From c11454db379944b3d95d92c7ca5d425247165d57 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Wed, 21 Jan 2009 14:47:12 +0000
Subject: [PATCH] - Patch #361699 by David Rothstein: prevent CSRF on update.php. Already went into D6.
---
 update.php | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/update.php b/update.php
index 6aec74f6b49..b45f2045c8f 100644
--- a/update.php
+++ b/update.php
@@ -282,7 +282,7 @@ function update_script_selection_form() {
 );
 $form['submit'] = array(
 '#type' => 'submit',
- '#value' => 'Apply pending updates',
+ '#value' => 'apply pending updates',
 );
 }
 return $form;
@@ -420,6 +420,7 @@ function update_info_page() {
 update_task_list('info');
 drupal_set_title('Drupal database update');
+ $token = drupal_get_token('update');
 $output = '

Use this utility to update your database whenever a new release of Drupal or a module is installed.

For more detailed information, see the Installation and upgrading handbook. If you are unsure what these terms mean you should probably contact your hosting provider.

'; $output .= "
    \n"; $output .= "
  1. Back up your database. This process will change your database values and in case of emergency you may need to revert to a backup.
  2. \n";
@@ -428,7 +429,7 @@ function update_info_page() {
 $output .= "
  3. Install your new files in the appropriate location, as described in the handbook.
  4. \n"; $output .= "
\n"; $output .= "

When you have performed the steps above, you may proceed.

\n";
- $output .= '
';
+ $output .= '
'; $output .= "\n";
 return $output;
 }
@@ -708,16 +709,21 @@ function update_check_requirements() {
 $op = isset($_REQUEST['op']) ? $_REQUEST['op'] : '';
 switch ($op) {
 // update.php ops
- case 'info':
- $output = update_info_page();
- break;
 case 'selection':
- $output = update_selection_page();
- break;
+ if (isset($_GET['token']) && $_GET['token'] == drupal_get_token('update')) {
+ $output = update_selection_page();
+ break;
+ }
- case 'Apply pending updates':
- update_batch();
+ case 'apply pending updates':
+ if (isset($_GET['token']) && $_GET['token'] == drupal_get_token('update')) {
+ update_batch();
+ break;
+ }
+
+ case 'info':
+ $output = update_info_page();
 break;
 case 'results':
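Review bot: Both new token guards, in `case 'selection':` and `case 'apply pending updates':`, compare the submitted token with loose `==`, which in PHP compares two numeric-looking strings as numbers rather than byte for byte; use `if (isset($_GET['token']) && $_GET['token'] === drupal_get_token('update')) {` in both places (on PHP versions that provide it, `hash_equals()` additionally gives a constant-time comparison). The fallthrough on a missing or mismatched token — `selection` drops into `apply pending updates` and from there into `info` — is intentional but nothing in the code says so, so a later reordering of the cases or an added `break;` would silently remove the protection; a comment such as `// No valid token: fall through to the info page. The two guarded cases above must stay directly before this one.` placed above `case 'info':` would make that explicit. The guards read `op` from `$_REQUEST` but the token only from `$_GET`, so a token carried in the POST body is not accepted; that appears deliberate given the token is placed in the form action URL elsewhere in this patch, but it deserves a line in the same comment. The `switch ($op)` block starts and ends outside this hunk.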