Red Hat Bugzilla – Attachment 305711 Details for Bug 446926 - CVE-2008-2276 mantis: multiple CSRF issues
[patch] Fix applied upstream
mantis-CVE-2008-2276.diff (text/plain), 60.74 KB, created by Tomas Hoger on 2008-05-16 17:09:40 UTC

Description: Fix applied upstream
Filename: mantis-CVE-2008-2276.diff
MIME Type: text/plain
Creator: Tomas Hoger
Created: 2008-05-16 17:09:40 UTC
Size: 60.74 KB
Flags: patch, obsolete
>Mantis 1.1.1 CSRF - CVE-2008-2276 > >svn diff -c 5132 https://mantisbt.svn.sourceforge.net/svnroot/mantisbt > >http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5132 >http://www.mantisbt.org/bugs/view.php?id=8995 >http://secunia.com/advisories/30270 > >Index: trunk/mantisbt/news_delete.php >=================================================================== >--- trunk/mantisbt/news_delete.php (revision 5131) >+++ trunk/mantisbt/news_delete.php (revision 5132) >@@ -20,15 +20,15 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'news_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > $f_news_id = gpc_get_int( 'news_id' ); > > $row = news_get_row( $f_news_id ); >Index: trunk/mantisbt/print_all_bug_options_reset.php >=================================================================== >--- trunk/mantisbt/print_all_bug_options_reset.php (revision 5131) >+++ trunk/mantisbt/print_all_bug_options_reset.php (revision 5132) >@@ -30,6 +30,8 @@ > require_once( $t_core_path.'current_user_api.php' ); > require( 'print_all_bug_options_inc.php' ); > >+ helper_ensure_post(); >+ > auth_ensure_user_authenticated(); > > # protected account check >Index: trunk/mantisbt/print_all_bug_options_update.php >=================================================================== >--- trunk/mantisbt/print_all_bug_options_update.php (revision 5131) >+++ trunk/mantisbt/print_all_bug_options_update.php (revision 5132) 
>@@ -20,15 +20,16 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # Updates printing prefs then redirect to print_all_bug_page_page.php >-?> >-<?php require_once( 'core.php' ) ?> >-<?php require( 'print_all_bug_options_inc.php' ) ?> > >-<?php auth_ensure_user_authenticated() ?> >-<?php >+ require_once( 'core.php' ); >+ require( 'print_all_bug_options_inc.php' ); >+ >+ helper_ensure_post(); >+ >+ auth_ensure_user_authenticated(); >+ > $f_user_id = gpc_get_int( 'user_id' ); > $f_redirect_url = gpc_get_string( 'redirect_url' ); > >Index: trunk/mantisbt/bug_reminder.php >=================================================================== >--- trunk/mantisbt/bug_reminder.php (revision 5131) >+++ trunk/mantisbt/bug_reminder.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -20,11 +20,9 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # This page allows an authorized user to send a reminder by email to another user >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); 
>@@ -32,8 +30,9 @@ > require_once( $t_core_path.'bug_api.php' ); > require_once( $t_core_path.'email_api.php' ); > require_once( $t_core_path.'bugnote_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > $f_bug_id = gpc_get_int( 'bug_id' ); > $f_to = gpc_get_int_array( 'to' ); > $f_body = gpc_get_string( 'body' ); >Index: trunk/mantisbt/manage_proj_cat_copy.php >=================================================================== >--- trunk/mantisbt/manage_proj_cat_copy.php (revision 5131) >+++ trunk/mantisbt/manage_proj_cat_copy.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'category_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/bug_relationship_add.php >=================================================================== >--- trunk/mantisbt/bug_relationship_add.php (revision 5131) >+++ trunk/mantisbt/bug_relationship_add.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -29,6 +29,8 @@ > $t_core_path = config_get( 'core_path' ); > require_once( $t_core_path . 'relationship_api.php' ); > >+ helper_ensure_post(); >+ > $f_rel_type = gpc_get_int( 'rel_type' ); > $f_src_bug_id = gpc_get_int( 'src_bug_id' ); > $f_dest_bug_id_string = gpc_get_string( 'dest_bug_id' ); >Index: trunk/mantisbt/manage_plugin_update.php >=================================================================== >--- trunk/mantisbt/manage_plugin_update.php (revision 5131) >+++ trunk/mantisbt/manage_plugin_update.php (revision 5132) 
>@@ -24,6 +24,8 @@ > define( 'PLUGINS_DISABLED', true ); > require_once( 'core.php' ); > >+helper_ensure_post(); >+ > auth_reauthenticate(); > access_ensure_global_level( config_get( 'manage_plugin_threshold' ) ); > >Index: trunk/mantisbt/manage_custom_field_create.php >=================================================================== >--- trunk/mantisbt/manage_custom_field_create.php (revision 5131) >+++ trunk/mantisbt/manage_custom_field_create.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'custom_field_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) ); >Index: trunk/mantisbt/manage_proj_custom_field_copy.php >=================================================================== >--- trunk/mantisbt/manage_proj_custom_field_copy.php (revision 5131) >+++ trunk/mantisbt/manage_proj_custom_field_copy.php (revision 5132) >@@ -23,6 +23,8 @@ > > require_once('core.php'); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/manage_proj_user_copy.php >=================================================================== >--- trunk/mantisbt/manage_proj_user_copy.php (revision 5131) >+++ trunk/mantisbt/manage_proj_user_copy.php (revision 5132) >@@ -23,6 +23,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/manage_plugin_upgrade.php >=================================================================== >--- trunk/mantisbt/manage_plugin_upgrade.php (revision 5131) >+++ trunk/mantisbt/manage_plugin_upgrade.php (revision 5132) 
>@@ -24,6 +24,8 @@ > define( 'PLUGINS_DISABLED', true ); > require_once( 'core.php' ); > >+helper_ensure_post(); >+ > auth_reauthenticate(); > access_ensure_global_level( config_get( 'manage_plugin_threshold' ) ); > >Index: trunk/mantisbt/tag_update.php >=================================================================== >--- trunk/mantisbt/tag_update.php (revision 5131) >+++ trunk/mantisbt/tag_update.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path . 'tag_api.php' ); > >+ helper_ensure_post(); >+ > compress_enable(); > > $f_tag_id = gpc_get_int( 'tag_id' ); >Index: trunk/mantisbt/bug_relationship_delete.php >=================================================================== >--- trunk/mantisbt/bug_relationship_delete.php (revision 5131) >+++ trunk/mantisbt/bug_relationship_delete.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -36,6 +36,8 @@ > $t_core_path = config_get( 'core_path' ); > require_once( $t_core_path . 'relationship_api.php' ); > >+ helper_ensure_post(); >+ > $f_rel_id = gpc_get_int( 'rel_id' ); > $f_bug_id = gpc_get_int( 'bug_id' ); > >Index: trunk/mantisbt/account_sponsor_update.php >=================================================================== >--- trunk/mantisbt/account_sponsor_update.php (revision 5131) >+++ trunk/mantisbt/account_sponsor_update.php (revision 5132) 
>@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -20,23 +20,21 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >- # This page updates a user's information >+ >+ # This page updates a user's sponsorships > # If an account is protected then changes are forbidden > # The page gets redirected back to account_page.php >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'email_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > auth_ensure_user_authenticated(); >-?> >-<?php >+ > $f_bug_list = gpc_get_string( 'buglist', '' ); > $t_bug_list = explode( ',', $f_bug_list ); > >Index: trunk/mantisbt/manage_proj_custom_field_update.php >=================================================================== >--- trunk/mantisbt/manage_proj_custom_field_update.php (revision 5131) >+++ trunk/mantisbt/manage_proj_custom_field_update.php (revision 5132) 
>@@ -20,15 +20,15 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'custom_field_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > $f_field_id = gpc_get_int( 'field_id' ); > $f_project_id = gpc_get_int( 'project_id' ); > $f_sequence = gpc_get_int( 'sequence' ); >Index: trunk/mantisbt/account_prof_update.php >=================================================================== >--- trunk/mantisbt/account_prof_update.php (revision 5131) >+++ trunk/mantisbt/account_prof_update.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -30,6 +30,8 @@ > > require_once( $t_core_path.'profile_api.php' ); > >+ helper_ensure_post(); >+ > auth_ensure_user_authenticated(); > > current_user_ensure_unprotected(); >Index: trunk/mantisbt/bugnote_delete.php >=================================================================== >--- trunk/mantisbt/bugnote_delete.php (revision 5131) >+++ trunk/mantisbt/bugnote_delete.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by 
>@@ -20,12 +20,10 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # Remove the bugnote and bugnote text and redirect back to > # the viewing page >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); >@@ -33,10 +31,11 @@ > require_once( $t_core_path.'bug_api.php' ); > require_once( $t_core_path.'bugnote_api.php' ); > require_once( $t_core_path.'current_user_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > $f_bugnote_id = gpc_get_int( 'bugnote_id' ); >- >+ > $t_bug_id = bugnote_get_field( $f_bugnote_id, 'bug_id' ); > > $t_bug = bug_get( $t_bug_id, true ); >Index: trunk/mantisbt/lang/strings_english.txt >=================================================================== >--- trunk/mantisbt/lang/strings_english.txt (revision 5131) >+++ trunk/mantisbt/lang/strings_english.txt (revision 5132) >@@ -313,6 +313,7 @@ > $MANTIS_ERROR[ERROR_PLUGIN_PAGE_NOT_FOUND] = 'Plugin page not found.'; > $MANTIS_ERROR[ERROR_COLUMNS_DUPLICATE] = 'Field \'%s\' contains duplcate column \'%s\'.'; > $MANTIS_ERROR[ERROR_COLUMNS_INVALID] = 'Field \'%s\' contains invalid field \'%s\''; >+$MANTIS_ERROR[ERROR_INVALID_REQUEST_METHOD] = 'This page cannot be accessed using this method.'; > > $s_login_error = 'Your account may be disabled or blocked or the username/password you entered is incorrect.'; > $s_login_cookies_disabled = 'Your browser either doesn\'t know how to handle cookies, or refuses to handle them.'; >Index: trunk/mantisbt/manage_plugin_install.php >=================================================================== >--- trunk/mantisbt/manage_plugin_install.php (revision 5131) >+++ trunk/mantisbt/manage_plugin_install.php (revision 5132) 
>@@ -24,6 +24,8 @@ > define( 'PLUGINS_DISABLED', true ); > require_once( 'core.php' ); > >+helper_ensure_post(); >+ > auth_reauthenticate(); > access_ensure_global_level( config_get( 'manage_plugin_threshold' ) ); > >Index: trunk/mantisbt/manage_proj_delete.php >=================================================================== >--- trunk/mantisbt/manage_proj_delete.php (revision 5131) >+++ trunk/mantisbt/manage_proj_delete.php (revision 5132) >@@ -23,6 +23,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/bugnote_add.php >=================================================================== >--- trunk/mantisbt/bugnote_add.php (revision 5131) >+++ trunk/mantisbt/bugnote_add.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -20,8 +20,7 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # Insert the bugnote into the database then redirect to the bug page > > require_once( 'core.php' ); 
>@@ -31,6 +30,8 @@ > require_once( $t_core_path.'bug_api.php' ); > require_once( $t_core_path.'bugnote_api.php' ); > >+ helper_ensure_post(); >+ > $f_bug_id = gpc_get_int( 'bug_id' ); > $f_private = gpc_get_bool( 'private' ); > $f_time_tracking = gpc_get_string( 'time_tracking', '0:00' ); >Index: trunk/mantisbt/news_update.php >=================================================================== >--- trunk/mantisbt/news_update.php (revision 5131) >+++ trunk/mantisbt/news_update.php (revision 5132) >@@ -20,8 +20,7 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); >@@ -29,8 +28,9 @@ > require_once( $t_core_path.'news_api.php' ); > require_once( $t_core_path.'string_api.php' ); > require_once( $t_core_path.'print_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > $f_news_id = gpc_get_int( 'news_id' ); > $f_project_id = gpc_get_int( 'project_id' ); > $f_view_state = gpc_get_int( 'view_state' ); >Index: trunk/mantisbt/manage_proj_cat_add.php >=================================================================== >--- trunk/mantisbt/manage_proj_cat_add.php (revision 5131) >+++ trunk/mantisbt/manage_proj_cat_add.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'category_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/query_store.php >=================================================================== >--- trunk/mantisbt/query_store.php (revision 5131) >+++ trunk/mantisbt/query_store.php (revision 5132) 
>@@ -28,6 +28,8 @@ > require_once( $t_core_path.'string_api.php' ); > require_once( $t_core_path.'date_api.php' ); > >+ helper_ensure_post(); >+ > auth_ensure_user_authenticated(); > compress_enable(); > >Index: trunk/mantisbt/bug_file_add.php >=================================================================== >--- trunk/mantisbt/bug_file_add.php (revision 5131) >+++ trunk/mantisbt/bug_file_add.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -20,18 +20,17 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # Add file to a bug and then view the bug >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'file_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > $f_bug_id = gpc_get_int( 'bug_id', -1 ); > $f_file = gpc_get_file( 'file', -1 ); > >Index: trunk/mantisbt/lost_pwd.php >=================================================================== >--- trunk/mantisbt/lost_pwd.php (revision 5131) >+++ trunk/mantisbt/lost_pwd.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by 
>@@ -27,6 +27,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > # lost password feature disabled or reset password via email disabled -> stop here! > if( OFF == config_get( 'lost_password_feature' ) || > OFF == config_get( 'send_reset_password' ) || >Index: trunk/mantisbt/manage_plugin_uninstall.php >=================================================================== >--- trunk/mantisbt/manage_plugin_uninstall.php (revision 5131) >+++ trunk/mantisbt/manage_plugin_uninstall.php (revision 5132) >@@ -24,6 +24,8 @@ > define( 'PLUGINS_DISABLED', true ); > require_once( 'core.php' ); > >+helper_ensure_post(); >+ > auth_reauthenticate(); > access_ensure_global_level( config_get( 'manage_plugin_threshold' ) ); > >Index: trunk/mantisbt/manage_proj_custom_field_add_existing.php >=================================================================== >--- trunk/mantisbt/manage_proj_custom_field_add_existing.php (revision 5131) >+++ trunk/mantisbt/manage_proj_custom_field_add_existing.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'custom_field_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_field_id = gpc_get_int( 'field_id' ); >Index: trunk/mantisbt/bug_assign_reporter.php >=================================================================== >--- trunk/mantisbt/bug_assign_reporter.php (revision 5131) >+++ trunk/mantisbt/bug_assign_reporter.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by 
>@@ -20,18 +20,17 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # Assign bug to user then redirect to viewing page >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'bug_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > $f_bug_id = gpc_get_int( 'bug_id' ); > > access_ensure_bug_level( config_get( 'update_bug_threshold' ), $f_bug_id ); >Index: trunk/mantisbt/bugnote_update.php >=================================================================== >--- trunk/mantisbt/bugnote_update.php (revision 5131) >+++ trunk/mantisbt/bugnote_update.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -20,11 +20,9 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # Update bugnote data then redirect to the appropriate viewing page >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); 
>@@ -32,8 +30,9 @@ > require_once( $t_core_path.'bug_api.php' ); > require_once( $t_core_path.'bugnote_api.php' ); > require_once( $t_core_path.'current_user_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > $f_bugnote_id = gpc_get_int( 'bugnote_id' ); > $f_bugnote_text = gpc_get_string( 'bugnote_text', '' ); > $f_time_tracking = gpc_get_string( 'time_tracking', '0:00' ); >Index: trunk/mantisbt/manage_custom_field_delete.php >=================================================================== >--- trunk/mantisbt/manage_custom_field_delete.php (revision 5131) >+++ trunk/mantisbt/manage_custom_field_delete.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'custom_field_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) ); >Index: trunk/mantisbt/proj_doc_add.php >=================================================================== >--- trunk/mantisbt/proj_doc_add.php (revision 5131) >+++ trunk/mantisbt/proj_doc_add.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'file_api.php' ); > >+ helper_ensure_post(); >+ > # Check if project documentation feature is enabled. > if ( OFF == config_get( 'enable_project_documentation' ) ) { > access_denied(); >Index: trunk/mantisbt/manage_user_create.php >=================================================================== >--- trunk/mantisbt/manage_user_create.php (revision 5131) >+++ trunk/mantisbt/manage_user_create.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'email_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > access_ensure_global_level( config_get( 'manage_user_threshold' ) ); >Index: trunk/mantisbt/manage_config_workflow_set.php >=================================================================== >--- trunk/mantisbt/manage_config_workflow_set.php (revision 5131) >+++ trunk/mantisbt/manage_config_workflow_set.php (revision 5132) 
>@@ -26,6 +26,8 @@ > $t_core_path = config_get( 'core_path' ); > require_once( $t_core_path.'email_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $t_can_change_level = min( config_get_access( 'notify_flags' ), config_get_access( 'default_notify_flags' ) ); >Index: trunk/mantisbt/manage_proj_update.php >=================================================================== >--- trunk/mantisbt/manage_proj_update.php (revision 5131) >+++ trunk/mantisbt/manage_proj_update.php (revision 5132) >@@ -23,6 +23,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/manage_custom_field_proj_add.php >=================================================================== >--- trunk/mantisbt/manage_custom_field_proj_add.php (revision 5131) >+++ trunk/mantisbt/manage_custom_field_proj_add.php (revision 5132) >@@ -23,6 +23,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_field_id = gpc_get_int( 'field_id' ); >Index: trunk/mantisbt/query_delete.php >=================================================================== >--- trunk/mantisbt/query_delete.php (revision 5131) >+++ trunk/mantisbt/query_delete.php (revision 5132) >@@ -28,6 +28,8 @@ > require_once( $t_core_path.'string_api.php' ); > require_once( $t_core_path.'date_api.php' ); > >+ helper_ensure_post(); >+ > auth_ensure_user_authenticated(); > compress_enable(); > >Index: trunk/mantisbt/manage_proj_user_add.php >=================================================================== >--- trunk/mantisbt/manage_proj_user_add.php (revision 5131) >+++ trunk/mantisbt/manage_proj_user_add.php (revision 5132) 
>@@ -23,6 +23,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/account_prof_add.php >=================================================================== >--- trunk/mantisbt/account_prof_add.php (revision 5131) >+++ trunk/mantisbt/account_prof_add.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -20,23 +20,21 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # This file adds a new profile and redirects to account_proj_menu_page.php >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'profile_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > auth_ensure_user_authenticated(); > > current_user_ensure_unprotected(); >-?> >-<?php >+ > $f_platform = gpc_get_string( 'platform' ); > $f_os = gpc_get_string( 'os' ); > $f_os_build = gpc_get_string( 'os_build' ); >Index: trunk/mantisbt/manage_proj_cat_delete.php >=================================================================== >--- trunk/mantisbt/manage_proj_cat_delete.php (revision 5131) >+++ trunk/mantisbt/manage_proj_cat_delete.php (revision 5132) 
>@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'category_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_category_id = gpc_get_string( 'id' ); >Index: trunk/mantisbt/manage_proj_custom_field_remove.php >=================================================================== >--- trunk/mantisbt/manage_proj_custom_field_remove.php (revision 5131) >+++ trunk/mantisbt/manage_proj_custom_field_remove.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'custom_field_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_field_id = gpc_get_int( 'field_id' ); >Index: trunk/mantisbt/tag_attach.php >=================================================================== >--- trunk/mantisbt/tag_attach.php (revision 5131) >+++ trunk/mantisbt/tag_attach.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path . 'tag_api.php' ); > >+ helper_ensure_post(); >+ > $f_bug_id = gpc_get_int( 'bug_id' ); > $f_tag_select = gpc_get_int( 'tag_select' ); > $f_tag_string = gpc_get_string( 'tag_string' ); >Index: trunk/mantisbt/signup.php >=================================================================== >--- trunk/mantisbt/signup.php (revision 5131) >+++ trunk/mantisbt/signup.php (revision 5132) >@@ -28,6 +28,8 @@ > require_once( $t_core_path.'email_api.php' ); > require_once( $t_core_path . 'disposable' . DIRECTORY_SEPARATOR . 'disposable.php' ); > >+ helper_ensure_post(); >+ > $f_username = strip_tags( gpc_get_string( 'username' ) ); > $f_email = strip_tags( gpc_get_string( 'email' ) ); > $f_captcha = gpc_get_string( 'captcha', '' ); >Index: trunk/mantisbt/bug_actiongroup_ext.php >=================================================================== >--- trunk/mantisbt/bug_actiongroup_ext.php (revision 5131) >+++ trunk/mantisbt/bug_actiongroup_ext.php (revision 5132) 
>@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -28,19 +28,21 @@ > require_once( $t_core_path . 'bug_api.php' ); > require_once( $t_core_path . 'bug_group_action_api.php' ); > >- auth_ensure_user_authenticated(); >+ helper_ensure_post(); > >+ auth_ensure_user_authenticated(); >+ > helper_begin_long_process(); > >- $f_action = gpc_get_string( 'action' ); >+ $f_action = gpc_get_string( 'action' ); > $f_bug_arr = gpc_get_int_array( 'bug_arr', array() ); > >- $t_action_include_file = 'bug_actiongroup_' . $f_action . '_inc.php'; >+ $t_action_include_file = 'bug_actiongroup_' . $f_action . '_inc.php'; > >- require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . $t_action_include_file ); >- >- # group bugs by project >- $t_projects_bugs = array(); >+ require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . $t_action_include_file ); >+ >+ # group bugs by project >+ $t_projects_bugs = array(); > foreach( $f_bug_arr as $t_bug_id ) { > bug_ensure_exists( $t_bug_id ); > $t_bug = bug_get( $t_bug_id, true ); >Index: trunk/mantisbt/bug_monitor.php >=================================================================== >--- trunk/mantisbt/bug_monitor.php (revision 5131) >+++ trunk/mantisbt/bug_monitor.php (revision 5132) 
>@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -20,18 +20,17 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # This file turns monitoring on or off for a bug for the current user >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'bug_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > $f_bug_id = gpc_get_int( 'bug_id' ); > $t_bug = bug_get( $f_bug_id, true ); > >Index: trunk/mantisbt/manage_custom_field_update.php >=================================================================== >--- trunk/mantisbt/manage_custom_field_update.php (revision 5131) >+++ trunk/mantisbt/manage_custom_field_update.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'custom_field_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) ); >Index: trunk/mantisbt/manage_config_columns_set.php >=================================================================== >--- trunk/mantisbt/manage_config_columns_set.php (revision 5131) >+++ trunk/mantisbt/manage_config_columns_set.php (revision 5132) 
>@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -28,6 +28,8 @@ > require_once( $t_core_path . 'columns_api.php' ); > require_once( $t_core_path . 'gpc_api.php' ); > >+ helper_ensure_post(); >+ > # @@@ access_ensure_project_level( config_get( 'manage_project_threshold' ) ); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/manage_user_reset.php >=================================================================== >--- trunk/mantisbt/manage_user_reset.php (revision 5131) >+++ trunk/mantisbt/manage_user_reset.php (revision 5132) >@@ -23,6 +23,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > access_ensure_global_level( config_get( 'manage_user_threshold' ) ); >Index: trunk/mantisbt/manage_proj_update_children.php >=================================================================== >--- trunk/mantisbt/manage_proj_update_children.php (revision 5131) >+++ trunk/mantisbt/manage_proj_update_children.php (revision 5132) >@@ -23,6 +23,8 @@ > > require_once( $t_core_path.'project_hierarchy_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/bug_file_delete.php >=================================================================== >--- trunk/mantisbt/bug_file_delete.php (revision 5131) >+++ trunk/mantisbt/bug_file_delete.php (revision 5132) 
>@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -29,6 +29,8 @@ > > require_once( $t_core_path.'file_api.php' ); > >+ helper_ensure_post(); >+ > $f_file_id = gpc_get_int( 'file_id' ); > > $t_bug_id = file_get_field( $f_file_id, 'bug_id' ); >Index: trunk/mantisbt/manage_config_email_set.php >=================================================================== >--- trunk/mantisbt/manage_config_email_set.php (revision 5131) >+++ trunk/mantisbt/manage_config_email_set.php (revision 5132) >@@ -26,6 +26,8 @@ > $t_core_path = config_get( 'core_path' ); > require_once( $t_core_path.'email_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $t_can_change_level = min( config_get_access( 'notify_flags' ), config_get_access( 'default_notify_flags' ) ); >Index: trunk/mantisbt/manage_user_prune.php >=================================================================== >--- trunk/mantisbt/manage_user_prune.php (revision 5131) >+++ trunk/mantisbt/manage_user_prune.php (revision 5132) >@@ -23,6 +23,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > access_ensure_global_level( config_get( 'manage_user_threshold' ) ); >Index: trunk/mantisbt/manage_proj_ver_add.php >=================================================================== >--- trunk/mantisbt/manage_proj_ver_add.php (revision 5131) >+++ trunk/mantisbt/manage_proj_ver_add.php (revision 5132) 
>@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'version_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/manage_user_delete.php >=================================================================== >--- trunk/mantisbt/manage_user_delete.php (revision 5131) >+++ trunk/mantisbt/manage_user_delete.php (revision 5132) >@@ -23,6 +23,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > access_ensure_global_level( config_get( 'manage_user_threshold' ) ); >Index: trunk/mantisbt/manage_proj_cat_update.php >=================================================================== >--- trunk/mantisbt/manage_proj_cat_update.php (revision 5131) >+++ trunk/mantisbt/manage_proj_cat_update.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'category_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_category_id = gpc_get_int( 'category_id' ); >Index: trunk/mantisbt/account_delete.php >=================================================================== >--- trunk/mantisbt/account_delete.php (revision 5131) >+++ trunk/mantisbt/account_delete.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by 
>@@ -43,6 +43,8 @@ > # (none) > > #============ Permissions ============ >+ helper_ensure_post(); >+ > auth_ensure_user_authenticated(); > > current_user_ensure_unprotected(); >Index: trunk/mantisbt/manage_proj_ver_delete.php >=================================================================== >--- trunk/mantisbt/manage_proj_ver_delete.php (revision 5131) >+++ trunk/mantisbt/manage_proj_ver_delete.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'version_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_version_id = gpc_get_int( 'version_id' ); >Index: trunk/mantisbt/manage_proj_user_remove.php >=================================================================== >--- trunk/mantisbt/manage_proj_user_remove.php (revision 5131) >+++ trunk/mantisbt/manage_proj_user_remove.php (revision 5132) >@@ -23,6 +23,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/bug_delete.php >=================================================================== >--- trunk/mantisbt/bug_delete.php (revision 5131) >+++ trunk/mantisbt/bug_delete.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by 
>@@ -29,6 +29,8 @@ > > $f_bug_id = gpc_get_int( 'bug_id' ); > >+ helper_ensure_post(); >+ > access_ensure_bug_level( config_get( 'delete_bug_threshold' ), $f_bug_id ); > > $t_bug = bug_get( $f_bug_id, true ); >Index: trunk/mantisbt/manage_user_proj_delete.php >=================================================================== >--- trunk/mantisbt/manage_user_proj_delete.php (revision 5131) >+++ trunk/mantisbt/manage_user_proj_delete.php (revision 5132) >@@ -23,6 +23,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/adm_config_delete.php >=================================================================== >--- trunk/mantisbt/adm_config_delete.php (revision 5131) >+++ trunk/mantisbt/adm_config_delete.php (revision 5132) >@@ -23,6 +23,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > $f_user_id = gpc_get_int( 'user_id' ); > $f_project_id = gpc_get_int( 'project_id' ); > $f_config_option = gpc_get_string( 'config_option' ); >Index: trunk/mantisbt/proj_doc_delete.php >=================================================================== >--- trunk/mantisbt/proj_doc_delete.php (revision 5131) >+++ trunk/mantisbt/proj_doc_delete.php (revision 5132) >@@ -23,6 +23,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > # Check if project documentation feature is enabled. > if ( OFF == config_get( 'enable_project_documentation' ) ) { > access_denied(); >Index: trunk/mantisbt/tag_detach.php >=================================================================== >--- trunk/mantisbt/tag_detach.php (revision 5131) >+++ trunk/mantisbt/tag_detach.php (revision 5132) 
>@@ -27,6 +27,8 @@ > > require_once( $t_core_path . 'tag_api.php' ); > >+ helper_ensure_post(); >+ > $f_tag_id = gpc_get_int( 'tag_id' ); > $f_bug_id = gpc_get_int( 'bug_id' ); > >Index: trunk/mantisbt/news_add.php >=================================================================== >--- trunk/mantisbt/news_add.php (revision 5131) >+++ trunk/mantisbt/news_add.php (revision 5132) >@@ -20,16 +20,16 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'news_api.php' ); > require_once( $t_core_path.'print_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > access_ensure_project_level( config_get( 'manage_news_threshold' ) ); > > $f_view_state = gpc_get_int( 'view_state' ); >Index: trunk/mantisbt/manage_user_update.php >=================================================================== >--- trunk/mantisbt/manage_user_update.php (revision 5131) >+++ trunk/mantisbt/manage_user_update.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'email_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > access_ensure_global_level( config_get( 'manage_user_threshold' ) ); >Index: trunk/mantisbt/account_prefs_update.php >=================================================================== >--- trunk/mantisbt/account_prefs_update.php (revision 5131) >+++ trunk/mantisbt/account_prefs_update.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by 
>@@ -20,21 +20,19 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # Updates prefs then redirect to account_prefs_page.php3 >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'user_pref_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > auth_ensure_user_authenticated(); >-?> >-<?php >+ > $f_user_id = gpc_get_int( 'user_id' ); > $f_redirect_url = gpc_get_string( 'redirect_url' ); > >Index: trunk/mantisbt/account_update.php >=================================================================== >--- trunk/mantisbt/account_update.php (revision 5131) >+++ trunk/mantisbt/account_update.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by 
>@@ -20,25 +20,23 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # This page updates a user's information > # If an account is protected then changes are forbidden > # The page gets redirected back to account_page.php >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'email_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > auth_ensure_user_authenticated(); > > current_user_ensure_unprotected(); >-?> >-<?php >+ > $f_email = gpc_get_string( 'email', '' ); > $f_realname = gpc_get_string( 'realname', '' ); > $f_password = gpc_get_string( 'password', '' ); >Index: trunk/mantisbt/manage_proj_ver_update.php >=================================================================== >--- trunk/mantisbt/manage_proj_ver_update.php (revision 5131) >+++ trunk/mantisbt/manage_proj_ver_update.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'version_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_version_id = gpc_get_int( 'version_id' ); >Index: trunk/mantisbt/core/helper_api.php >=================================================================== >--- trunk/mantisbt/core/helper_api.php (revision 5131) >+++ trunk/mantisbt/core/helper_api.php (revision 5132) 
>@@ -502,4 +502,16 @@ > > return (int)$t_min; > } >+ >+ # >+ #------------------------------------------------- >+ # check access method is POST, return if true, else call error handler >+ function helper_ensure_post() >+ { >+ if ( isset( $_SERVER['REQUEST_METHOD'] ) && ( strtoupper( $_SERVER['REQUEST_METHOD'] ) != 'POST' ) ) { >+ trigger_error( ERROR_INVALID_REQUEST_METHOD, ERROR ); >+ } >+ >+ } >+ > ?> >Index: trunk/mantisbt/core/constant_inc.php >=================================================================== >--- trunk/mantisbt/core/constant_inc.php (revision 5131) >+++ trunk/mantisbt/core/constant_inc.php (revision 5132) >@@ -194,6 +194,7 @@ > define( 'ERROR_FTP_CONNECT_ERROR', 16 ); > define( 'ERROR_HANDLER_ACCESS_TOO_LOW', 17 ); > define( 'ERROR_PAGE_REDIRECTION', 18 ); >+ define( 'ERROR_INVALID_REQUEST_METHOD', 19 ); > > # ERROR_CONFIG_* > define( 'ERROR_CONFIG_OPT_NOT_FOUND', 100 ); >Index: trunk/mantisbt/manage_config_revert.php >=================================================================== >--- trunk/mantisbt/manage_config_revert.php (revision 5131) >+++ trunk/mantisbt/manage_config_revert.php (revision 5132) >@@ -25,6 +25,8 @@ > > $t_core_path = config_get( 'core_path' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project', 0 ); >Index: trunk/mantisbt/bug_report.php >=================================================================== >--- trunk/mantisbt/bug_report.php (revision 5131) >+++ trunk/mantisbt/bug_report.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by 
>@@ -32,6 +32,8 @@ > require_once( $t_core_path.'bug_api.php' ); > require_once( $t_core_path.'custom_field_api.php' ); > >+ helper_ensure_post(); >+ > access_ensure_project_level( config_get('report_bug_threshold' ) ); > > $t_bug_data = new BugData; >Index: trunk/mantisbt/bug_update.php >=================================================================== >--- trunk/mantisbt/bug_update.php (revision 5131) >+++ trunk/mantisbt/bug_update.php (revision 5132) >@@ -20,11 +20,9 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # Update bug data then redirect to the appropriate viewing page >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); >@@ -32,8 +30,9 @@ > require_once( $t_core_path.'bug_api.php' ); > require_once( $t_core_path.'bugnote_api.php' ); > require_once( $t_core_path.'custom_field_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > $f_bug_id = gpc_get_int( 'bug_id' ); > $f_update_mode = gpc_get_bool( 'update_mode', FALSE ); # set if called from generic update page > $f_new_status = gpc_get_int( 'status', bug_get_field( $f_bug_id, 'status' ) ); >Index: trunk/mantisbt/bug_assign.php >=================================================================== >--- trunk/mantisbt/bug_assign.php (revision 5131) >+++ trunk/mantisbt/bug_assign.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by 
>@@ -20,18 +20,16 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # Assign bug to user then redirect to viewing page >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'bug_api.php' ); >-?> >-<?php >+ helper_ensure_post(); >+ > $f_bug_id = gpc_get_int( 'bug_id' ); > $t_bug = bug_get( $f_bug_id ); > >Index: trunk/mantisbt/bug_actiongroup.php >=================================================================== >--- trunk/mantisbt/bug_actiongroup.php (revision 5131) >+++ trunk/mantisbt/bug_actiongroup.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -20,19 +20,18 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # This page allows actions to be performed an an array of bugs >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'bug_api.php' ); >-?> >-<?php auth_ensure_user_authenticated() ?> >-<?php >+ >+ helper_ensure_post(); >+ >+ auth_ensure_user_authenticated(); > helper_begin_long_process(); > > $f_action = gpc_get_string( 'action' ); >Index: trunk/mantisbt/manage_user_proj_add.php >=================================================================== >--- trunk/mantisbt/manage_user_proj_add.php (revision 5131) >+++ trunk/mantisbt/manage_user_proj_add.php (revision 5132) 
>@@ -23,6 +23,8 @@ > > require_once( 'core.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_user_id = gpc_get_int( 'user_id' ); >Index: trunk/mantisbt/account_prefs_reset.php >=================================================================== >--- trunk/mantisbt/account_prefs_reset.php (revision 5131) >+++ trunk/mantisbt/account_prefs_reset.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -47,6 +47,8 @@ > $f_redirect_url = gpc_get_string( 'redirect_url', 'account_prefs_page.php' ); > > #============ Permissions ============ >+ helper_ensure_post(); >+ > auth_ensure_user_authenticated(); > > user_ensure_unprotected( $f_user_id ); >Index: trunk/mantisbt/tag_delete.php >=================================================================== >--- trunk/mantisbt/tag_delete.php (revision 5131) >+++ trunk/mantisbt/tag_delete.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path . 'tag_api.php' ); > >+ helper_ensure_post(); >+ > access_ensure_global_level( config_get( 'tag_edit_threshold' ) ); > > $f_tag_id = gpc_get_int( 'tag_id' ); >Index: trunk/mantisbt/manage_proj_subproj_add.php >=================================================================== >--- trunk/mantisbt/manage_proj_subproj_add.php (revision 5131) >+++ trunk/mantisbt/manage_proj_subproj_add.php (revision 5132) 
>@@ -25,6 +25,8 @@ > > $t_core_path = config_get( 'core_path' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/bug_set_sponsorship.php >=================================================================== >--- trunk/mantisbt/bug_set_sponsorship.php (revision 5131) >+++ trunk/mantisbt/bug_set_sponsorship.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -20,14 +20,15 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path . 'sponsorship_api.php' ); > >+ helper_ensure_post(); >+ > if ( config_get( 'enable_sponsorship' ) == OFF ) { > trigger_error( ERROR_SPONSORSHIP_NOT_ENABLED, ERROR ); > } >Index: trunk/mantisbt/adm_config_set.php >=================================================================== >--- trunk/mantisbt/adm_config_set.php (revision 5131) >+++ trunk/mantisbt/adm_config_set.php (revision 5132) >@@ -26,6 +26,7 @@ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); >+ helper_ensure_post(); > > $f_user_id = gpc_get_int( 'user_id' ); > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/proj_doc_update.php >=================================================================== >--- trunk/mantisbt/proj_doc_update.php (revision 5131) >+++ trunk/mantisbt/proj_doc_update.php (revision 5132) 
>@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'file_api.php' ); > >+ helper_ensure_post(); >+ > # Check if project documentation feature is enabled. > if ( OFF == config_get( 'enable_project_documentation' ) || > !file_is_uploading_enabled() || >Index: trunk/mantisbt/account_prof_delete.php >=================================================================== >--- trunk/mantisbt/account_prof_delete.php (revision 5131) >+++ trunk/mantisbt/account_prof_delete.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by >@@ -20,24 +20,22 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # The specified profile is deleted and the user is redirected to > # account_prof_menu_page.php3 >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'profile_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > auth_ensure_user_authenticated(); > > current_user_ensure_unprotected(); >-?> >-<?php >+ > $f_profile_id = gpc_get_int( 'profile_id' ); > > if ( profile_is_global( $f_profile_id ) ) { >Index: trunk/mantisbt/manage_proj_create.php >=================================================================== >--- trunk/mantisbt/manage_proj_create.php (revision 5131) >+++ trunk/mantisbt/manage_proj_create.php (revision 5132) 
>@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'project_hierarchy_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > access_ensure_global_level( config_get( 'create_project_threshold' ) ); >Index: trunk/mantisbt/manage_config_work_threshold_set.php >=================================================================== >--- trunk/mantisbt/manage_config_work_threshold_set.php (revision 5131) >+++ trunk/mantisbt/manage_config_work_threshold_set.php (revision 5132) >@@ -26,6 +26,8 @@ > $t_core_path = config_get( 'core_path' ); > require_once( $t_core_path.'email_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $t_redirect_url = 'manage_config_work_threshold_page.php'; >Index: trunk/mantisbt/bugnote_set_view_state.php >=================================================================== >--- trunk/mantisbt/bugnote_set_view_state.php (revision 5131) >+++ trunk/mantisbt/bugnote_set_view_state.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by 
>@@ -20,19 +20,18 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # Set an existing bugnote private or public. >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'bug_api.php' ); > require_once( $t_core_path.'bugnote_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > $f_bugnote_id = gpc_get_int( 'bugnote_id' ); > $f_private = gpc_get_bool( 'private' ); > >Index: trunk/mantisbt/manage_proj_subproj_delete.php >=================================================================== >--- trunk/mantisbt/manage_proj_subproj_delete.php (revision 5131) >+++ trunk/mantisbt/manage_proj_subproj_delete.php (revision 5132) >@@ -25,6 +25,8 @@ > > $t_core_path = config_get( 'core_path' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' ); >Index: trunk/mantisbt/manage_config_columns_reset.php >=================================================================== >--- trunk/mantisbt/manage_config_columns_reset.php (revision 5131) >+++ trunk/mantisbt/manage_config_columns_reset.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by 
>@@ -27,6 +27,8 @@ > > require_once( $t_core_path . 'config_api.php' ); > >+ helper_ensure_post(); >+ > auth_ensure_user_authenticated(); > auth_reauthenticate(); > >Index: trunk/mantisbt/set_project.php >=================================================================== >--- trunk/mantisbt/set_project.php (revision 5131) >+++ trunk/mantisbt/set_project.php (revision 5132) >@@ -20,15 +20,15 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'current_user_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > $f_project_id = gpc_get_string( 'project_id' ); > $f_make_default = gpc_get_bool ( 'make_default' ); > $f_ref = gpc_get_string( 'ref', '' ); >Index: trunk/mantisbt/account_prof_make_default.php >=================================================================== >--- trunk/mantisbt/account_prof_make_default.php (revision 5131) >+++ trunk/mantisbt/account_prof_make_default.php (revision 5132) >@@ -2,7 +2,7 @@ > # Mantis - a php based bugtracking system > > # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org >-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net >+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net > > # Mantis is free software: you can redistribute it and/or modify > # it under the terms of the GNU General Public License as published by 
>@@ -20,24 +20,22 @@ > # -------------------------------------------------------- > # $Id$ > # -------------------------------------------------------- >-?> >-<?php >+ > # Make the specified profile the default > # Redirect to account_prof_menu_page.php >-?> >-<?php >+ > require_once( 'core.php' ); > > $t_core_path = config_get( 'core_path' ); > > require_once( $t_core_path.'current_user_api.php' ); >-?> >-<?php >+ >+ helper_ensure_post(); >+ > auth_ensure_user_authenticated(); > > current_user_ensure_unprotected(); >-?> >-<?php >+ > $f_profile_id = gpc_get_int( 'profile_id' ); > > current_user_set_pref( 'default_profile', $f_profile_id ); >Index: trunk/mantisbt/manage_proj_ver_copy.php >=================================================================== >--- trunk/mantisbt/manage_proj_ver_copy.php (revision 5131) >+++ trunk/mantisbt/manage_proj_ver_copy.php (revision 5132) >@@ -27,6 +27,8 @@ > > require_once( $t_core_path.'version_api.php' ); > >+ helper_ensure_post(); >+ > auth_reauthenticate(); > > $f_project_id = gpc_get_int( 'project_id' );
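Review bot: the new helper_ensure_post() in core/helper_api.php fails open when $_SERVER['REQUEST_METHOD'] is absent, because the condition is `isset( $_SERVER['REQUEST_METHOD'] ) && ( strtoupper( $_SERVER['REQUEST_METHOD'] ) != 'POST' )`; a missing method should be treated as not-POST, i.e. `if ( !isset( $_SERVER['REQUEST_METHOD'] ) || strtoupper( $_SERVER['REQUEST_METHOD'] ) != 'POST' )`. More importantly, requiring POST only removes the GET vector (a link or `<img>` pointing at news_delete.php, bug_delete.php and friends); a hostile page can still auto-submit a hidden form with method="POST" to any of these scripts while the victim holds a valid Mantis session, so this is a partial mitigation for CVE-2008-2276 rather than a CSRF fix. A per-session secret emitted as a hidden field by each form and verified alongside the method check is what actually closes the hole; worth tracking as a follow-up to revision 5132.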
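Review bot: ERROR_INVALID_REQUEST_METHOD is added as error code 19 in core/constant_inc.php, but no hunk in this diff adds the matching entry to the language strings, so the `trigger_error( ERROR_INVALID_REQUEST_METHOD, ERROR );` in helper_ensure_post() will surface without a human-readable message unless that string lands in a separate commit; add the error text in the same change so the rejection is understandable to users hitting it via a stale GET link.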
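Review bot: in bug_delete.php the method check is placed after `$f_bug_id = gpc_get_int( 'bug_id' );`, whereas every other hunk in this patch calls helper_ensure_post() before any request parameter is read; move it above the gpc_get_int() call so a non-POST request is rejected with ERROR_INVALID_REQUEST_METHOD before input parsing, and so the ordering is uniform across the action scripts.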
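Review bot: the second hunk of bug_actiongroup_ext.php mixes whitespace-only re-indentation of the `$f_action`, `$t_action_include_file` and `require_once( dirname( __FILE__ ) ...` lines into the security fix, which buries the single functional change (helper_ensure_post() inserted ahead of auth_ensure_user_authenticated()); the recurring 2007 -> 2008 copyright bumps across the other files have the same effect. Keep the cosmetic churn in a separate commit so the CVE fix stays reviewable and cherry-pickable for the 1.1.x branch. While here: `$f_action` comes straight from gpc_get_string( 'action' ) and is concatenated into the include path `'bug_actiongroup_' . $f_action . '_inc.php'`; that is not touched by this patch, but validating it against the known action names would be a cheap hardening to fold into the next pass.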
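Review bot: bug_assign.php and adm_config_set.php drop helper_ensure_post() directly against the preceding `require_once( $t_core_path.'bug_api.php' );` and `$t_core_path = config_get( 'core_path' );` lines with no blank line, unlike the rest of the patch, which surrounds the call with blank lines; match the surrounding layout in those two files so the check stands out the same way everywhere.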
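Review bot: none of the hunks touch the pages that link to these action scripts, yet helper_ensure_post() now rejects every non-POST request outright; any existing anchor that reaches bug_monitor.php, tag_detach.php, news_delete.php or set_project.php with query-string parameters will start failing with ERROR_INVALID_REQUEST_METHOD after this lands. Before shipping the backport, confirm that each caller submits a POST form, and note the behaviour change in the release notes so downstream packagers can spot broken integrations.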