From: <gi...@us...> - 2008-06-07 23:32:25
Revision: 5338
http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5338&view=rev
Author: giallu
Date: 2008-06-07 16:32:23 -0700 (Sat, 07 Jun 2008)
Log Message:
-----------
Add form security tokens to prevent CSRF issues
Modified Paths:
--------------
trunk/mantisbt/manage_custom_field_delete.php
trunk/mantisbt/manage_custom_field_edit_page.php
trunk/mantisbt/manage_custom_field_proj_add.php
trunk/mantisbt/manage_custom_field_update.php
Modified: trunk/mantisbt/manage_custom_field_delete.php
===================================================================
--- trunk/mantisbt/manage_custom_field_delete.php 2008-06-07 23:16:45 UTC (rev 5337)
+++ trunk/mantisbt/manage_custom_field_delete.php 2008-06-07 23:32:23 UTC (rev 5338)
@@ -27,8 +27,6 @@
 require_once( $t_core_path.'custom_field_api.php' ); - helper_ensure_post(); - auth_reauthenticate(); access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) );
@@ -48,6 +46,8 @@
 lang_get( 'field_delete_button' ) ); } + form_security_validate('manage_custom_field_delete'); + custom_field_destroy( $f_field_id ); html_page_top1();
Modified: trunk/mantisbt/manage_custom_field_edit_page.php
===================================================================
--- trunk/mantisbt/manage_custom_field_edit_page.php 2008-06-07 23:16:45 UTC (rev 5337)
+++ trunk/mantisbt/manage_custom_field_edit_page.php 2008-06-07 23:32:23 UTC (rev 5338)
@@ -46,6 +46,7 @@
 <br /> <div align="center"> <form method="post" action="manage_custom_field_update.php">
+<?php echo form_security_field( 'manage_custom_field_update' ); ?>
 <input type="hidden" name="field_id" value="<?php echo $f_field_id ?>" /> <input type="hidden" name="return" value="<?php echo $f_return ?>" />
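Review bot: `form_security_validate('manage_custom_field_delete')` is only reached after the access-level check and after the call that ends with `lang_get( 'field_delete_button' ) );` just above it (which looks like a confirmation prompt, though its start is outside the hunk), so a forged request still walks through those steps before the token is checked; the other two action scripts in this commit validate the token right after `auth_reauthenticate();`, and I would move it there for consistency, e.g. `auth_reauthenticate();` followed by `form_security_validate('manage_custom_field_delete');`. The earlier hunk in this file also dropped `helper_ensure_post();` without a replacement: a CSRF token is not a request-method check, and if the token is read through the generic GPC layer (not visible here) the delete becomes reachable via a GET whose token then lands in browser history, referers and access logs, so I would keep `helper_ensure_post();` alongside the new call. Placing the check before `custom_field_destroy( $f_field_id );` does guard the destructive step itself; the rest of the script is outside the hunk.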
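Review bot: The `return` hidden field in this update form echoes `$f_return` unescaped (`value="<?php echo $f_return ?>"`), whereas the delete form further down the same file wraps the same variable in `string_attribute( $f_return )`; if `$f_return` is taken from the request, as the `$f_` prefix suggests, an unescaped value can break out of the attribute. Since the form is being edited anyway, make the two forms consistent: `<input type="hidden" name="return" value="<?php echo string_attribute( $f_return ) ?>" />`. The new `form_security_field( 'manage_custom_field_update' )` output is inserted straight into the markup, so confirm that helper already emits an attribute-safe token value. The rest of the form and the surrounding page are outside this hunk.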
@@ -227,6 +228,7 @@
 <div class="border-center"> <form method="post" action="manage_custom_field_delete.php">
+<?php echo form_security_field( 'manage_custom_field_delete' ); ?>
 <input type="hidden" name="field_id" value="<?php echo $f_field_id ?>" /> <input type="hidden" name="return" value="<?php echo string_attribute( $f_return ) ?>" /> <input type="submit" class="button" value="<?php echo lang_get( 'delete_custom_field_button' ) ?>" />
@@ -239,6 +241,7 @@
 <br /> <div align="center"> <form method="post" action="manage_custom_field_proj_add.php">
+<?php echo form_security_field( 'manage_custom_field_proj_add' ); ?>
 <table class="width75" cellspacing="1"> <!-- Title --> <tr>
Modified: trunk/mantisbt/manage_custom_field_proj_add.php
===================================================================
--- trunk/mantisbt/manage_custom_field_proj_add.php 2008-06-07 23:16:45 UTC (rev 5337)
+++ trunk/mantisbt/manage_custom_field_proj_add.php 2008-06-07 23:32:23 UTC (rev 5338)
@@ -23,10 +23,10 @@
 require_once( 'core.php' ); - helper_ensure_post(); - auth_reauthenticate(); + form_security_validate('manage_custom_field_proj_add'); + $f_field_id = gpc_get_int( 'field_id' ); $f_project_id = gpc_get_int_array( 'project_id', array() ); $f_sequence = gpc_get_int( 'sequence' );
Modified: trunk/mantisbt/manage_custom_field_update.php
===================================================================
--- trunk/mantisbt/manage_custom_field_update.php 2008-06-07 23:16:45 UTC (rev 5337)
+++ trunk/mantisbt/manage_custom_field_update.php 2008-06-07 23:32:23 UTC (rev 5338)
@@ -27,10 +27,10 @@
 require_once( $t_core_path.'custom_field_api.php' ); - helper_ensure_post(); - auth_reauthenticate(); + form_security_validate('manage_custom_field_update'); + access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) ); $f_field_id = gpc_get_int( 'field_id' );
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
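Review bot: `helper_ensure_post();` is removed in this hunk and not restored, so the script is now gated only by `form_security_validate('manage_custom_field_proj_add')`; a CSRF token does not replace the POST requirement, and if the token is accepted from query-string parameters (not visible here) the project-add action becomes reachable through a GET whose token is then copied into referers and server logs. I would keep both checks: `helper_ensure_post();` immediately followed by `form_security_validate('manage_custom_field_proj_add');`. Unlike `manage_custom_field_update.php` in the same commit, no `access_ensure_global_level` call is visible in this hunk; if it sits below the `gpc_get_*` lines that is acceptable, but confirm it is present, since the token only proves the request came from the user's own form, not that the user may manage custom fields. The remainder of the script is outside the hunk.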