
Commit 12de87f

* [Security/CSRF] Fixed a medium risk CSRF (cross-site request forgery) vulnerability reported by High-Tech Bridge (HTB23269). We don't have any evidence of this having taken place in the wild, but we were able to reproduce the results with the proof-of-concept in the advisory. A logged-in worker could be tricked into visiting a URL that could perform certain actions in their browser session. Cerb now uses the Synchronizer pattern: a session-based token included with every HTML FORM and Ajax request that is compared to the active session. This verifies that such requests are coming from an existing Cerb page rather than an external source. When a potential CSRF attack is detected, the event is now logged in the PHP log as a warning.
1 parent f911b25 commit 12de87f
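The commit message describes the synchronizer-token pattern in three parts: issue a random token at login and store it in the session, emit it as a hidden field in every form, and compare the submitted value with the session copy before running a state-changing action, logging a warning on mismatch. The following is an added, self-contained PHP example of that pattern; it is not Cerb's code, and the function names (`csrf_issue_token`, `csrf_hidden_input`, `csrf_verify_request`, `handle_save_role`) and the `X-CSRF-Token` header are this example's own assumptions. Only the `$_SESSION['csrf_token']` key and the `_csrf_token` form field mirror what the commit adds.

```php
<?php
// Added example, not Cerb's code: the synchronizer-token pattern described in
// the commit message. Function names and the X-CSRF-Token header are assumed.

// Issue a fresh token when the worker logs in (call after session_regenerate_id()).
function csrf_issue_token(): string {
    // random_bytes() is a CSPRNG; 32 bytes -> 64 hex characters.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}

// Hidden field that every state-changing form must carry.
function csrf_hidden_input(): string {
    $token = $_SESSION['csrf_token'] ?? '';
    return '<input type="hidden" name="_csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session token.
// Returns true when the request may proceed; logs a warning and returns false otherwise.
function csrf_verify_request(array $request, array $server): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // Accept the form field or a request header, so Ajax calls can carry the token too.
    $submitted = $request['_csrf_token'] ?? ($server['HTTP_X_CSRF_TOKEN'] ?? '');

    // hash_equals() is constant-time; never compare tokens with == or ===.
    if ($expected === '' || $submitted === '' || !hash_equals($expected, $submitted)) {
        // Log enough to investigate; never write the expected token to the log.
        error_log(sprintf(
            'WARNING: CSRF token mismatch uri=%s ip=%s session=%s',
            $server['REQUEST_URI'] ?? '-',
            $server['REMOTE_ADDR'] ?? '-',
            session_id()
        ));
        return false;
    }
    return true;
}

// A guarded handler: only POST requests with a valid token reach the action.
function handle_save_role(array $request, array $server): string {
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 'rejected: state-changing actions must be POST';
    }
    if (!csrf_verify_request($request, $server)) {
        http_response_code(403);
        return 'rejected: csrf token mismatch';
    }
    return 'saved role ' . (int)($request['id'] ?? 0);
}

// Constructed demo for the CLI: the session is simulated with a plain array.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $token  = csrf_issue_token();
    $server = ['REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/index.php', 'REMOTE_ADDR' => '127.0.0.1'];

    echo csrf_hidden_input(), "\n";

    // Submit from a real Cerb page: the token travels with the form.
    echo handle_save_role(['action' => 'saveRole', 'id' => 7, '_csrf_token' => $token], $server), "\n";

    // Cross-site submit: the foreign page cannot read the token, so the field is missing.
    echo handle_save_role(['action' => 'saveRole', 'id' => 7], $server), "\n";
}
```

The two design points worth carrying into any real implementation are the ones the hunks on this page cannot show: the comparison is constant-time (`hash_equals`), and the log line records where the mismatch came from without ever printing the session's token.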

196 files changed

+308
-17
lines changed


Diff for: features/cerberusweb.core/api/uri/login.php

+3
Original file line number | Diff line number | Diff line change
@@ -304,6 +304,9 @@ private function _processAuthenticated($worker) { /* @var $worker Model_Worker *
304304

305305
$session->setVisit($visit);
306306

307+
// Generate a CSRF token for the session
308+
$_SESSION['csrf_token'] = CerberusApplication::generatePassword(256);
309+
307310
if(isset($_SESSION['login_post_url'])) {
308311
$redirect_path = explode('/', $_SESSION['login_post_url']);
309312
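Review bot: the comment above `$_SESSION['csrf_token'] = CerberusApplication::generatePassword(256);` should state what randomness source generatePassword() draws from, because a synchronizer token is only as strong as its unpredictability; if that helper is built on mt_rand()/rand() rather than a CSPRNG (openssl_random_pseudo_bytes() or random_bytes()), use one directly here. Two smaller points: the token is issued once per login, so any later session-id regeneration must preserve the $_SESSION contents or every open form goes stale; and the server-side comparison the commit message describes is not in this hunk, so when it is reviewed it should use hash_equals() rather than == to avoid a timing side channel.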

Diff for: features/cerberusweb.core/templates/configuration/section/acl/edit_role.tpl

+1
@@ -4,6 +4,7 @@
44
<input type="hidden" name="action" value="saveRole">
55
<input type="hidden" name="id" value="{if !empty($role->id)}{$role->id}{else}0{/if}">
66
<input type="hidden" name="do_delete" value="0">
7+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
78

89
{if $saved}
910
<div class="ui-widget">
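Review bot: `{$session.csrf_token}` is interpolated into the value attribute without an escape modifier. The token is server-generated, so this is not an injection point today, but `{$session.csrf_token|escape}` costs nothing and keeps the pattern safe if the token format ever changes. Also confirm that `$session` is assigned to every template that renders one of these forms (the same hidden input is added to every template below); a missing assignment silently yields `value=""`, and every submit from that page would then be rejected and logged as a CSRF attempt.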

Diff for: features/cerberusweb.core/templates/configuration/section/branding/index.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="a" value="handleSectionAction">
66
<input type="hidden" name="section" value="branding">
77
<input type="hidden" name="action" value="saveJson">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<fieldset>
1011
<legend>Settings</legend>

Diff for: features/cerberusweb.core/templates/configuration/section/cache/peek.tpl

+1
@@ -3,6 +3,7 @@
33
<input type="hidden" name="a" value="handleSectionAction">
44
<input type="hidden" name="section" value="cache">
55
<input type="hidden" name="action" value="saveCachePeek">
6+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
67

78
{foreach from=$engines item=engine key=engine_id}
89
<fieldset class="peek" style="margin-bottom:0;">

Diff for: features/cerberusweb.core/templates/configuration/section/license/index.tpl

+1
@@ -28,6 +28,7 @@
2828
<input type="hidden" name="section" value="license">
2929
<input type="hidden" name="action" value="saveJson">
3030
<input type="hidden" name="do_delete" value="0">
31+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
3132

3233
<fieldset>
3334
<legend>Update License</legend>

Diff for: features/cerberusweb.core/templates/configuration/section/localization/index.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="a" value="handleSectionAction">
66
<input type="hidden" name="section" value="localization">
77
<input type="hidden" name="action" value="saveJson">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<fieldset>
1011
<legend>Date &amp; Time</legend>

Diff for: features/cerberusweb.core/templates/configuration/section/mail_failed/peek.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="action" value="savePeekPopup">
66
<input type="hidden" name="view_id" value="{$view_id}">
77
<input type="hidden" name="do_delete" value="0">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<b>storage/mail/fail/{$filename}:</b>
1011
<div>

Diff for: features/cerberusweb.core/templates/configuration/section/mail_failed/view.tpl

+2
@@ -28,6 +28,8 @@
2828
<input type="hidden" name="section" value="mail_failed">
2929
<input type="hidden" name="action" value="">
3030
<input type="hidden" name="explore_from" value="0">
31+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
32+
3133
<table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">
3234

3335
{* Column Headers *}
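Review bot: this worklist form carries `name="action" value=""`, so its action is filled in by script before submission; the new token field only helps if that script submits or serializes the form element itself rather than assembling its own parameter string. Confirm the bulk and explore submit paths for these worklist forms pick up `_csrf_token`; the same applies to the other view.tpl hunks in this commit that share the empty `action`/`a` pattern.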

Diff for: features/cerberusweb.core/templates/configuration/section/mail_filtering/index.tpl

+3-1
@@ -11,11 +11,13 @@
1111
{/foreach}
1212

1313
{if !$has_atleast_one}
14-
<form action="{devblocks_url}{/devblocks_url}">
14+
<form action="{devblocks_url}{/devblocks_url}" method="POST">
1515
<input type="hidden" name="c" value="config">
1616
<input type="hidden" name="a" value="handleSectionAction">
1717
<input type="hidden" name="section" value="mail_filtering">
1818
<input type="hidden" name="action" value="createDefaultVa">
19+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
20+
1921
<div class="help-box" style="padding:5px;border:0;">
2022
<h1 style="margin-bottom:5px;text-align:left;">Create a global Virtual Attendant</h1>
2123
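Review bot: adding `method="POST"` here is the right companion to the token, since `createDefaultVa` is a state-changing action and the form previously used the default GET method, which put its parameters in a URL reachable from a plain link or image. Check that the server-side handler for this action also rejects GET; if it still accepts both methods, the token check must run for both, otherwise the POST-only form is a cosmetic change.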

Diff for: features/cerberusweb.core/templates/configuration/section/mail_from/index.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="a" value="handleSectionAction">
66
<input type="hidden" name="section" value="mail_from">
77
<input type="hidden" name="action" value="saveJson">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<div style="margin-bottom:10px;">
1011
<button type="button" onclick="genericAjaxPopup('peek','c=config&a=handleSectionAction&section=mail_from&action=peek&id=0',null,false,'550');"><span class="glyphicons glyphicons-circle-plus" style="color:rgb(0,180,0);"></span> {'common.add'|devblocks_translate|capitalize}</button>
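Review bot: the context line below the hunk builds its own query string, `genericAjaxPopup('peek','c=config&a=handleSectionAction&section=mail_from&action=peek&id=0',...)`, with no `_csrf_token`. The commit message says Ajax requests carry the token, so presumably the Ajax helper appends it globally; confirm that, because any Ajax call that composes parameters by hand would otherwise be rejected by the new check (a functional bug for a read-only peek, a missed protection for a save action).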

Diff for: features/cerberusweb.core/templates/configuration/section/mail_from/peek.tpl

+1
@@ -4,6 +4,7 @@
44
<input type="hidden" name="section" value="mail_from">
55
<input type="hidden" name="action" value="savePeek">
66
<input type="hidden" name="id" value="{$address->address_id}">
7+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
78

89
<fieldset class="peek">
910
<legend>Send worker replies as:</legend>

Diff for: features/cerberusweb.core/templates/configuration/section/mail_html/peek.tpl

+1
@@ -6,6 +6,7 @@
66
<input type="hidden" name="view_id" value="{$view_id}">
77
{if !empty($model) && !empty($model->id)}<input type="hidden" name="id" value="{$model->id}">{/if}
88
<input type="hidden" name="do_delete" value="0">
9+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
910

1011
<div id="mailTemplateTabs">
1112
<ul>

Diff for: features/cerberusweb.core/templates/configuration/section/mail_html/view.tpl

+2
@@ -33,6 +33,8 @@
3333
<input type="hidden" name="section" value="html_template">
3434
<input type="hidden" name="action" value="">
3535
<input type="hidden" name="explore_from" value="0">
36+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
37+
3638
<table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">
3739

3840
{* Column Headers *}

Diff for: features/cerberusweb.core/templates/configuration/section/mail_import/index.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="a" value="handleSectionAction">
66
<input type="hidden" name="section" value="mail_import">
77
<input type="hidden" name="action" value="parseMessageJson">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<b>Paste a message source:</b>
1011
<div>

Diff for: features/cerberusweb.core/templates/configuration/section/mail_incoming/index.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="a" value="handleSectionAction">
66
<input type="hidden" name="section" value="mail_incoming">
77
<input type="hidden" name="action" value="saveJson">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<fieldset>
1011
<legend>{'common.settings'|devblocks_translate|capitalize}</legend>

Diff for: features/cerberusweb.core/templates/configuration/section/mail_relay/index.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="a" value="handleSectionAction">
66
<input type="hidden" name="section" value="mail_relay">
77
<input type="hidden" name="action" value="saveJson">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<p>
1011
The email relay enables workers to respond to messages from external mail applications (e.g. Gmail, mobile phones, Outlook, etc) instead of always requiring them to use Cerb in the web browser.

Diff for: features/cerberusweb.core/templates/configuration/section/mail_routing/index.tpl

+1
@@ -12,6 +12,7 @@
1212
<input type="hidden" name="a" value="handleSectionAction">
1313
<input type="hidden" name="section" value="mail_routing">
1414
<input type="hidden" name="action" value="saveRouting">
15+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
1516

1617
<b>Which group should receive any unrouted new mail?</b><br>
1718
<select name="default_group_id">

Diff for: features/cerberusweb.core/templates/configuration/section/mail_routing/peek.tpl

+1
@@ -4,6 +4,7 @@
44
<input type="hidden" name="section" value="mail_routing">
55
<input type="hidden" name="action" value="saveMailRoutingRuleAdd">
66
<input type="hidden" name="id" value="{$rule->id}">
7+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
78

89
<b>Rule Name:</b> (e.g. ProductX Support)<br>
910
<input type="text" name="name" value="{$rule->name}" size="45" style="width:95%;"><br>

Diff for: features/cerberusweb.core/templates/configuration/section/plugin_library/download_popup.tpl

+1-8
@@ -1,12 +1,5 @@
11
<form action="{devblocks_url}{/devblocks_url}" method="POST" id="frmCerb6PluginDownload">
2-
{*
3-
<input type="hidden" name="c" value="config">
4-
<input type="hidden" name="a" value="handleSectionAction">
5-
<input type="hidden" name="section" value="plugin_library">
6-
<input type="hidden" name="action" value="saveDownloadPopup">
7-
<input type="hidden" name="plugin_id" value="{$plugin->id}">
8-
<input type="hidden" name="view_id" value="{$view_id}">
9-
*}
2+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
103

114
<b>{$plugin->name}</b><br>
125
<br>
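Review bot: the removed `{* ... *}` block was already commented out, so dropping it is cleanup, but it leaves this form (`id="frmCerb6PluginDownload"`) with `_csrf_token` as its only hidden input and no `c`/`a`/`section`/`action` fields. The routing parameters must therefore come from the script bound to that form id; make sure it submits the form element itself, so the new hidden field is sent, rather than building its own request body.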

Diff for: features/cerberusweb.core/templates/configuration/section/plugin_library/view.tpl

+2
@@ -26,6 +26,8 @@
2626
<input type="hidden" name="context_id" value="">
2727
<input type="hidden" name="id" value="{$view->id}">
2828
<input type="hidden" name="explore_from" value="0">
29+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
30+
2931
<table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
3032

3133
{* Column Headers *}

Diff for: features/cerberusweb.core/templates/configuration/section/plugins/popup.tpl

+1
@@ -6,6 +6,7 @@
66
<input type="hidden" name="plugin_id" value="{$plugin->id}">
77
<input type="hidden" name="view_id" value="{$view_id}">
88
{if $is_uninstallable}<input type="hidden" name="uninstall" value="0">{/if}
9+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
910

1011
<div>
1112
<b>{'common.status'|devblocks_translate|capitalize}:</b>

Diff for: features/cerberusweb.core/templates/configuration/section/plugins/view.tpl

+2
@@ -26,6 +26,8 @@
2626
<input type="hidden" name="context_id" value="">
2727
<input type="hidden" name="id" value="{$view->id}">
2828
<input type="hidden" name="explore_from" value="0">
29+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
30+
2931
<table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
3032

3133
{* Column Headers *}

Diff for: features/cerberusweb.core/templates/configuration/section/portal/tabs/settings/index.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="action" value="saveTabSettings">
66
<input type="hidden" name="portal" value="{$instance->code}">
77
<input type="hidden" name="do_delete" value="0">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<b>Portal Name:</b> ("Support Portal", "Contact Form", "ProductX FAQ")<br>
1011
<input type="text" name="portal_name" value="{if !empty($instance->name)}{$instance->name}{else}{$instance->manifest->name}{/if}" size="65"><br>

Diff for: features/cerberusweb.core/templates/configuration/section/portal/tabs/templates/add.tpl

+1
@@ -7,6 +7,7 @@
77
<input type="hidden" name="action" value="saveAddTemplatePeek">
88
<input type="hidden" name="view_id" value="{$view_id}">
99
<input type="hidden" name="portal" value="{$portal}">
10+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
1011

1112
<b>Template:</b><br>
1213
<select name="template">

Diff for: features/cerberusweb.core/templates/configuration/section/portal/tabs/templates/bulk.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="action" value="doTemplatesBulkUpdate">
66
<input type="hidden" name="view_id" value="{$view_id}">
77
<input type="hidden" name="ids" value="{$ids}">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<fieldset>
1011
<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

Diff for: features/cerberusweb.core/templates/configuration/section/portal/tabs/templates/export.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="action" value="saveExportTemplatesPeek">
66
<input type="hidden" name="view_id" value="{$view_id}">
77
<input type="hidden" name="portal" value="{$portal}">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<b>Filename:</b> (.xml)<br>
1011
<input type="text" name="filename" size="45" value="cerb_portal_templates_{$smarty.const.APP_BUILD}.xml"><br>

Diff for: features/cerberusweb.core/templates/configuration/section/portal/tabs/templates/import.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="action" value="saveImportTemplatesPeek">
66
<input type="hidden" name="view_id" value="{$view_id}">
77
<input type="hidden" name="portal" value="{$portal}">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<b>Import File:</b> (.xml)<br>
1011
<input type="file" name="import_file" size="45"><br>

Diff for: features/cerberusweb.core/templates/configuration/section/portal/tabs/templates/peek.tpl

+1
@@ -6,6 +6,7 @@
66
<input type="hidden" name="id" value="{$template->id}">
77
<input type="hidden" name="view_id" value="{$view_id}">
88
<input type="hidden" name="do_delete" value="0">
9+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
910

1011
<b>{$template->path}:</b><br>
1112
<textarea name="content" wrap="off" style="height:300px;width:98%;">{$template->content}</textarea><br>

Diff for: features/cerberusweb.core/templates/configuration/section/portal/tabs/templates/view.tpl

+2
@@ -20,6 +20,8 @@
2020
<input type="hidden" name="view_id" value="{$view->id}">
2121
<input type="hidden" name="c" value="config">
2222
<input type="hidden" name="a" value="">
23+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
24+
2325
<table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
2426

2527
{* Column Headers *}

Diff for: features/cerberusweb.core/templates/configuration/section/portals/add.tpl

+1
@@ -4,6 +4,7 @@
44
<input type="hidden" name="a" value="handleSectionAction">
55
<input type="hidden" name="section" value="portals">
66
<input type="hidden" name="action" value="saveAddPortalPeek">
7+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
78

89
<b>Portal Name:</b> ("Support Portal", "Contact Form", "ProductX FAQ")<br>
910
<input type="text" name="name" value="" style="width:98%;" autofocus="true"><br>

Diff for: features/cerberusweb.core/templates/configuration/section/portals/view.tpl

+2
@@ -21,6 +21,8 @@
2121
<input type="hidden" name="view_id" value="{$view->id}">
2222
<input type="hidden" name="c" value="config">
2323
<input type="hidden" name="a" value="">
24+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
25+
2426
<table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
2527

2628
{* Column Headers *}

Diff for: features/cerberusweb.core/templates/configuration/section/scheduler/job_edit.tpl

+1
@@ -14,6 +14,7 @@
1414
<input type="hidden" name="section" value="scheduler">
1515
<input type="hidden" name="action" value="saveJobJson">
1616
<input type="hidden" name="id" value="{$job->manifest->id}">
17+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
1718

1819
<label><input type="checkbox" name="enabled" value="1" {if $enabled}checked{/if}> <b>Enabled</b></label>
1920

Diff for: features/cerberusweb.core/templates/configuration/section/search/peek.tpl

+1
@@ -4,6 +4,7 @@
44
<input type="hidden" name="section" value="search">
55
<input type="hidden" name="action" value="saveSearchSchemaPeek">
66
<input type="hidden" name="schema_extension_id" value="{$schema->id}">
7+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
78

89
{foreach from=$search_engines item=engine key=engine_id}
910
<fieldset class="peek">

Diff for: features/cerberusweb.core/templates/configuration/section/security/index.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="a" value="handleSectionAction">
66
<input type="hidden" name="section" value="security">
77
<input type="hidden" name="action" value="saveJson">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<fieldset>
1011
<legend>Remote Administration</legend>

Diff for: features/cerberusweb.core/templates/configuration/section/sessions/bulk.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="action" value="doSessionsBulkUpdate">
66
<input type="hidden" name="view_id" value="{$view_id}">
77
<input type="hidden" name="ids" value="{$ids}">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<fieldset>
1011
<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

Diff for: features/cerberusweb.core/templates/configuration/section/sessions/view.tpl

+2
@@ -21,6 +21,8 @@
2121
<input type="hidden" name="view_id" value="{$view->id}">
2222
<input type="hidden" name="c" value="config">
2323
<input type="hidden" name="a" value="">
24+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
25+
2426
<table cellpadding="3" cellspacing="0" border="0" width="100%" class="worklistBody">
2527

2628
{* Column Headers *}

Diff for: features/cerberusweb.core/templates/configuration/section/storage_attachments/bulk.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="action" value="doAttachmentsBulkUpdate">
66
<input type="hidden" name="view_id" value="{$view_id}">
77
<input type="hidden" name="ids" value="{$ids}">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<fieldset>
1011
<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

Diff for: features/cerberusweb.core/templates/configuration/section/storage_attachments/view.tpl

+2
@@ -21,6 +21,8 @@
2121
<input type="hidden" name="view_id" value="{$view->id}">
2222
<input type="hidden" name="c" value="config">
2323
<input type="hidden" name="a" value="">
24+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
25+
2426
<table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
2527

2628
{* Column Headers *}

Diff for: features/cerberusweb.core/templates/configuration/section/storage_content/index.tpl

+1
@@ -3,6 +3,7 @@
33
<form action="{devblocks_url}{/devblocks_url}" method="POST" style="margin-bottom:5px;">
44
<input type="hidden" name="c" value="config">
55
<input type="hidden" name="a" value="">
6+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
67

78
<fieldset>
89
<legend>Database</legend>

Diff for: features/cerberusweb.core/templates/configuration/section/storage_content/peek.tpl

+1
@@ -4,6 +4,7 @@
44
<input type="hidden" name="section" value="storage_content">
55
<input type="hidden" name="action" value="saveStorageSchemaPeek">
66
<input type="hidden" name="ext_id" value="{$schema->manifest->id}">
7+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
78

89
{$schema->renderConfig()}
910

Diff for: features/cerberusweb.core/templates/configuration/section/storage_profiles/peek.tpl

+1
@@ -14,6 +14,7 @@
1414
<input type="hidden" name="id" value="{$profile->id}">
1515
<input type="hidden" name="view_id" value="{$view_id}">
1616
<input type="hidden" name="do_delete" value="0">
17+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
1718

1819
<b>{'common.name'|devblocks_translate|capitalize}:</b><br>
1920
<input type="text" name="name" value="{$profile->name}" style="width:98%;" autofocus="true"><br>

Diff for: features/cerberusweb.core/templates/configuration/section/storage_profiles/view.tpl

+2
@@ -19,6 +19,8 @@
1919
<input type="hidden" name="view_id" value="{$view->id}">
2020
<input type="hidden" name="c" value="config">
2121
<input type="hidden" name="a" value="">
22+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
23+
2224
<table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
2325

2426
{* Column Headers *}

Diff for: features/cerberusweb.core/templates/configuration/section/workers/bulk.tpl

+1
@@ -5,6 +5,7 @@
55
<input type="hidden" name="action" value="doWorkersBulkUpdate">
66
<input type="hidden" name="view_id" value="{$view_id}">
77
<input type="hidden" name="ids" value="{$ids}">
8+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
89

910
<fieldset class="peek">
1011
<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

Diff for: features/cerberusweb.core/templates/configuration/section/workers/peek.tpl

+1
@@ -6,6 +6,7 @@
66
<input type="hidden" name="id" value="{$worker->id}">
77
<input type="hidden" name="view_id" value="{$view_id}">
88
<input type="hidden" name="do_delete" value="0">
9+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
910

1011
<fieldset class="peek">
1112
<legend>{'common.properties'|devblocks_translate|capitalize}</legend>

Diff for: features/cerberusweb.core/templates/contacts/addresses/bulk.tpl

+1
@@ -3,6 +3,7 @@
33
<input type="hidden" name="a" value="doAddressBatchUpdate">
44
<input type="hidden" name="view_id" value="{$view_id}">
55
<input type="hidden" name="ids" value="{$ids}">
6+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
67

78
<fieldset class="peek">
89
<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

Diff for: features/cerberusweb.core/templates/contacts/addresses/peek.tpl

+1
@@ -7,6 +7,7 @@
77
<input type="hidden" name="link_context_id" value="{$link_context_id}">
88
{/if}
99
<input type="hidden" name="view_id" value="{$view_id}">
10+
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
1011

1112
<fieldset class="peek">
1213
<legend>{'common.properties'|devblocks_translate}</legend>
