tags 481504 patch
thanks

Hi,
Attached you'll find a complete patch for the Mantis CSRF issue (CVE-2008-2276). I still need to investigate it a little further and test it. I would also appreciate the maintainer's opinion :)

Cheers,
Steffen
diff -u mantis-1.0.8/debian/patches/00list mantis-1.0.8/debian/patches/00list
--- mantis-1.0.8/debian/patches/00list
+++ mantis-1.0.8/debian/patches/00list
@@ -5,0 +6 @@
+06-CVE-2008-2276
diff -u mantis-1.0.8/debian/changelog mantis-1.0.8/debian/changelog
--- mantis-1.0.8/debian/changelog
+++ mantis-1.0.8/debian/changelog
@@ -1,3 +1,12 @@
+mantis (1.0.8-4.1) unstable; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Fix Cross-site request forgery (CSRF) vulnerability that allowed
+ certain actions via HTTP requests without performing any validity
+ checks (Closes: #481504) Fixes: CVE-2008-2276
+
+ -- Steffen Joeris <[EMAIL PROTECTED]> Sat, 17 May 2008 06:23:03 +0000
+
 mantis (1.0.8-4) unstable; urgency=medium
 
 * Made package work with webservers different than apache2:
only in patch2:
unchanged:
--- mantis-1.0.8.orig/debian/patches/06-CVE-2008-2276.dpatch
+++ mantis-1.0.8/debian/patches/06-CVE-2008-2276.dpatch
@@ -0,0 +1,1512 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 06-CVE-2008-2276.dpatch +## + [EMAIL PROTECTED]@ +--- mantis-1.0.8.orig/manage_user_prune.php ++++ mantis-1.0.8/manage_user_prune.php +@@ -8,9 +8,11 @@ + # -------------------------------------------------------- + # $Id: manage_user_prune.php,v 1.7.18.1 2006/05/05 15:52:23 vboctor Exp $ + # -------------------------------------------------------- +-?> +-<?php require_once( 'core.php' ) ?> +-<?php ++ ++ require_once( 'core.php' ); ++ ++ helper_ensure_post(); ++ + access_ensure_global_level( config_get( 'manage_user_threshold' ) ); + + $t_user_table = config_get( 'mantis_user_table' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/account_update.php ++++ mantis-1.0.8/account_update.php +@@ -8,25 +8,20 @@ + # -------------------------------------------------------- + # $Id: account_update.php,v 1.40 2004/11/30 13:02:57 vboctor Exp $ + # -------------------------------------------------------- +-?> +-<?php + # This page updates a user's information + # If an account is protected then changes are forbidden + # The page gets redirected back to account_page.php +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'email_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + auth_ensure_user_authenticated(); + + current_user_ensure_unprotected(); +-?> +-<?php + $f_email = gpc_get_string( 'email', '' ); + $f_realname = gpc_get_string( 'realname', '' ); + $f_password = gpc_get_string( 'password', '' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_user_proj_delete.php ++++ mantis-1.0.8/manage_user_proj_delete.php +@@ -10,6 +10,8 @@ + # -------------------------------------------------------- + + require_once( 'core.php' ); ++ ++ helper_ensure_post(); + + auth_ensure_user_authenticated(); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_user_add.php ++++ mantis-1.0.8/manage_proj_user_add.php +@@ -8,9 +8,11 
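Review bot: helper_ensure_post() only rejects requests whose method is not POST, so the manage_user_prune.php hunk (and every sibling hunk in this patch that relies on the same call) still lets an attacker's page auto-submit a hidden `<form method="post" action="…/manage_user_prune.php">` from the victim's browser; the changelog's "CSRF vulnerability" is narrowed to link- and image-based forgeries, not closed. A complete fix puts a per-session secret into each state-changing form as a hidden field and has the handler compare it against the session value before acting, which needs a small generate/validate helper in core/ plus one hidden input per form page. It is also not visible in this chunk whether 1.0.8's core/helper_api.php already defines helper_ensure_post(); if it does not, the dpatch has to add it or every patched script dies on an undefined function. Finally, the dpatch header line rendered here as `[EMAIL PROTECTED]@` looks like the list archive's mangling of the `@DPATCH@` marker and should be checked in the real attachment.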
@@ + # -------------------------------------------------------- + # $Id: manage_proj_user_add.php,v 1.4 2004/01/11 07:16:07 vboctor Exp $ + # -------------------------------------------------------- +-?> +-<?php require_once( 'core.php' ) ?> +-<?php ++ ++ require_once( 'core.php' ); ++ ++ helper_ensure_post(); ++ + $f_project_id = gpc_get_int( 'project_id' ); + $f_user_id = gpc_get_int_array( 'user_id', array() ); + $f_access_level = gpc_get_int( 'access_level' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_subproj_delete.php ++++ mantis-1.0.8/manage_proj_subproj_delete.php +@@ -13,6 +13,8 @@ + + $t_core_path = config_get( 'core_path' ); + ++ helper_ensure_post(); ++ + $f_project_id = gpc_get_int( 'project_id' ); + $f_subproject_id = gpc_get_int( 'subproject_id' ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/print_all_bug_options_update.php ++++ mantis-1.0.8/print_all_bug_options_update.php +@@ -8,15 +8,15 @@ + # -------------------------------------------------------- + # $Id: print_all_bug_options_update.php,v 1.16 2005/02/28 00:30:39 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # Updates printing prefs then redirect to print_all_bug_page_page.php +-?> +-<?php require_once( 'core.php' ) ?> +-<?php require( 'print_all_bug_options_inc.php' ) ?> ++ ++ require_once( 'core.php' ); ++ require( 'print_all_bug_options_inc.php' ); ++ ++ helper_ensure_post(); + +-<?php auth_ensure_user_authenticated() ?> +-<?php ++ auth_ensure_user_authenticated(); ++ + $f_user_id = gpc_get_int( 'user_id' ); + $f_redirect_url = gpc_get_string( 'redirect_url' ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bug_set_sponsorship.php ++++ mantis-1.0.8/bug_set_sponsorship.php +@@ -8,14 +8,14 @@ + # -------------------------------------------------------- + # $Id: bug_set_sponsorship.php,v 1.5 2005/07/25 16:34:10 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + 
require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path . 'sponsorship_api.php' ); + ++ helper_ensure_post(); ++ + if ( config_get( 'enable_sponsorship' ) == OFF ) { + trigger_error( ERROR_SPONSORSHIP_NOT_ENABLED, ERROR ); + } +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_update.php ++++ mantis-1.0.8/manage_proj_update.php +@@ -8,9 +8,11 @@ + # -------------------------------------------------------- + # $Id: manage_proj_update.php,v 1.26 2004/01/11 07:16:07 vboctor Exp $ + # -------------------------------------------------------- +-?> +-<?php require_once( 'core.php' ) ?> +-<?php ++ ++ require_once( 'core.php' ); ++ ++ helper_ensure_post(); ++ + $f_project_id = gpc_get_int( 'project_id' ); + $f_name = gpc_get_string( 'name' ); + $f_description = gpc_get_string( 'description' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_custom_field_delete.php ++++ mantis-1.0.8/manage_custom_field_delete.php +@@ -15,6 +15,8 @@ + + require_once( $t_core_path.'custom_field_api.php' ); + ++ helper_ensure_post(); ++ + access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) ); + + $f_field_id = gpc_get_int( 'field_id' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_user_remove.php ++++ mantis-1.0.8/manage_proj_user_remove.php +@@ -10,6 +10,8 @@ + # -------------------------------------------------------- + + require_once( 'core.php' ); ++ ++ helper_ensure_post(); + + $f_project_id = gpc_get_int( 'project_id' ); + $f_user_id = gpc_get_int( 'user_id', 0 ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bug_file_delete.php ++++ mantis-1.0.8/bug_file_delete.php +@@ -17,6 +17,8 @@ + + require_once( $t_core_path.'file_api.php' ); + ++ helper_ensure_post(); ++ + $f_file_id = gpc_get_int( 'file_id' ); + + $t_bug_id = file_get_field( $f_file_id, 'bug_id' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_user_proj_add.php ++++ 
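Review bot: bug_file_delete.php will now refuse the request that, as far as I recall of 1.0.x, the attachment list on the bug view page issues: a plain `[Delete]` anchor to `bug_file_delete.php?file_id=…`, i.e. a GET, and nothing in this chunk changes the code that emits that link. Unless the emitter is converted to a one-button POST form (or routed through a confirmation page that posts), attachment deletion breaks for legitimate users while the handler is being hardened. The same check is worth doing for every script in this patch before upload: grep the page and API files for `href="<script>.php?` and convert each hit.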
mantis-1.0.8/manage_user_proj_add.php +@@ -8,10 +8,12 @@ + # -------------------------------------------------------- + # $Id: manage_user_proj_add.php,v 1.21 2004/01/11 07:16:07 vboctor Exp $ + # -------------------------------------------------------- +-?> +-<?php require_once( 'core.php' ) ?> +-<?php auth_ensure_user_authenticated() ?> +-<?php ++ ++ require_once( 'core.php' ); ++ ++ helper_ensure_post(); ++ ++ auth_ensure_user_authenticated(); + $f_user_id = gpc_get_int( 'user_id' ); + $f_access_level = gpc_get_int( 'access_level' ); + $f_project_id = gpc_get_int_array( 'project_id', array() ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bugnote_set_view_state.php ++++ mantis-1.0.8/bugnote_set_view_state.php +@@ -8,19 +8,16 @@ + # -------------------------------------------------------- + # $Id: bugnote_set_view_state.php,v 1.27 2005/07/25 16:34:10 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # Set an existing bugnote private or public. 
+-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'bug_api.php' ); + require_once( $t_core_path.'bugnote_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_bugnote_id = gpc_get_int( 'bugnote_id' ); + $f_private = gpc_get_bool( 'private' ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_cat_copy.php ++++ mantis-1.0.8/manage_proj_cat_copy.php +@@ -8,15 +8,14 @@ + # -------------------------------------------------------- + # $Id: manage_proj_cat_copy.php,v 1.21 2005/02/27 15:33:01 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'category_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_project_id = gpc_get_int( 'project_id' ); + $f_other_project_id = gpc_get_int( 'other_project_id' ); + $f_copy_from = gpc_get_bool( 'copy_from' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bug_actiongroup.php ++++ mantis-1.0.8/bug_actiongroup.php +@@ -8,19 +8,17 @@ + # -------------------------------------------------------- + # $Id: bug_actiongroup.php,v 1.47 2005/06/16 02:26:48 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # This page allows actions to be performed an an array of bugs +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'bug_api.php' ); +-?> +-<?php auth_ensure_user_authenticated() ?> +-<?php ++ ++ helper_ensure_post(); ++ ++ auth_ensure_user_authenticated(); ++ + helper_begin_long_process(); + + $f_action = gpc_get_string( 'action' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_config_revert.php ++++ mantis-1.0.8/manage_config_revert.php +@@ -10,6 +10,8 @@ + # -------------------------------------------------------- + + require_once( 'core.php' ); ++ ++ helper_ensure_post(); + + 
$t_core_path = config_get( 'core_path' ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/signup.php ++++ mantis-1.0.8/signup.php +@@ -14,6 +14,8 @@ + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'email_api.php' ); ++ ++ helper_ensure_post(); + + $f_username = strip_tags( gpc_get_string( 'username' ) ); + $f_email = strip_tags( gpc_get_string( 'email' ) ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bug_relationship_add.php ++++ mantis-1.0.8/bug_relationship_add.php +@@ -16,6 +16,8 @@ + require_once( 'core.php' ); + $t_core_path = config_get( 'core_path' ); + require_once( $t_core_path . 'relationship_api.php' ); ++ ++ helper_ensure_post(); + + $f_rel_type = gpc_get_int( 'rel_type' ); + $f_src_bug_id = gpc_get_int( 'src_bug_id' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_ver_add.php ++++ mantis-1.0.8/manage_proj_ver_add.php +@@ -8,15 +8,14 @@ + # -------------------------------------------------------- + # $Id: manage_proj_ver_add.php,v 1.30 2005/02/12 20:01:06 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'version_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_project_id = gpc_get_int( 'project_id' ); + $f_version = gpc_get_string( 'version' ); + $f_add_and_edit = gpc_get_bool( 'add_and_edit_version' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_user_update.php ++++ mantis-1.0.8/manage_user_update.php +@@ -8,15 +8,14 @@ + # -------------------------------------------------------- + # $Id: manage_user_update.php,v 1.37.12.1 2007/03/06 07:00:33 vboctor Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'email_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + access_ensure_global_level( 
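Review bot: signup.php (and lost_pwd.php further down the patch) are pre-authentication handlers, so the POST requirement added here buys little: a forged request that is not riding an authenticated session is just an ordinary anonymous request, and a scripted client sends POST as easily as GET. If the patch grows a session-bound token as the real CSRF defence, these two pages will need the token kept in the anonymous session (or a signed form value) because there is no logged-in user to bind it to; whether 1.0.8 starts a session before login is something to confirm in core/session_api.php.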
config_get( 'manage_user_threshold' ) ); + + $f_protected = gpc_get_bool( 'protected' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/account_prof_make_default.php ++++ mantis-1.0.8/account_prof_make_default.php +@@ -8,24 +8,19 @@ + # -------------------------------------------------------- + # $Id: account_prof_make_default.php,v 1.26 2005/02/12 20:01:03 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php + # Make the specified profile the default + # Redirect to account_prof_menu_page.php +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'current_user_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + auth_ensure_user_authenticated(); + + current_user_ensure_unprotected(); +-?> +-<?php + $f_profile_id = gpc_get_int( 'profile_id' ); + + current_user_set_pref( 'default_profile', $f_profile_id ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/set_project.php ++++ mantis-1.0.8/set_project.php +@@ -8,15 +8,14 @@ + # -------------------------------------------------------- + # $Id: set_project.php,v 1.54.10.1 2005/12/05 12:14:47 vboctor Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'current_user_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_project_id = gpc_get_string( 'project_id' ); + $f_make_default = gpc_get_bool ( 'make_default' ); + $f_ref = gpc_get_string( 'ref', '' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/news_add.php ++++ mantis-1.0.8/news_add.php +@@ -8,16 +8,15 @@ + # -------------------------------------------------------- + # $Id: news_add.php,v 1.32 2005/03/21 12:09:37 vboctor Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( 
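Review bot: set_project.php is the handler behind the project selector but, given the `ref` parameter in the context lines, it also looks like it is used as a GET trampoline (`set_project.php?project_id=…&ref=…`) from other pages; if any such link exists in 1.0.8 it will now be rejected, so this one needs exercising in the UI rather than just reading. Not introduced by this hunk but visible in it: `$f_ref` comes straight from the request and presumably becomes the redirect target, so while touching the file it is worth confirming it is constrained to a local path.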
$t_core_path.'news_api.php' ); + require_once( $t_core_path.'print_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + access_ensure_project_level( config_get( 'manage_news_threshold' ) ); + + $f_view_state = gpc_get_int( 'view_state' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_user_copy.php ++++ mantis-1.0.8/manage_proj_user_copy.php +@@ -8,9 +8,10 @@ + # -------------------------------------------------------- + # $Id: manage_proj_user_copy.php,v 1.5 2005/02/27 15:33:01 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php require_once( 'core.php' ) ?> +-<?php ++ require_once( 'core.php' ); ++ ++ helper_ensure_post(); ++ + $f_project_id = gpc_get_int( 'project_id' ); + $f_other_project_id = gpc_get_int( 'other_project_id' ); + $f_copy_from = gpc_get_bool( 'copy_from' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bugnote_add.php ++++ mantis-1.0.8/bugnote_add.php +@@ -8,19 +8,16 @@ + # -------------------------------------------------------- + # $Id: bugnote_add.php,v 1.46 2005/07/25 16:34:10 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # Insert the bugnote into the database then redirect to the bug page +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'bug_api.php' ); + require_once( $t_core_path.'bugnote_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_bug_id = gpc_get_int( 'bug_id' ); + $f_private = gpc_get_bool( 'private' ); + $f_bugnote_text = gpc_get_string( 'bugnote_text', '' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bug_delete.php ++++ mantis-1.0.8/bug_delete.php +@@ -8,19 +8,15 @@ + # -------------------------------------------------------- + # $Id: bug_delete.php,v 1.40 2005/07/25 16:34:10 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # Deletes the bug and re-directs to view_all_bug_page.php +-?> 
+-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'bug_api.php' ); +-?> +-<?php + $f_bug_id = gpc_get_int( 'bug_id' ); ++ ++ helper_ensure_post(); + + access_ensure_bug_level( config_get( 'delete_bug_threshold' ), $f_bug_id ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bug_reminder.php ++++ mantis-1.0.8/bug_reminder.php +@@ -8,11 +8,7 @@ + # -------------------------------------------------------- + # $Id: bug_reminder.php,v 1.19.10.1 2006/03/16 19:41:05 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # This page allows an authorized user to send a reminder by email to another user +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); +@@ -20,8 +16,9 @@ + require_once( $t_core_path.'bug_api.php' ); + require_once( $t_core_path.'email_api.php' ); + require_once( $t_core_path.'bugnote_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_bug_id = gpc_get_int( 'bug_id' ); + $f_to = gpc_get_int_array( 'to' ); + $f_body = gpc_get_string( 'body' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/query_store.php ++++ mantis-1.0.8/query_store.php +@@ -4,8 +4,6 @@ + # Copyright (C) 2002 - 2003 Mantis Team - [EMAIL PROTECTED] + # This program is distributed under the terms and conditions of the GPL + # See the README and LICENSE files for details +-?> +-<?php + require_once( 'core.php' ); + $t_core_path = config_get( 'core_path' ); + +@@ -16,6 +14,8 @@ + require_once( $t_core_path.'string_api.php' ); + require_once( $t_core_path.'date_api.php' ); + ++ helper_ensure_post(); ++ + auth_ensure_user_authenticated(); + compress_enable(); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/news_update.php ++++ mantis-1.0.8/news_update.php +@@ -8,8 +8,6 @@ + # -------------------------------------------------------- + # $Id: news_update.php,v 1.32 2005/03/21 12:09:37 vboctor Exp $ + # 
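Review bot: In bug_delete.php the new `helper_ensure_post();` is placed after `$f_bug_id = gpc_get_int( 'bug_id' );`, whereas every other script in the patch performs the method check before reading any parameter; a GET without bug_id trips the missing-parameter error instead of the method check, and the order invites the same slip when the next parameter read is added. Move the call up so the lines read `require_once( $t_core_path.'bug_api.php' );`, `helper_ensure_post();`, `$f_bug_id = gpc_get_int( 'bug_id' );`.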
-------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); +@@ -17,8 +15,9 @@ + require_once( $t_core_path.'news_api.php' ); + require_once( $t_core_path.'string_api.php' ); + require_once( $t_core_path.'print_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_news_id = gpc_get_int( 'news_id' ); + $f_project_id = gpc_get_int( 'project_id' ); + $f_view_state = gpc_get_int( 'view_state' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bug_relationship_delete.php ++++ mantis-1.0.8/bug_relationship_delete.php +@@ -24,6 +24,8 @@ + $t_core_path = config_get( 'core_path' ); + require_once( $t_core_path . 'relationship_api.php' ); + ++ helper_ensure_post(); ++ + $f_rel_id = gpc_get_int( 'rel_id' ); + $f_bug_id = gpc_get_int( 'bug_id' ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bug_monitor.php ++++ mantis-1.0.8/bug_monitor.php +@@ -8,18 +8,15 @@ + # -------------------------------------------------------- + # $Id: bug_monitor.php,v 1.28 2005/06/14 22:00:32 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # This file turns monitoring on or off for a bug for the current user +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'bug_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_bug_id = gpc_get_int( 'bug_id' ); + $t_bug = bug_get( $f_bug_id, true ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/account_prof_add.php ++++ mantis-1.0.8/account_prof_add.php +@@ -8,23 +8,18 @@ + # -------------------------------------------------------- + # $Id: account_prof_add.php,v 1.27 2005/02/25 00:23:48 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php + # This file adds a new profile and redirects to account_proj_menu_page.php +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' 
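Review bot: bug_relationship_delete.php is, in 1.0.x as I recall it, reached from the relationship table on the bug view page through a `[Delete]` anchor carrying `bug_id` and `rel_id` in the query string, so this hunk will reject that click until the link is turned into a small POST form; no change to relationship_api.php or the view-bug template is visible in this chunk. This is exactly the regression the "test it" in the cover mail should cover: every handler touched here needs one click-through from the UI as a normal user before upload.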
); + + require_once( $t_core_path.'profile_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + auth_ensure_user_authenticated(); + + current_user_ensure_unprotected(); +-?> +-<?php + $f_platform = gpc_get_string( 'platform' ); + $f_os = gpc_get_string( 'os' ); + $f_os_build = gpc_get_string( 'os_build' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bug_update.php ++++ mantis-1.0.8/bug_update.php +@@ -8,11 +8,7 @@ + # -------------------------------------------------------- + # $Id: bug_update.php,v 1.88.4.1 2005/12/13 00:58:52 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # Update bug data then redirect to the appropriate viewing page +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); +@@ -20,8 +16,9 @@ + require_once( $t_core_path.'bug_api.php' ); + require_once( $t_core_path.'bugnote_api.php' ); + require_once( $t_core_path.'custom_field_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_bug_id = gpc_get_int( 'bug_id' ); + $f_update_mode = gpc_get_bool( 'update_mode', FALSE ); # set if called from generic update page + $f_new_status = gpc_get_int( 'status', bug_get_field( $f_bug_id, 'status' ) ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bug_assign_reporter.php ++++ mantis-1.0.8/bug_assign_reporter.php +@@ -8,18 +8,15 @@ + # -------------------------------------------------------- + # $Id: bug_assign_reporter.php,v 1.4 2005/07/25 16:34:10 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # Assign bug to user then redirect to viewing page +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'bug_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_bug_id = gpc_get_int( 'bug_id' ); + + access_ensure_bug_level( config_get( 'update_bug_threshold' ), $f_bug_id ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/query_delete.php ++++ 
mantis-1.0.8/query_delete.php +@@ -16,6 +16,8 @@ + require_once( $t_core_path.'string_api.php' ); + require_once( $t_core_path.'date_api.php' ); + ++ helper_ensure_post(); ++ + auth_ensure_user_authenticated(); + compress_enable(); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_custom_field_update.php ++++ mantis-1.0.8/manage_custom_field_update.php +@@ -8,15 +8,14 @@ + # -------------------------------------------------------- + # $Id: manage_custom_field_update.php,v 1.17 2004/08/03 23:43:49 prichards Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'custom_field_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) ); + + $f_field_id = gpc_get_int( 'field_id' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_custom_field_remove.php ++++ mantis-1.0.8/manage_proj_custom_field_remove.php +@@ -14,6 +14,8 @@ + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'custom_field_api.php' ); ++ ++ helper_ensure_post(); + + $f_field_id = gpc_get_int( 'field_id' ); + $f_project_id = gpc_get_int( 'project_id' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/news_delete.php ++++ mantis-1.0.8/news_delete.php +@@ -8,15 +8,14 @@ + # -------------------------------------------------------- + # $Id: news_delete.php,v 1.23 2005/05/16 19:20:32 marcelloscata Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'news_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_news_id = gpc_get_int( 'news_id' ); + + $row = news_get_row( $f_news_id ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/account_prefs_reset.php ++++ mantis-1.0.8/account_prefs_reset.php +@@ -35,6 +35,8 
@@ + $f_redirect_url = gpc_get_string( 'redirect_url', 'account_prefs_page.php' ); + + #============ Permissions ============ ++ helper_ensure_post(); ++ + auth_ensure_user_authenticated(); + + user_ensure_unprotected( $f_user_id ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_ver_delete.php ++++ mantis-1.0.8/manage_proj_ver_delete.php +@@ -14,6 +14,8 @@ + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'version_api.php' ); ++ ++ helper_ensure_post(); + + $f_version_id = gpc_get_int( 'version_id' ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_user_create.php ++++ mantis-1.0.8/manage_user_create.php +@@ -15,6 +15,8 @@ + + require_once( $t_core_path.'email_api.php' ); + ++ helper_ensure_post(); ++ + access_ensure_global_level( config_get( 'manage_user_threshold' ) ); + + $f_username = gpc_get_string( 'username' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/proj_doc_delete.php ++++ mantis-1.0.8/proj_doc_delete.php +@@ -10,6 +10,8 @@ + # -------------------------------------------------------- + + require_once( 'core.php' ); ++ ++ helper_ensure_post(); + + # Check if project documentation feature is enabled. 
+ if ( OFF == config_get( 'enable_project_documentation' ) ) { +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_config_work_threshold_set.php ++++ mantis-1.0.8/manage_config_work_threshold_set.php +@@ -14,6 +14,8 @@ + $t_core_path = config_get( 'core_path' ); + require_once( $t_core_path.'email_api.php' ); + ++ helper_ensure_post(); ++ + $t_redirect_url = 'manage_config_work_threshold_page.php'; + $t_project = helper_get_current_project(); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/account_prof_delete.php ++++ mantis-1.0.8/account_prof_delete.php +@@ -8,24 +8,19 @@ + # -------------------------------------------------------- + # $Id: account_prof_delete.php,v 1.27 2005/02/25 00:18:38 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php + # The specified profile is deleted and the user is redirected to + # account_prof_menu_page.php3 +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'profile_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + auth_ensure_user_authenticated(); + + current_user_ensure_unprotected(); +-?> +-<?php + $f_profile_id = gpc_get_int( 'profile_id' ); + + if ( profile_is_global( $f_profile_id ) ) { +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_create.php ++++ mantis-1.0.8/manage_proj_create.php +@@ -8,15 +8,14 @@ + # -------------------------------------------------------- + # $Id: manage_proj_create.php,v 1.7.14.1.2.1 2006/02/03 03:56:34 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'project_hierarchy_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + access_ensure_global_level( config_get( 'create_project_threshold' ) ); + + $f_name = gpc_get_string( 'name' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_config_email_set.php 
++++ mantis-1.0.8/manage_config_email_set.php +@@ -14,6 +14,8 @@ + $t_core_path = config_get( 'core_path' ); + require_once( $t_core_path.'email_api.php' ); + ++ helper_ensure_post(); ++ + $t_can_change_level = min( config_get_access( 'notify_flags' ), config_get_access( 'default_notify_flags' ) ); + access_ensure_project_level( $t_can_change_level ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/account_prof_update.php ++++ mantis-1.0.8/account_prof_update.php +@@ -8,24 +8,19 @@ + # -------------------------------------------------------- + # $Id: account_prof_update.php,v 1.28 2005/02/25 00:18:39 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php + # This page updates the users profile information then redirects to + # account_prof_menu_page.php +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'profile_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + auth_ensure_user_authenticated(); + + current_user_ensure_unprotected(); +-?> +-<?php + $f_profile_id = gpc_get_int( 'profile_id' ); + $f_platform = gpc_get_string( 'platform' ); + $f_os = gpc_get_string( 'os' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_cat_update.php ++++ mantis-1.0.8/manage_proj_cat_update.php +@@ -8,15 +8,14 @@ + # -------------------------------------------------------- + # $Id: manage_proj_cat_update.php,v 1.32 2005/02/12 20:01:06 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'category_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_project_id = gpc_get_int( 'project_id' ); + $f_category = gpc_get_string( 'category' ); + $f_new_category = gpc_get_string( 'new_category' ); +@@ -40,8 +39,7 @@ + } + + $t_redirect_url = 'manage_proj_edit_page.php?project_id=' . 
$f_project_id; +-?> +-<?php ++ + html_page_top1(); + + html_meta_redirect( $t_redirect_url ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_config_workflow_set.php ++++ mantis-1.0.8/manage_config_workflow_set.php +@@ -14,6 +14,8 @@ + $t_core_path = config_get( 'core_path' ); + require_once( $t_core_path.'email_api.php' ); + ++ helper_ensure_post(); ++ + $t_can_change_level = min( config_get_access( 'notify_flags' ), config_get_access( 'default_notify_flags' ) ); + access_ensure_project_level( $t_can_change_level ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_user_delete.php ++++ mantis-1.0.8/manage_user_delete.php +@@ -11,6 +11,8 @@ + + require_once( 'core.php' ); + ++ helper_ensure_post(); ++ + access_ensure_global_level( config_get( 'manage_user_threshold' ) ); + + $f_user_id = gpc_get_int( 'user_id' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/account_prefs_update.php ++++ mantis-1.0.8/account_prefs_update.php +@@ -8,21 +8,16 @@ + # -------------------------------------------------------- + # $Id: account_prefs_update.php,v 1.36 2005/07/05 18:50:49 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # Updates prefs then redirect to account_prefs_page.php3 +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'user_pref_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + auth_ensure_user_authenticated(); +-?> +-<?php + $f_user_id = gpc_get_int( 'user_id' ); + $f_redirect_url = gpc_get_string( 'redirect_url' ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bugnote_delete.php ++++ mantis-1.0.8/bugnote_delete.php +@@ -8,12 +8,8 @@ + # -------------------------------------------------------- + # $Id: bugnote_delete.php,v 1.39 2005/07/25 16:34:10 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # Remove the bugnote and bugnote text and redirect back to + # the viewing 
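Review bot: The second manage_proj_cat_update.php hunk removes only a `?>`/`<?php` pair before `html_page_top1();` and contains no security-relevant change; the same tag cleanup is folded into most hunks of this dpatch. For a security NMU that the maintainer and the stable security team have to audit line by line, restricting the dpatch to the `helper_ensure_post();` insertions (plus whatever template changes the link-to-form conversion needs) would roughly halve it and make it obvious that nothing else changed; the cleanup belongs in a separate, non-security patch.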
page +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); +@@ -21,8 +17,9 @@ + require_once( $t_core_path.'bug_api.php' ); + require_once( $t_core_path.'bugnote_api.php' ); + require_once( $t_core_path.'current_user_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_bugnote_id = gpc_get_int( 'bugnote_id' ); + + $t_bug_id = bugnote_get_field( $f_bugnote_id, 'bug_id' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/proj_doc_update.php ++++ mantis-1.0.8/proj_doc_update.php +@@ -15,6 +15,8 @@ + + require_once( $t_core_path.'file_api.php' ); + ++ helper_ensure_post(); ++ + # Check if project documentation feature is enabled. + if ( OFF == config_get( 'enable_project_documentation' ) || + !file_is_uploading_enabled() || +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_subproj_add.php ++++ mantis-1.0.8/manage_proj_subproj_add.php +@@ -12,6 +12,8 @@ + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); ++ ++ helper_ensure_post(); + + $f_project_id = gpc_get_int( 'project_id' ); + $f_subproject_id = gpc_get_int( 'subproject_id' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bug_file_add.php ++++ mantis-1.0.8/bug_file_add.php +@@ -8,18 +8,15 @@ + # -------------------------------------------------------- + # $Id: bug_file_add.php,v 1.48 2005/07/25 16:34:10 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # Add file to a bug and then view the bug +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'file_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_bug_id = gpc_get_int( 'bug_id' ); + $f_file = gpc_get_file( 'file' ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_user_reset.php ++++ mantis-1.0.8/manage_user_reset.php +@@ -10,6 +10,8 @@ + # -------------------------------------------------------- + + require_once( 'core.php' ); ++ ++ 
helper_ensure_post(); + + access_ensure_global_level( config_get( 'manage_user_threshold' ) ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_cat_delete.php ++++ mantis-1.0.8/manage_proj_cat_delete.php +@@ -14,6 +14,8 @@ + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'category_api.php' ); ++ ++ helper_ensure_post(); + + $f_project_id = gpc_get_int( 'project_id' ); + $f_category = gpc_get_string( 'category' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/lost_pwd.php ++++ mantis-1.0.8/lost_pwd.php +@@ -14,6 +14,8 @@ + # ====================================================================== + + require_once( 'core.php' ); ++ ++ helper_ensure_post(); + + # lost password feature disabled or reset password via email disabled -> stop here! + if( OFF == config_get( 'lost_password_feature' ) || +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_custom_field_add_existing.php ++++ mantis-1.0.8/manage_proj_custom_field_add_existing.php +@@ -8,15 +8,14 @@ + # -------------------------------------------------------- + # $Id: manage_proj_custom_field_add_existing.php,v 1.16 2005/02/12 20:01:06 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'custom_field_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_field_id = gpc_get_int( 'field_id' ); + $f_project_id = gpc_get_int( 'project_id' ); + +@@ -29,12 +28,12 @@ + custom_field_link( $f_field_id, $f_project_id ); + + $t_redirect_url = 'manage_proj_edit_page.php?project_id=' . 
$f_project_id; +-?> +-<?php html_page_top1() ?> +-<?php +- html_meta_redirect( $t_redirect_url ); +-?> +-<?php html_page_top2() ?> ++ ++ ++ html_page_top1(); ++ html_meta_redirect( $t_redirect_url ); ++ html_page_top2() ?> ++ + + <br /> + <div align="center"> +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_delete.php ++++ mantis-1.0.8/manage_proj_delete.php +@@ -11,6 +11,8 @@ + + require_once( 'core.php' ); + ++ helper_ensure_post(); ++ + $f_project_id = gpc_get_int( 'project_id' ); + + access_ensure_project_level( config_get( 'delete_project_threshold' ), $f_project_id ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/proj_doc_add.php ++++ mantis-1.0.8/proj_doc_add.php +@@ -15,6 +15,8 @@ + + require_once( $t_core_path.'file_api.php' ); + ++ helper_ensure_post(); ++ + # Check if project documentation feature is enabled. + if ( OFF == config_get( 'enable_project_documentation' ) ) { + access_denied(); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_cat_add.php ++++ mantis-1.0.8/manage_proj_cat_add.php +@@ -8,15 +8,14 @@ + # -------------------------------------------------------- + # $Id: manage_proj_cat_add.php,v 1.31 2005/02/12 20:01:05 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'category_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_project_id = gpc_get_int( 'project_id' ); + $f_category = gpc_get_string( 'category' ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/print_all_bug_options_reset.php ++++ mantis-1.0.8/print_all_bug_options_reset.php +@@ -17,6 +17,8 @@ + + require_once( $t_core_path.'current_user_api.php' ); + require( 'print_all_bug_options_inc.php' ); ++ ++ helper_ensure_post(); + + auth_ensure_user_authenticated(); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bugnote_update.php ++++ mantis-1.0.8/bugnote_update.php +@@ -8,11 +8,7 @@ 
+ # -------------------------------------------------------- + # $Id: bugnote_update.php,v 1.43 2005/02/12 20:01:05 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php + # Update bugnote data then redirect to the appropriate viewing page +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); +@@ -20,8 +16,9 @@ + require_once( $t_core_path.'bug_api.php' ); + require_once( $t_core_path.'bugnote_api.php' ); + require_once( $t_core_path.'current_user_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_bugnote_id = gpc_get_int( 'bugnote_id' ); + $f_bugnote_text = gpc_get_string( 'bugnote_text', '' ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_custom_field_update.php ++++ mantis-1.0.8/manage_proj_custom_field_update.php +@@ -8,15 +8,12 @@ + # -------------------------------------------------------- + # $Id: manage_proj_custom_field_update.php,v 1.10 2005/02/12 20:01:06 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'custom_field_api.php' ); +-?> +-<?php ++ helper_ensure_post(); + $f_field_id = gpc_get_int( 'field_id' ); + $f_project_id = gpc_get_int( 'project_id' ); + $f_sequence = gpc_get_int( 'sequence' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/account_delete.php ++++ mantis-1.0.8/account_delete.php +@@ -31,6 +31,8 @@ + # (none) + + #============ Permissions ============ ++ helper_ensure_post(); ++ + auth_ensure_user_authenticated(); + + current_user_ensure_unprotected(); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bug_assign.php ++++ mantis-1.0.8/bug_assign.php +@@ -8,18 +8,15 @@ + # -------------------------------------------------------- + # $Id: bug_assign.php,v 1.42 2005/06/14 22:00:32 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # Assign bug to user 
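Review bot: In the manage_proj_custom_field_update.php hunk the new `helper_ensure_post();` is wedged directly between the `require_once( $t_core_path.'custom_field_api.php' );` line and `$f_field_id = gpc_get_int( 'field_id' );`, with no blank line on either side, whereas every other call site in this dpatch separates the call with a blank line before and after. Match that layout so the request-method check stands out as a distinct step rather than reading as part of the include list.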
then redirect to viewing page +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'bug_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_bug_id = gpc_get_int( 'bug_id' ); + $t_bug = bug_get( $f_bug_id ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_custom_field_create.php ++++ mantis-1.0.8/manage_custom_field_create.php +@@ -8,15 +8,14 @@ + # -------------------------------------------------------- + # $Id: manage_custom_field_create.php,v 1.15 2005/02/12 20:01:05 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'custom_field_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) ); + + $f_name = gpc_get_string( 'name' ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/account_sponsor_update.php ++++ mantis-1.0.8/account_sponsor_update.php +@@ -8,23 +8,18 @@ + # -------------------------------------------------------- + # $Id: account_sponsor_update.php,v 1.2 2005/07/23 15:09:51 thraxisp Exp $ + # -------------------------------------------------------- +-?> +-<?php + # This page updates a user's information + # If an account is protected then changes are forbidden + # The page gets redirected back to account_page.php +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'email_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + auth_ensure_user_authenticated(); +-?> +-<?php + $f_bug_list = gpc_get_string( 'buglist', '' ); + $t_bug_list = explode( ',', $f_bug_list ); + +only in patch2: +unchanged: +--- mantis-1.0.8.orig/bug_report.php ++++ mantis-1.0.8/bug_report.php +@@ -20,6 +20,8 @@ + require_once( $t_core_path.'bug_api.php' ); + require_once( 
$t_core_path.'custom_field_api.php' ); + ++ helper_ensure_post(); ++ + access_ensure_project_level( config_get('report_bug_threshold' ) ); + + $t_bug_data = new BugData; +only in patch2: +unchanged: +--- mantis-1.0.8.orig/manage_proj_ver_update.php ++++ mantis-1.0.8/manage_proj_ver_update.php +@@ -8,15 +8,14 @@ + # -------------------------------------------------------- + # $Id: manage_proj_ver_update.php,v 1.30 2005/02/12 20:01:06 jlatour Exp $ + # -------------------------------------------------------- +-?> +-<?php + require_once( 'core.php' ); + + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'version_api.php' ); +-?> +-<?php ++ ++ helper_ensure_post(); ++ + $f_version_id = gpc_get_int( 'version_id' ); + + $t_version = version_get( $f_version_id ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/core/constant_inc.php ++++ mantis-1.0.8/core/constant_inc.php +@@ -170,6 +170,7 @@ + define( 'ERROR_FTP_CONNECT_ERROR', 16 ); + define( 'ERROR_HANDLER_ACCESS_TOO_LOW', 17 ); + define( 'ERROR_PAGE_REDIRECTION', 18 ); ++ define( 'ERROR_INVALID_REQUEST_METHOD', 19 ); + + # ERROR_CONFIG_* + define( 'ERROR_CONFIG_OPT_NOT_FOUND', 100 ); +only in patch2: +unchanged: +--- mantis-1.0.8.orig/core/helper_api.php ++++ mantis-1.0.8/core/helper_api.php +@@ -315,4 +315,16 @@ + + return $t_project_filter; + } ++ ++ # ++ #------------------------------------------------- ++ # check access method is POST, return if true, else call error handler ++ function helper_ensure_post() ++ { ++ if ( isset( $_SERVER['REQUEST_METHOD'] ) && ( strtoupper( $_SERVER['REQUEST_METHOD'] ) != 'POST' ) ) { ++ trigger_error( ERROR_INVALID_REQUEST_METHOD, ERROR ); ++ } ++ ++ } ++ + ?> +only in patch2: +unchanged: +--- mantis-1.0.8.orig/lang/strings_english.txt ++++ mantis-1.0.8/lang/strings_english.txt +@@ -263,6 +263,7 @@ + $MANTIS_ERROR[ERROR_PROJECT_RECURSIVE_HIERARCHY] = 'That operation would create a loop in the subproject hierarchy.'; + 
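Review bot: helper_ensure_post() fails open when `$_SERVER['REQUEST_METHOD']` is unset, because the `isset` guard makes the whole condition false and the calling page carries on; invert the guard so an unknown method is rejected as well, `if ( !isset( $_SERVER['REQUEST_METHOD'] ) || ( strtoupper( $_SERVER['REQUEST_METHOD'] ) != 'POST' ) ) {`. The function also relies on the `ERROR` severity handler terminating the request after `trigger_error()`, which this hunk does not show; if that handler can return, execution continues into the action the check was meant to gate. Restricting these pages to POST only defeats link- and image-based requests, and the comment above the function should say so explicitly, e.g. `# partial CSRF mitigation: rejects non-POST requests only; a per-session token checked on each form submission is still required`, since the same limitation applies to every page that calls it in this dpatch.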
$MANTIS_ERROR[ERROR_USER_CHANGE_LAST_ADMIN] = 'You cannot change the access level of the only ADMINISTRATOR in the system.'; + $MANTIS_ERROR[ERROR_PAGE_REDIRECTION] = 'Page redirection error, ensure that there are no spaces outside the PHP block (<?php ?>) in config_inc.php or custom_*.php files.'; ++$MANTIS_ERROR[ERROR_INVALID_REQUEST_METHOD] = 'This page cannot be accessed using this method.'; + + $s_login_error = 'Your account may be disabled or blocked or the username/password you entered is incorrect.'; + $s_login_cookies_disabled = 'Your browser either doesn\'t know how to handle cookies, or refuses to handle them.';