[mantisbt-dev] Fwd: [mantisbt-cvs] SF.net SVN: mantisbt: [5309] branches/BRANCH_1_1_0/mantisbt

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

   Isn't a bad idea to add the CSRF token as part of a visible string  
in a "get", especially since we allow the use of older ones? Shouldn't  
we fix the pages that use GET to change the database?

    ... Glenn

Begin forwarded message:

> From: nuc...@us...
> Date: June 2, 2008 10:52:57 AM GMT-04:00
> To: man...@li...
> Subject: [mantisbt-cvs] SF.net SVN: mantisbt: [5309] branches/ 
> BRANCH_1_1_0/mantisbt
>
> Revision: 5309
>          http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5309&view=rev
> Author:   nuclear_eclipse
> Date:     2008-06-02 07:52:56 -0700 (Mon, 02 Jun 2008)
>
> Log Message:
> -----------
> Enhance Form API to work for both POST forms and GET urls.
>
> Modified Paths:
> --------------
>    branches/BRANCH_1_1_0/mantisbt/bug_change_status_page.php
>    branches/BRANCH_1_1_0/mantisbt/bug_update_advanced_page.php
>    branches/BRANCH_1_1_0/mantisbt/bug_update_page.php
>    branches/BRANCH_1_1_0/mantisbt/core/form_api.php
>    branches/BRANCH_1_1_0/mantisbt/manage_user_create_page.php
>
> Modified: branches/BRANCH_1_1_0/mantisbt/bug_change_status_page.php
> ===================================================================
> --- branches/BRANCH_1_1_0/mantisbt/bug_change_status_page.php	 
> 2008-06-02 14:49:35 UTC (rev 5308)
> +++ branches/BRANCH_1_1_0/mantisbt/bug_change_status_page.php	 
> 2008-06-02 14:52:56 UTC (rev 5309)
> @@ -91,7 +91,7 @@
> <br />
> <div align="center">
> <form method="post" action="bug_update.php">
> -<?php echo form_security_token( 'bug_update' ) ?>
> +<?php echo form_security_field( 'bug_update' ) ?>
> <table class="width75" cellspacing="1">
>
>
>
> Modified: branches/BRANCH_1_1_0/mantisbt/bug_update_advanced_page.php
> ===================================================================
> --- branches/BRANCH_1_1_0/mantisbt/bug_update_advanced_page.php	 
> 2008-06-02 14:49:35 UTC (rev 5308)
> +++ branches/BRANCH_1_1_0/mantisbt/bug_update_advanced_page.php	 
> 2008-06-02 14:52:56 UTC (rev 5309)
> @@ -65,7 +65,7 @@
>
> <br />
> <form method="post" action="bug_update.php">
> -<?php echo form_security_token( 'bug_update' ) ?>
> +<?php echo form_security_field( 'bug_update' ) ?>
> <table class="width100" cellspacing="1">
> <tr>
> 	<td class="form-title" colspan="3">
>
> Modified: branches/BRANCH_1_1_0/mantisbt/bug_update_page.php
> ===================================================================
> --- branches/BRANCH_1_1_0/mantisbt/bug_update_page.php	2008-06-02  
> 14:49:35 UTC (rev 5308)
> +++ branches/BRANCH_1_1_0/mantisbt/bug_update_page.php	2008-06-02  
> 14:52:56 UTC (rev 5309)
> @@ -65,7 +65,7 @@
>
> <br />
> <form method="post" action="bug_update.php">
> -<?php echo form_security_token( 'bug_update' ) ?>
> +<?php echo form_security_field( 'bug_update' ) ?>
> <table class="width100" cellspacing="1">
>
>
>
> Modified: branches/BRANCH_1_1_0/mantisbt/core/form_api.php
> ===================================================================
> --- branches/BRANCH_1_1_0/mantisbt/core/form_api.php	2008-06-02  
> 14:49:35 UTC (rev 5308)
> +++ branches/BRANCH_1_1_0/mantisbt/core/form_api.php	2008-06-02  
> 14:52:56 UTC (rev 5309)
> @@ -27,10 +27,10 @@
>
> /**
>  * Generate a random security token, prefixed by date, store it in the
> - * user's session, and then return a string containing a hidden form
> + * user's session, and then return the string to be used as a form  
> element
>  * element with the security token as the value.
>  * @param string Form name
> - * @return string Hidden form element to output
> + * @return string Security token string
>  */
> function form_security_token( $p_form_name ) {
> 	$t_tokens = session_get( 'form_security_tokens', array() );
> @@ -49,6 +49,18 @@
> 	$t_tokens[ $p_form_name ][] = $t_string;
> 	session_set( 'form_security_tokens', $t_tokens );
>
> +	# The token string
> +	return $t_string;
> +}
> +
> +/**
> + * Get a hidden form element containing a generated form security  
> token.
> + * @param string Form name
> + * @return string Hidden form element to output
> + */
> +function form_security_field( $p_form_name ) {
> +	$t_string = form_security_token( $p_form_name );
> +
> 	# Create the form element HTML string for the security token
> 	$t_form_token = $p_form_name . '_token';
> 	$t_element = '<input type="hidden" name="%s" value="%s"/>';
> @@ -58,6 +70,22 @@
> }
>
> /**
> + * Get a URL parameter containing a generated form security token.
> + * @param string Form name
> + * @return string Hidden form element to output
> + */
> +function form_security_param( $p_form_name ) {
> +	$t_string = form_security_token( $p_form_name );
> +
> +	# Create the GET parameter to be used in a URL for a secure link
> +	$t_form_token = $p_form_name . '_token';
> +	$t_param = '&%s=%s';
> +	$t_param = sprintf( $t_param, $t_form_token, $t_string );
> +
> +	return $t_param;
> +}
> +
> +/**
>  * Validate the security token for the given form name based on tokens
>  * stored in the user's session.  While checking stored tokens, any  
> that
>  * are more than 3 days old will be purged.
>
> Modified: branches/BRANCH_1_1_0/mantisbt/manage_user_create_page.php
> ===================================================================
> --- branches/BRANCH_1_1_0/mantisbt/manage_user_create_page.php	 
> 2008-06-02 14:49:35 UTC (rev 5308)
> +++ branches/BRANCH_1_1_0/mantisbt/manage_user_create_page.php	 
> 2008-06-02 14:52:56 UTC (rev 5309)
> @@ -35,7 +35,7 @@
> <br />
> <div align="center">
> <form method="post" action="manage_user_create.php">
> -<?php echo form_security_token( 'manage_user_create' ) ?>
> +<?php echo form_security_field( 'manage_user_create' ) ?>
> <table class="width50" cellspacing="1">
> <tr>
> 	<td class="form-title" colspan="2">
>
>
> This was sent by the SourceForge.net collaborative development  
> platform, the world's largest Open Source development site.
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> mantisbt-cvs mailing list
> man...@li...
> https://lists.sourceforge.net/lists/listinfo/mantisbt-cvs

-- 
Glenn Henshaw              Ottawa, Canada
Email: thr...@ma...