From c70b987f0a09984b2f60a0b7fbdc28f62cc0dd65 Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Fri, 20 Jul 2012 15:29:03 -0400
Subject: [PATCH] Add CSRF protection to missed forms

---
 include/staff/ticket-view.inc.php | 1 +
 include/staff/tickets.inc.php     | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/include/staff/ticket-view.inc.php b/include/staff/ticket-view.inc.php
index 94f2cac6d..633fe2f27 100644
--- a/include/staff/ticket-view.inc.php
+++ b/include/staff/ticket-view.inc.php
@@ -614,6 +614,7 @@ if(!$cfg->showNotesInline()) { ?>
     <a class="close" href="">&times;</a>
     <hr/>
     <form action="tickets.php?id=<?php echo $ticket->getId(); ?>" method="post" id="print-form" name="print-form">
+        <?php csrf_token(); ?>
         <input type="hidden" name="a" value="print">
         <input type="hidden" name="id" value="<?php echo $ticket->getId(); ?>">
         <fieldset class="notes">
diff --git a/include/staff/tickets.inc.php b/include/staff/tickets.inc.php
index 8397a4988..cbe8a6a98 100644
--- a/include/staff/tickets.inc.php
+++ b/include/staff/tickets.inc.php
@@ -270,6 +270,7 @@ $negorder=$order=='DESC'?'ASC':'DESC'; //Negate the sorting..
 <!-- SEARCH FORM START -->
 <div id='basic_search'>
     <form action="tickets.php" method="get">
+    <?php csrf_token(); ?>
     <input type="hidden" name="a" value="search">
     <table>
         <tr>
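Review bot: The token added to the search form at `<form action="tickets.php" method="get">` will travel in the query string, because this form submits by GET. That places a session-bound secret in browser history, web-server access logs and Referer headers sent to any linked or embedded third-party resource. The search changes no state, so it gains nothing from a token. I would drop `<?php csrf_token(); ?>` from this form and keep tokens on the POST forms only. What csrf_token() emits is not visible in this diff, so this assumes it prints a hidden field carrying the token value.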
@@ -285,6 +286,7 @@ $negorder=$order=='DESC'?'ASC':'DESC'; //Negate the sorting..
 <div class="clear"></div>
 <div style="margin-bottom:20px">
 <form action="tickets.php" method="POST" name='tickets' onSubmit="return checkbox_checker(this,1,0);">
+<?php csrf_token(); ?>
  <a class="refresh" href="<?php echo $_SERVER['REQUEST_URI']; ?>">Refresh</a>
  <input type="hidden" name="a" value="mass_process" >
  <input type="hidden" name="status" value="<?php echo $status; ?>" >
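Review bot: The Refresh link directly below the added token echoes `$_SERVER['REQUEST_URI']` into an href without escaping, so markup injected through the URL would run in the same page as the token and could read it, defeating the protection this hunk adds. Escape it for the attribute context, e.g. `href="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8'); ?>"`. The same applies to `$status` in the hidden field if it can originate from the request, which this hunk does not show. Because the search form in this file submits by GET, the request URI after a search may also carry the token, and this link would then repeat it in the page. The form body continues outside the hunk.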
-- 
GitLab