Add form security tokens to prevent CSRF issues

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5363 f5dc347c-c33d-0410-90a0-b07cc1902cb9
mantisbt · Jun 13, 2008 · 9ec4203 · 9ec4203
1 parent a39a077
commit 9ec4203
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 1 deletion.
diff --git a/account_prof_edit_page.php b/account_prof_edit_page.php
@@ -65,6 +65,7 @@
 <br />
 <div align="center">
 <form method="post" action="account_prof_update.php">
+<?php  echo form_security_field( 'profile_update' )?>
 <input type="hidden" name="action" value="update">
 <table class="width75" cellspacing="1">
 <tr>

diff --git a/account_prof_menu_page.php b/account_prof_menu_page.php
@@ -74,6 +74,7 @@
 <br />
 <div align="center">
 <form method="post" action="account_prof_update.php">
+<?php  echo form_security_field( 'profile_update' )?>
 <input type="hidden" name="action" value="add">
 <table class="width75" cellspacing="1">
 <tr>
@@ -142,6 +143,7 @@
 <br />
 <div align="center">
 <form method="post" action="account_prof_update.php">
+<?php  echo form_security_field( 'profile_update' )?>
 <table class="width75" cellspacing="1">
 <tr>
 	<td class="form-title" colspan="2">

diff --git a/account_prof_update.php b/account_prof_update.php
@@ -30,7 +30,7 @@
 
 	require_once( $t_core_path.'profile_api.php' );
 
-	helper_ensure_post();
+	form_security_validate('profile_update');
 
 	auth_ensure_user_authenticated();