From 2c4fa7e913afadc68f4d78f57994f0ce9a67787b Mon Sep 17 00:00:00 2001
From: Jan Schneider
Date: Tue, 6 Sep 2016 16:04:43 +0200
Subject: [PATCH] [jan] SECURITY: enable CSRF token for configuration form again (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).
---
framework/Core/lib/Horde/Config/Form.php | 9 ---------
framework/Core/package.xml | 4 +++-
2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/framework/Core/lib/Horde/Config/Form.php b/framework/Core/lib/Horde/Config/Form.php
index 4ba3cc47610..9e8722ca7d3 100644
--- a/framework/Core/lib/Horde/Config/Form.php
+++ b/framework/Core/lib/Horde/Config/Form.php
@@ -14,15 +14,6 @@
 */
 class Horde_Config_Form extends Horde_Form
 {
- /**
- * Don't use form tokens for the configuration form - while
- * generating configuration info, things like the Token system
- * might not work correctly. This saves some headaches.
- *
- * @var boolean
- */
- protected $_useFormToken = false;
-
 /**
 * Contains the Horde_Config object that this form represents.
 *
diff --git a/framework/Core/package.xml b/framework/Core/package.xml
index 838e9b5aede..d1c01b95f13 100644
--- a/framework/Core/package.xml
+++ b/framework/Core/package.xml
@@ -39,6 +39,7 @@ LGPL-2.1
+* [jan] SECURITY: enable CSRF token for configuration form again (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).
 * [mjr] Changes to support EAS attachment sync support for Appointment objects.
 * [mjr] Refactor ajax weather location autocompleter and add support for metar data.
 * [jan] Allow to specify user DN search parameters for LDAP with all bind methods (Request #11697, heinz@htl-steyr.ac.at).
@@ -1348,7 +1349,7 @@ Horde_Form pear.horde.org - 2.0.0 + 2.0.16 3.0.0alpha1 3.0.0alpha1
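Review bot: In framework/Core/lib/Horde/Config/Form.php, removing the `$_useFormToken = false` override leaves CSRF protection of the configuration form dependent on whatever default Horde_Form declares, and that default is not visible in this patch. Pinning it in the subclass, e.g. `protected $_useFormToken = true;` with a one-line docblock saying this form rewrites server configuration and must always carry a token, would keep a later change to the parent default from silently turning the check off again. The deleted comment also warned that the token system might not work while configuration is being generated, and nothing here shows whether that still applies. A first-time setup with no token backend configured is worth a regression test that confirms the submit is rejected rather than accepted unvalidated. The class body continues outside the hunk.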
@@ -4225,6 +4226,7 @@ 2016-08-13 LGPL-2.1
+* [jan] SECURITY: enable CSRF token for configuration form again (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).
 * [mjr] Changes to support EAS attachment sync support for Appointment objects.
 * [mjr] Refactor ajax weather location autocompleter and add support for metar data.
 * [jan] Allow to specify user DN search parameters for LDAP with all bind methods (Request #11697, heinz@htl-steyr.ac.at).