Menu
▾
▴
[mantisbt-commits] mantisbt.git branch, master-1.1.x, updated. release-1.1.6-21-g7223521
|
From: <gi...@ma...> - 2009-04-13 18:45:50
|
The branch, master-1.1.x has been updated
via 72235214532b42e309b4299a648703c93022f90a (commit)
from 185c60dfef5270a269ba25d6e2ff81b88a9e0f4b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 72235214532b42e309b4299a648703c93022f90a
Author: John Reese <jr...@le...>
Date: Fri Mar 27 14:16:51 2009 -0400
Fix #9999: allow form security to be disabled for sites that use 'bad' proxy servers.
-----------------------------------------------------------------------
Summary of changes:
config_defaults_inc.php | 8 +++++++-
core/form_api.php | 20 ++++++++++++++++++++
2 files changed, 27 insertions(+), 1 deletions(-)
-----------------------------------------------------------------------
commit 72235214532b42e309b4299a648703c93022f90a
Author: John Reese <jr...@le...>
Date: Fri Mar 27 14:16:51 2009 -0400
Fix #9999: allow form security to be disabled for sites that use 'bad' proxy servers.
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index bb960f6..b000b38 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -156,6 +156,12 @@
# Session save path. If false, uses default value as set by session handler.
$g_session_save_path = false;
+ # Form security validation.
+ # This protects against Cross-Site Request Forgery, but some proxy servers may
+ # not correctly work with this option enabled because they cache pages incorrectly.
+ # WARNING: Disabling this IS a security risk!!
+ $g_form_security_validation = ON;
+
#############################
# Configuration Settings
#############################
@@ -166,7 +172,7 @@
$g_global_settings = array(
'_table$', 'cookie', '^db_', 'hostname', 'database_name', 'session_handler',
'_path$', 'use_iis', 'language', 'use_javascript', 'display_errors', 'stop_on_errors', 'login_method', '_file$',
- 'anonymous', 'content_expire', 'html_valid_tags', 'custom_headers', 'rss_key_seed'
+ 'anonymous', 'content_expire', 'html_valid_tags', 'custom_headers', 'rss_key_seed', 'form_security_',
);
#############################
diff --git a/core/form_api.php b/core/form_api.php
index 46b9323..a367eff 100644
--- a/core/form_api.php
+++ b/core/form_api.php
@@ -33,6 +33,10 @@
* @return string Security token string
*/
function form_security_token( $p_form_name ) {
+ if ( OFF == config_get_global( 'form_security_validation' ) ) {
+ return;
+ }
+
$t_tokens = session_get( 'form_security_tokens', array() );
# Create a new array for the form name if necessary
@@ -59,6 +63,10 @@ function form_security_token( $p_form_name ) {
* @return string Hidden form element to output
*/
function form_security_field( $p_form_name ) {
+ if ( OFF == config_get_global( 'form_security_validation' ) ) {
+ return '';
+ }
+
$t_string = form_security_token( $p_form_name );
# Create the form element HTML string for the security token
@@ -75,6 +83,10 @@ function form_security_field( $p_form_name ) {
* @return string Hidden form element to output
*/
function form_security_param( $p_form_name ) {
+ if ( OFF == config_get_global( 'form_security_validation' ) ) {
+ return '';
+ }
+
$t_string = form_security_token( $p_form_name );
# Create the GET parameter to be used in a URL for a secure link
@@ -93,6 +105,10 @@ function form_security_param( $p_form_name ) {
* @return boolean Form is valid
*/
function form_security_validate( $p_form_name ) {
+ if ( OFF == config_get_global( 'form_security_validation' ) ) {
+ return;
+ }
+
$t_tokens = session_get( 'form_security_tokens', array() );
# Short-circuit if we don't have any tokens for the given form name
@@ -141,6 +157,10 @@ function form_security_validate( $p_form_name ) {
* @param string Form name
*/
function form_security_purge( $p_form_name ) {
+ if ( OFF == config_get_global( 'form_security_validation' ) ) {
+ return;
+ }
+
$t_tokens = session_get( 'form_security_tokens', array() );
# Short-circuit if we don't have any tokens for the given form name
-----------------------------------------------------------------------
--
Mantis Bug Tracker
|