From: <gi...@us...> - 2008-06-02 23:46:53
Revision: 5319
http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5319&view=rev
Author: giallu
Date: 2008-06-02 16:46:51 -0700 (Mon, 02 Jun 2008)
Log Message:
-----------
Add form security tokens to prevent CSRF issues
Modified Paths:
--------------
branches/BRANCH_1_1_0/mantisbt/manage_user_delete.php
branches/BRANCH_1_1_0/mantisbt/manage_user_edit_page.php
branches/BRANCH_1_1_0/mantisbt/manage_user_proj_add.php
branches/BRANCH_1_1_0/mantisbt/manage_user_reset.php
branches/BRANCH_1_1_0/mantisbt/manage_user_update.php
Modified: branches/BRANCH_1_1_0/mantisbt/manage_user_delete.php
===================================================================
--- branches/BRANCH_1_1_0/mantisbt/manage_user_delete.php 2008-06-02 23:42:56 UTC (rev 5318)
+++ branches/BRANCH_1_1_0/mantisbt/manage_user_delete.php 2008-06-02 23:46:51 UTC (rev 5319)
@@ -23,8 +23,6 @@
require_once( 'core.php' );
- helper_ensure_post();
- auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_user_threshold' ) );
@@ -37,6 +35,8 @@
'<br/>' . lang_get( 'username' ) . ': ' . $t_user['username'], lang_get( 'delete_account_button' ) );
+ form_security_validate('manage_user_delete');
+ user_delete( $f_user_id );
$t_redirect_url = 'manage_user_page.php';
Modified: branches/BRANCH_1_1_0/mantisbt/manage_user_edit_page.php
===================================================================
--- branches/BRANCH_1_1_0/mantisbt/manage_user_edit_page.php 2008-06-02 23:42:56 UTC (rev 5318)
+++ branches/BRANCH_1_1_0/mantisbt/manage_user_edit_page.php 2008-06-02 23:46:51 UTC (rev 5319)
@@ -44,7 +44,7 @@
<!-- USER INFO -->
<div align="center">
<form method="post" action="manage_user_update.php">
-<?php echo form_security_field( 'manage_user' ) ?>
+<?php echo form_security_field( 'manage_user_update' ) ?>
<table class="width75" cellspacing="1">
<!-- Title -->
<tr>
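Review bot: In manage_user_delete.php the new `form_security_validate('manage_user_delete');` sits after `helper_ensure_confirmed(...)`, so `user_id` has already been read, the account row fetched and the confirmation page rendered before the token is checked, and with `helper_ensure_post();` dropped in the first hunk that initial request no longer has to be a POST. The rest of the script lies outside the hunk, so whether the token survives the confirmation round trip depends on helper_ensure_confirmed re-posting every incoming parameter; if it does not, the confirmed request fails validation and the delete never runs, and if it does, a cross-site link can still drive the pre-confirmation work. Moving the validate call up next to `auth_reauthenticate();`, as manage_user_proj_add.php, manage_user_reset.php and manage_user_update.php do in this same commit, makes the token the first gate. The collapsed layout also leaves `- auth_reauthenticate();` ambiguous: the hunk counts (8 old, 6 new) fit equally a removed blank line followed by a retained call, which is how the call reads as context in manage_user_update.php, so worth confirming reauthentication is still performed here.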
@@ -132,6 +132,7 @@
<div class="border-center">
<!-- Reset Button -->
<form method="post" action="manage_user_reset.php">
+<?php echo form_security_field( 'manage_user_reset' ) ?>
<input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" />
<input type="submit" class="button" value="<?php echo lang_get( 'reset_password_button' ) ?>" />
</form>
@@ -139,6 +140,8 @@
<!-- Delete Button -->
<?php if ( !( ( ADMINISTRATOR <= $t_user['access_level'] ) && ( 1 >= user_count_level( ADMINISTRATOR ) ) ) ) { ?>
<form method="post" action="manage_user_delete.php">
+<?php echo form_security_field( 'manage_user_delete' ) ?>
+ <input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" />
<input type="submit" class="button" value="<?php echo lang_get( 'delete_user_button' ) ?>" />
</form>
@@ -163,6 +166,7 @@
<br />
<div align="center">
<form method="post" action="manage_user_proj_add.php">
+<?php echo form_security_field( 'manage_user_proj_add' ) ?>
<table class="width75" cellspacing="1">
<!-- Title -->
<tr>
Modified: branches/BRANCH_1_1_0/mantisbt/manage_user_proj_add.php
===================================================================
--- branches/BRANCH_1_1_0/mantisbt/manage_user_proj_add.php 2008-06-02 23:42:56 UTC (rev 5318)
+++ branches/BRANCH_1_1_0/mantisbt/manage_user_proj_add.php 2008-06-02 23:46:51 UTC (rev 5319)
@@ -23,10 +23,10 @@
require_once( 'core.php' );
- helper_ensure_post();
- auth_reauthenticate();
+ form_security_validate('manage_user_proj_add');
+ $f_user_id = gpc_get_int( 'user_id' );
$f_access_level = gpc_get_int( 'access_level' );
$f_project_id = gpc_get_int_array( 'project_id', array() );
Modified: branches/BRANCH_1_1_0/mantisbt/manage_user_reset.php
===================================================================
--- branches/BRANCH_1_1_0/mantisbt/manage_user_reset.php 2008-06-02 23:42:56 UTC (rev 5318)
+++ branches/BRANCH_1_1_0/mantisbt/manage_user_reset.php 2008-06-02 23:46:51 UTC (rev 5319)
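Review bot: In manage_user_proj_add.php `helper_ensure_post();` is removed and `form_security_validate('manage_user_proj_add');` is added in its place, and the same swap appears in manage_user_reset.php and manage_user_delete.php. Unless form_security_validate itself rejects non-POST requests (its implementation is not in this diff), a valid token supplied as a query-string parameter would now be accepted, which puts a session secret into server logs and Referer headers. The request-method check and the token check guard different things, so keep both: `helper_ensure_post();` followed by `form_security_validate('manage_user_proj_add');`, and likewise in the other two scripts. Nothing in these hunks invalidates a token after it has been used; if the form API offers a purge call it belongs after the action, but that is outside the hunk and cannot be confirmed here.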
@@ -23,10 +23,10 @@
require_once( 'core.php' );
- helper_ensure_post();
- auth_reauthenticate();
+ form_security_validate('manage_user_reset');
+ access_ensure_global_level( config_get( 'manage_user_threshold' ) );
$f_user_id = gpc_get_int( 'user_id' );
Modified: branches/BRANCH_1_1_0/mantisbt/manage_user_update.php
===================================================================
--- branches/BRANCH_1_1_0/mantisbt/manage_user_update.php 2008-06-02 23:42:56 UTC (rev 5318)
+++ branches/BRANCH_1_1_0/mantisbt/manage_user_update.php 2008-06-02 23:46:51 UTC (rev 5319)
@@ -29,7 +29,7 @@
auth_reauthenticate();
- form_security_validate('manage_user');
+ form_security_validate('manage_user_update');
access_ensure_global_level( config_get( 'manage_user_threshold' ) );
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |