[mantisbt-cvs] SF.net SVN: mantisbt: [5338] trunk/mantisbt

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Revision: 5338
          http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5338&view=rev
Author:   giallu
Date:     2008-06-07 16:32:23 -0700 (Sat, 07 Jun 2008)

Log Message:
-----------
Add form security tokens to prevent CSRF issues

Modified Paths:
--------------
    trunk/mantisbt/manage_custom_field_delete.php
    trunk/mantisbt/manage_custom_field_edit_page.php
    trunk/mantisbt/manage_custom_field_proj_add.php
    trunk/mantisbt/manage_custom_field_update.php

Modified: trunk/mantisbt/manage_custom_field_delete.php
===================================================================

--- trunk/mantisbt/manage_custom_field_delete.php	2008-06-07 23:16:45 UTC (rev 5337)
+++ trunk/mantisbt/manage_custom_field_delete.php	2008-06-07 23:32:23 UTC (rev 5338)
@@ -27,8 +27,6 @@
 
 	require_once( $t_core_path.'custom_field_api.php' );
 
-	helper_ensure_post();
-
 	auth_reauthenticate();
 
 	access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) );
@@ -48,6 +46,8 @@
 			lang_get( 'field_delete_button' ) );
 	}
 
+	form_security_validate('manage_custom_field_delete');
+
 	custom_field_destroy( $f_field_id );
 
 	html_page_top1();

Modified: trunk/mantisbt/manage_custom_field_edit_page.php
===================================================================
--- trunk/mantisbt/manage_custom_field_edit_page.php	2008-06-07 23:16:45 UTC (rev 5337)
+++ trunk/mantisbt/manage_custom_field_edit_page.php	2008-06-07 23:32:23 UTC (rev 5338)
@@ -46,6 +46,7 @@
 <br />
 <div align="center">
 <form method="post" action="manage_custom_field_update.php">
+<?php echo form_security_field( 'manage_custom_field_update' ); ?>
 	<input type="hidden" name="field_id" value="<?php echo $f_field_id ?>" />
 	<input type="hidden" name="return" value="<?php echo $f_return ?>" />
 
@@ -227,6 +228,7 @@
 
 <div class="border-center">
 	<form method="post" action="manage_custom_field_delete.php">
+<?php echo form_security_field( 'manage_custom_field_delete' ); ?>
 		<input type="hidden" name="field_id" value="<?php echo $f_field_id ?>" />
 		<input type="hidden" name="return" value="<?php echo string_attribute( $f_return ) ?>" />
 		<input type="submit" class="button" value="<?php echo lang_get( 'delete_custom_field_button' ) ?>" />
@@ -239,6 +241,7 @@
 <br />
 <div align="center">
 <form method="post" action="manage_custom_field_proj_add.php">
+<?php echo form_security_field( 'manage_custom_field_proj_add' ); ?>
 <table class="width75" cellspacing="1">
 <!-- Title -->
 <tr>

Modified: trunk/mantisbt/manage_custom_field_proj_add.php
===================================================================
--- trunk/mantisbt/manage_custom_field_proj_add.php	2008-06-07 23:16:45 UTC (rev 5337)
+++ trunk/mantisbt/manage_custom_field_proj_add.php	2008-06-07 23:32:23 UTC (rev 5338)
@@ -23,10 +23,10 @@
 
 	require_once( 'core.php' );
 
-	helper_ensure_post();
-
 	auth_reauthenticate();
 
+	form_security_validate('manage_custom_field_proj_add');
+
 	$f_field_id = gpc_get_int( 'field_id' );
 	$f_project_id = gpc_get_int_array( 'project_id', array() );
 	$f_sequence	= gpc_get_int( 'sequence' );

Modified: trunk/mantisbt/manage_custom_field_update.php
===================================================================
--- trunk/mantisbt/manage_custom_field_update.php	2008-06-07 23:16:45 UTC (rev 5337)
+++ trunk/mantisbt/manage_custom_field_update.php	2008-06-07 23:32:23 UTC (rev 5338)
@@ -27,10 +27,10 @@
 
 	require_once( $t_core_path.'custom_field_api.php' );
 
-	helper_ensure_post();
-
 	auth_reauthenticate();
 
+	form_security_validate('manage_custom_field_update');
+
 	access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) );
 
 	$f_field_id						= gpc_get_int( 'field_id' );


This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.


