From: Glenn H. <thr...@ma...> - 2008-06-02 16:11:20
Isn't a bad idea to add the CSRF token as part of a visible string in a "get", especially since we allow the use of older ones? Shouldn't we fix the pages that use GET to change the database? ... Glenn Begin forwarded message:
> From: nuc...@us...
> Date: June 2, 2008 10:52:57 AM GMT-04:00
> To: man...@li...
> Subject: [mantisbt-cvs] SF.net SVN: mantisbt: [5309] branches/
> BRANCH_1_1_0/mantisbt
>
> Revision: 5309
> http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5309&view=rev
> Author: nuclear_eclipse
> Date: 2008-06-02 07:52:56 -0700 (Mon, 02 Jun 2008)
>
> Log Message:
> -----------
> Enhance Form API to work for both POST forms and GET urls.
>
> Modified Paths:
> --------------
> branches/BRANCH_1_1_0/mantisbt/bug_change_status_page.php
> branches/BRANCH_1_1_0/mantisbt/bug_update_advanced_page.php
> branches/BRANCH_1_1_0/mantisbt/bug_update_page.php
> branches/BRANCH_1_1_0/mantisbt/core/form_api.php
> branches/BRANCH_1_1_0/mantisbt/manage_user_create_page.php
>
> Modified: branches/BRANCH_1_1_0/mantisbt/bug_change_status_page.php
> ===================================================================
> --- branches/BRANCH_1_1_0/mantisbt/bug_change_status_page.php
> 2008-06-02 14:49:35 UTC (rev 5308)
> +++ branches/BRANCH_1_1_0/mantisbt/bug_change_status_page.php
> 2008-06-02 14:52:56 UTC (rev 5309)
> @@ -91,7 +91,7 @@
> <br />
> <div align="center">
> <form method="post" action="bug_update.php">
> -<?php echo form_security_token( 'bug_update' ) ?>
> +<?php echo form_security_field( 'bug_update' ) ?>
> <table class="width75" cellspacing="1">
>
>
>
> Modified: branches/BRANCH_1_1_0/mantisbt/bug_update_advanced_page.php
> ===================================================================
> --- branches/BRANCH_1_1_0/mantisbt/bug_update_advanced_page.php
> 2008-06-02 14:49:35 UTC (rev 5308)
> +++ branches/BRANCH_1_1_0/mantisbt/bug_update_advanced_page.php
> 2008-06-02 14:52:56 UTC (rev 5309)
> @@ -65,7 +65,7 @@
>
> <br />
> <form method="post" action="bug_update.php">
> -<?php echo form_security_token( 'bug_update' ) ?>
> +<?php echo form_security_field( 'bug_update' ) ?>
> <table class="width100" cellspacing="1">
> <tr>
> <td class="form-title" colspan="3">
>
> Modified: branches/BRANCH_1_1_0/mantisbt/bug_update_page.php
> ===================================================================
> --- branches/BRANCH_1_1_0/mantisbt/bug_update_page.php 2008-06-02
> 14:49:35 UTC (rev 5308)
> +++ branches/BRANCH_1_1_0/mantisbt/bug_update_page.php 2008-06-02
> 14:52:56 UTC (rev 5309)
> @@ -65,7 +65,7 @@
>
> <br />
> <form method="post" action="bug_update.php">
> -<?php echo form_security_token( 'bug_update' ) ?>
> +<?php echo form_security_field( 'bug_update' ) ?>
> <table class="width100" cellspacing="1">
>
>
>
> Modified: branches/BRANCH_1_1_0/mantisbt/core/form_api.php
> ===================================================================
> --- branches/BRANCH_1_1_0/mantisbt/core/form_api.php 2008-06-02
> 14:49:35 UTC (rev 5308)
> +++ branches/BRANCH_1_1_0/mantisbt/core/form_api.php 2008-06-02
> 14:52:56 UTC (rev 5309)
> @@ -27,10 +27,10 @@
>
> /**
> * Generate a random security token, prefixed by date, store it in the
> - * user's session, and then return a string containing a hidden form
> + * user's session, and then return the string to be used as a form
> element
> * element with the security token as the value.
> * @param string Form name
> - * @return string Hidden form element to output
> + * @return string Security token string
> */
> function form_security_token( $p_form_name ) {
> $t_tokens = session_get( 'form_security_tokens', array() );
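Review bot: The rewritten docblock line on form_security_token runs straight into the unchanged ` * element with the security token as the value.` below it, so the description now reads "…used as a form element element with the security token as the value"; drop that stale line or collapse the two into ` * user's session, and then return the raw token string.` The same hunk also changes what form_security_token() returns (a bare token instead of a hidden `<input>`), so any caller this commit does not touch would now echo the token as visible page text and its form would no longer submit a `<form>_token` field, which the validator would presumably reject; the four page edits in this commit cover the call sites visible here, but the diff cannot show whether others exist, so a grep for remaining `form_security_token(` callers in templates is worth doing. The body of form_security_token continues outside the hunk.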
> @@ -49,6 +49,18 @@
> $t_tokens[ $p_form_name ][] = $t_string;
> session_set( 'form_security_tokens', $t_tokens );
>
> + # The token string
> + return $t_string;
> +}
> +
> +/**
> + * Get a hidden form element containing a generated form security
> token.
> + * @param string Form name
> + * @return string Hidden form element to output
> + */
> +function form_security_field( $p_form_name ) {
> + $t_string = form_security_token( $p_form_name );
> +
> # Create the form element HTML string for the security token
> $t_form_token = $p_form_name . '_token';
> $t_element = '<input type="hidden" name="%s" value="%s"/>';
> @@ -58,6 +70,22 @@
> }
>
> /**
> + * Get a URL parameter containing a generated form security token.
> + * @param string Form name
> + * @return string Hidden form element to output
> + */
> +function form_security_param( $p_form_name ) {
> + $t_string = form_security_token( $p_form_name );
> +
> + # Create the GET parameter to be used in a URL for a secure link
> + $t_form_token = $p_form_name . '_token';
> + $t_param = '&%s=%s';
> + $t_param = sprintf( $t_param, $t_form_token, $t_string );
> +
> + return $t_param;
> +}
> +
> +/**
> * Validate the security token for the given form name based on tokens
> * stored in the user's session. While checking stored tokens, any
> that
> * are more than 3 days old will be purged.
>
> Modified: branches/BRANCH_1_1_0/mantisbt/manage_user_create_page.php
> ===================================================================
> --- branches/BRANCH_1_1_0/mantisbt/manage_user_create_page.php
> 2008-06-02 14:49:35 UTC (rev 5308)
> +++ branches/BRANCH_1_1_0/mantisbt/manage_user_create_page.php
> 2008-06-02 14:52:56 UTC (rev 5309)
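Review bot: In the `@@ -58,6 +70,22 @@` hunk, form_security_param's `@return` tag is copied from form_security_field and still says `Hidden form element to output`, although the function returns a URL query fragment; `@return string URL query fragment (with leading '&') carrying the security token` describes it. The fragment built from `'&%s=%s'` is also not passed through urlencode(), and its hard-coded `&` only works when the caller's URL already has a `?`; `$t_param = '&' . urlencode( $t_form_token ) . '=' . urlencode( $t_string );` plus a docblock sentence stating that the result must be appended to a URL that already has a query string (and `&`-escaped as `&amp;` when placed in an HTML attribute) would make the contract explicit. The token format is generated outside this hunk, so whether the encoding is strictly needed today cannot be confirmed from the diff, but the function name invites reuse with arbitrary form names. The validation counterpart referenced by the trailing docblock lines starts outside the hunk.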
> @@ -35,7 +35,7 @@
> <br />
> <div align="center">
> <form method="post" action="manage_user_create.php">
> -<?php echo form_security_token( 'manage_user_create' ) ?>
> +<?php echo form_security_field( 'manage_user_create' ) ?>
> <table class="width50" cellspacing="1">
> <tr>
> <td class="form-title" colspan="2">
>
>
> This was sent by the SourceForge.net collaborative development
> platform, the world's largest Open Source development site.
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> mantisbt-cvs mailing list
> man...@li...
> https://lists.sourceforge.net/lists/listinfo/mantisbt-cvs -- Glenn Henshaw Ottawa, Canada Email: thr...@ma... |