Don't generate separate delete token for each attachment

Added optional $p_security_token param to form_security_param() in form_api.php, just as with form_security_field(), to allow passing only the security token, and not the pregenerated form_security_param() string (suggested by @cproensa). Fixes #20142 Signed-off-by: Damien Regad <dregad@mantisbt.org>
mantisbt · Mar 7, 2016 · 90c17a5 · 90c17a5
1 parent 2941f25
commit 90c17a5
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 8 deletions.
diff --git a/core/form_api.php b/core/form_api.php
@@ -119,14 +119,15 @@ function form_security_field( $p_form_name, $p_security_token = null ) {
 /**
  * Get a URL parameter containing a generated form security token.
  * @param string $p_form_name Form name.
+ * @param string $p_security_token Optional security token, previously generated for the same form.
  * @return string Hidden form element to output
  */
-function form_security_param( $p_form_name ) {
+function form_security_param( $p_form_name, $p_security_token = null ) {
 	if( PHP_CLI == php_mode() || OFF == config_get_global( 'form_security_validation' ) ) {
 		return '';
 	}
 
-	$t_string = form_security_token( $p_form_name );
+	$t_string = !is_null( $p_security_token ) ? $p_security_token : form_security_token( $p_form_name );
 
 	# Create the GET parameter to be used in a URL for a secure link
 	$t_form_token = $p_form_name . '_token';

diff --git a/core/print_api.php b/core/print_api.php
@@ -1796,10 +1796,11 @@ function get_dropdown( array $p_control_array, $p_control_name, $p_match = '', $
  */
 function print_bug_attachments_list( $p_bug_id ) {
 	$t_attachments = file_get_visible_attachments( $p_bug_id );
+	$t_security_token = form_security_token( 'bug_file_delete' );
 	echo "\n<ul>";
 	foreach ( $t_attachments as $t_attachment ) {
 		echo "\n<li>";
-		print_bug_attachment( $t_attachment );
+		print_bug_attachment( $t_attachment, $t_security_token );
 		echo "\n</li>";
 	}
 	echo "\n</ul>";
@@ -1809,18 +1810,25 @@ function print_bug_attachments_list( $p_bug_id ) {
  * Prints information about a single attachment including download link, file
  * size, upload timestamp and an expandable preview for text and image file
  * types.
+ * If $p_security_token is null, a token will be generated with form_security_token().
+ * If otherwise specified (i.e. not null), the parameter must contain
+ * a valid security token, previously generated by form_security_token().
+ * Use this to avoid performance issues when loading pages having many calls to
+ * this function, such as print_bug_attachments_list().
  * @param array $p_attachment An attachment array from within the array returned by the file_get_visible_attachments() function.
+ * @param mixed  $p_security_token Optional; null (default) or security token string.
+ * @see form_security_token()
  * @return void
  */
-function print_bug_attachment( array $p_attachment ) {
+function print_bug_attachment( array $p_attachment, $p_security_token = null ) {
 	$t_show_attachment_preview = $p_attachment['preview'] && $p_attachment['exists'] && ( $p_attachment['type'] == 'text' || $p_attachment['type'] == 'image' );
 	if( $t_show_attachment_preview ) {
 		$t_collapse_id = 'attachment_preview_' . $p_attachment['id'];
 		global $g_collapse_cache_token;
 		$g_collapse_cache_token[$t_collapse_id] = false;
 		collapse_open( $t_collapse_id );
 	}
-	print_bug_attachment_header( $p_attachment );
+	print_bug_attachment_header( $p_attachment, $p_security_token );
 	if( $t_show_attachment_preview ) {
 		echo lang_get( 'word_separator' );
 		collapse_icon( $t_collapse_id );
@@ -1830,7 +1838,7 @@ function print_bug_attachment( array $p_attachment ) {
 			print_bug_attachment_preview_image( $p_attachment );
 		}
 		collapse_closed( $t_collapse_id );
-		print_bug_attachment_header( $p_attachment );
+		print_bug_attachment_header( $p_attachment, $p_security_token );
 		echo lang_get( 'word_separator' );
 		collapse_icon( $t_collapse_id );
 		collapse_end( $t_collapse_id );
@@ -1840,10 +1848,17 @@ function print_bug_attachment( array $p_attachment ) {
 /**
  * Prints a single textual line of information about an attachment including download link, file
  * size and upload timestamp.
+ * If $p_security_token is null, a token will be generated with form_security_token().
+ * If otherwise specified (i.e. not null), the parameter must contain
+ * a valid security token, previously generated by form_security_token().
+ * Use this to avoid performance issues when loading pages having many calls to
+ * this function, such as print_bug_attachments_list().
  * @param array $p_attachment An attachment array from within the array returned by the file_get_visible_attachments() function.
+ * @param mixed  $p_security_token Optional; null (default) or security token string.
+ * @see form_security_token()
  * @return void
  */
-function print_bug_attachment_header( array $p_attachment ) {
+function print_bug_attachment_header( array $p_attachment, $p_security_token = null ) {
 	echo "\n";
 	if( $p_attachment['exists'] ) {
 		if( $p_attachment['can_download'] ) {
@@ -1871,7 +1886,7 @@ function print_bug_attachment_header( array $p_attachment ) {
 
 	if( $p_attachment['can_delete'] ) {
 		echo lang_get( 'word_separator' ) . '[';
-		print_link( 'bug_file_delete.php?file_id=' . $p_attachment['id'] . form_security_param( 'bug_file_delete' ), lang_get( 'delete_link' ), false, 'small' );
+		print_link( 'bug_file_delete.php?file_id=' . $p_attachment['id'] . form_security_param( 'bug_file_delete', $p_security_token ), lang_get( 'delete_link' ), false, 'small' );
 		echo ']';
 	}
 }