From: <gi...@ma...> - 2009-04-13 18:45:50
The branch, master-1.1.x has been updated via 72235214532b42e309b4299a648703c93022f90a (commit) from 185c60dfef5270a269ba25d6e2ff81b88a9e0f4b (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 72235214532b42e309b4299a648703c93022f90a Author: John Reese <jr...@le...> Date: Fri Mar 27 14:16:51 2009 -0400 Fix #9999: allow form security to be disabled for sites that use 'bad' proxy servers. ----------------------------------------------------------------------- Summary of changes: config_defaults_inc.php | 8 +++++++- core/form_api.php | 20 ++++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletions(-) ----------------------------------------------------------------------- commit 72235214532b42e309b4299a648703c93022f90a Author: John Reese <jr...@le...> Date: Fri Mar 27 14:16:51 2009 -0400 Fix #9999: allow form security to be disabled for sites that use 'bad' proxy servers.
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index bb960f6..b000b38 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -156,6 +156,12 @@
 # Session save path. If false, uses default value as set by session handler.
 $g_session_save_path = false;
 
+ # Form security validation.
+ # This protects against Cross-Site Request Forgery, but some proxy servers may
+ # not correctly work with this option enabled because they cache pages incorrectly.
+ # WARNING: Disabling this IS a security risk!!
+ $g_form_security_validation = ON;
+
 #############################
 # Configuration Settings
 #############################
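Review bot: The new comment above `$g_form_security_validation` warns that disabling it is a risk but does not say where the option may be set: the second hunk of this file adds `'form_security_'` to `$g_global_settings`, which, as far as I can tell from that list, restricts it to config_inc.php rather than the database-backed per-project configuration. That is worth stating in the comment so an administrator does not try to toggle it from the web UI, e.g. `# Global setting: can only be set in config_inc.php, not in the database.` It would also help to name the concrete symptom the affected proxies produce (validation failures on pages served from the proxy cache, if that is what was observed) so the option is not reached for on unrelated token errors.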
@@ -166,7 +172,7 @@ $g_global_settings = array( '_table$', 'cookie', '^db_', 'hostname', 'database_name', 'session_handler', '_path$', 'use_iis', 'language', 'use_javascript', 'display_errors', 'stop_on_errors', 'login_method', '_file$',
- 'anonymous', 'content_expire', 'html_valid_tags', 'custom_headers', 'rss_key_seed'
+ 'anonymous', 'content_expire', 'html_valid_tags', 'custom_headers', 'rss_key_seed', 'form_security_',
 );
 
 #############################
diff --git a/core/form_api.php b/core/form_api.php
index 46b9323..a367eff 100644
--- a/core/form_api.php
+++ b/core/form_api.php
@@ -33,6 +33,10 @@
  * @return string Security token string
  */
 function form_security_token( $p_form_name ) {
+ if ( OFF == config_get_global( 'form_security_validation' ) ) {
+ return;
+ }
+
 $t_tokens = session_get( 'form_security_tokens', array() );
 
 # Create a new array for the form name if necessary
@@ -59,6 +63,10 @@ function form_security_token( $p_form_name ) {
  * @return string Hidden form element to output
  */
 function form_security_field( $p_form_name ) {
+ if ( OFF == config_get_global( 'form_security_validation' ) ) {
+ return '';
+ }
+
 $t_string = form_security_token( $p_form_name );
 
 # Create the form element HTML string for the security token
@@ -75,6 +83,10 @@ function form_security_field( $p_form_name ) {
  * @return string Hidden form element to output
  */
 function form_security_param( $p_form_name ) {
+ if ( OFF == config_get_global( 'form_security_validation' ) ) {
+ return '';
+ }
+
 $t_string = form_security_token( $p_form_name );
 
 # Create the GET parameter to be used in a URL for a secure link
@@ -93,6 +105,10 @@ function form_security_param( $p_form_name ) {
  * @return boolean Form is valid
  */
 function form_security_validate( $p_form_name ) {
+ if ( OFF == config_get_global( 'form_security_validation' ) ) {
+ return;
+ }
+
 $t_tokens = session_get( 'form_security_tokens', array() );
 
 # Short-circuit if we don't have any tokens for the given form name
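Review bot: The new early return in form_security_token (hunk @@ -33) returns no value although the docblock three lines above it declares `@return string Security token string`, and the same pattern in the form_security_validate hunk (@@ -93) returns nothing where `@return boolean Form is valid` is promised. A caller that tests form_security_validate's result would then see null, i.e. false, and treat every form as invalid precisely when validation has been switched off, which is the opposite of what the option is for. I would use `return '';` in form_security_token, matching what form_security_field and form_security_param already return, and `return true;` in form_security_validate so the documented contract holds in both modes. The body of form_security_validate continues past the end of the hunk.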
@@ -141,6 +157,10 @@ function form_security_validate( $p_form_name ) {
  * @param string Form name
  */
 function form_security_purge( $p_form_name ) {
+ if ( OFF == config_get_global( 'form_security_validation' ) ) {
+ return;
+ }
+
 $t_tokens = session_get( 'form_security_tokens', array() );
 
 # Short-circuit if we don't have any tokens for the given form name
----------------------------------------------------------------------- -- Mantis Bug Tracker |