.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_user_add.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -23,6 +23,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_user_copy.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_user_copy.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_user_copy.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -23,6 +23,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_user_remove.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_user_remove.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_user_remove.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -23,6 +23,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_add.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_add.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_add.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -27,6 +27,8 @@ require_once( $t_core_path.'version_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_copy.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_copy.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_copy.php 2008-03-26 00:49:33 UTC (rev 5134) 
@@ -27,6 +27,8 @@ require_once( $t_core_path.'version_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_delete.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_delete.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_delete.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -27,6 +27,8 @@ require_once( $t_core_path.'version_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_version_id = gpc_get_int( 'version_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_update.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_update.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_proj_ver_update.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -27,6 +27,8 @@ require_once( $t_core_path.'version_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_version_id = gpc_get_int( 'version_id' ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_user_create.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_user_create.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1_0/mantisbt/manage_user_create.php 2008-03-26 00:49:33 UTC (rev 5134) @@ -27,6 +27,8 @@ require_once( $t_core_path.'email_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); access_ensure_global_level( config_get( 'manage_user_threshold' ) ); Modified: branches/BRANCH_1_1_0/mantisbt/manage_user_delete.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/manage_user_delete.php 2008-03-25 20:47:24 UTC (rev 5133) +++ branches/BRANCH_1_1... [truncated message content] |