Add CSRF protection to upgrader

6dc17855 · Peter Rotich · b20cb62a · 6dc17855 · 6dc17855 · 6dc17855
Commit 6dc17855 authored 12 years ago by Peter Rotich
--- a/include/upgrader/prereq.inc.php
+++ b/include/upgrader/prereq.inc.php
@@ -27,6 +27,7 @@ if(!defined('OSTSCPINC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access D
            </ul>
            <div id="bar">
                <form method="post" action="upgrade.php" id="prereq">
+                    <?php csrf_token(); ?>
                    <input type="hidden" name="s" value="prereq">
                    <input class="btn"  type="submit" name="submit" value="Start Upgrade Now &raquo;">
                </form>

--- a/include/upgrader/rename.inc.php
+++ b/include/upgrader/rename.inc.php
@@ -18,6 +18,7 @@ if(!defined('OSTSCPINC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access D
            <p>Please refer to the <a target="_blank" href="http://osticket.com/wiki/Upgrade_and_Migration">Upgrade Guide</a> for more information.</p>
            <div id="bar">
                <form method="post" action="upgrade.php">
+                    <?php csrf_token(); ?>
                    <input type="hidden" name="s" value="prereq">
                    <input class="btn" type="submit" name="submit" value="Continue &raquo;">
                </form>

--- a/include/upgrader/upgrade.inc.php
+++ b/include/upgrader/upgrade.inc.php
@@ -18,6 +18,7 @@ $action=$upgrader->getNextAction();
            </ul>
            <div id="bar">
                <form method="post" action="upgrade.php" id="upgrade">
+                    <?php csrf_token(); ?>
                    <input type="hidden" name="s" value="upgrade">
                    <input type="hidden" name="sh" value="<?php echo $upgrader->getSchemaSignature(); ?>">
                    <input class="btn"  type="submit" name="submit" value="Do It Now!">