From 6dc17855d2c302f0ac7570d259913f044e044708 Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Fri, 20 Jul 2012 15:28:01 -0400
Subject: [PATCH] Add CSRF protection to upgrader

---
 include/upgrader/prereq.inc.php  | 1 +
 include/upgrader/rename.inc.php  | 1 +
 include/upgrader/upgrade.inc.php | 1 +
 3 files changed, 3 insertions(+)

diff --git a/include/upgrader/prereq.inc.php b/include/upgrader/prereq.inc.php
index 814c76fff..d32fc328f 100644
--- a/include/upgrader/prereq.inc.php
+++ b/include/upgrader/prereq.inc.php
@@ -27,6 +27,7 @@ if(!defined('OSTSCPINC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access D
             </ul>
             <div id="bar">
                 <form method="post" action="upgrade.php" id="prereq">
+                    <?php csrf_token(); ?>
                     <input type="hidden" name="s" value="prereq">
                     <input class="btn"  type="submit" name="submit" value="Start Upgrade Now &raquo;">
                 </form>
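Review bot: The added `<?php csrf_token(); ?>` only places a token in the form, and nothing in this patch shows the POST handler in `upgrade.php` rejecting a request whose token is missing or does not match; the diffstat touches only the three templates. If that check is not already enforced for every staff-panel POST (not visible from here), the hidden field is inert and the upgrade steps remain triggerable by a cross-site request from an admin's browser. The same applies to the identical additions in `rename.inc.php` and `upgrade.inc.php`. Once the server-side check is confirmed, a short comment at each call would record the dependency, e.g. `<?php csrf_token(); // hidden CSRF field; must be validated on POST in upgrade.php ?>`. The surrounding template continues outside the hunk, so any guard or validation above line 27 is not visible here.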
diff --git a/include/upgrader/rename.inc.php b/include/upgrader/rename.inc.php
index 6d449567f..0b649bfa0 100644
--- a/include/upgrader/rename.inc.php
+++ b/include/upgrader/rename.inc.php
@@ -18,6 +18,7 @@ if(!defined('OSTSCPINC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access D
             <p>Please refer to the <a target="_blank" href="http://osticket.com/wiki/Upgrade_and_Migration">Upgrade Guide</a> for more information.</p>
             <div id="bar">
                 <form method="post" action="upgrade.php">
+                    <?php csrf_token(); ?>
                     <input type="hidden" name="s" value="prereq">
                     <input class="btn" type="submit" name="submit" value="Continue &raquo;">
                 </form>
diff --git a/include/upgrader/upgrade.inc.php b/include/upgrader/upgrade.inc.php
index 9e95af3ff..7c8a8aae4 100644
--- a/include/upgrader/upgrade.inc.php
+++ b/include/upgrader/upgrade.inc.php
@@ -18,6 +18,7 @@ $action=$upgrader->getNextAction();
             </ul>
             <div id="bar">
                 <form method="post" action="upgrade.php" id="upgrade">
+                    <?php csrf_token(); ?>
                     <input type="hidden" name="s" value="upgrade">
                     <input type="hidden" name="sh" value="<?php echo $upgrader->getSchemaSignature(); ?>">
                     <input class="btn"  type="submit" name="submit" value="Do It Now!">
-- 
GitLab