From e7a6ed20e8ea073d7bf14890c766b17de444cf79 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Tue, 24 Dec 2019 15:27:43 +0100
Subject: [PATCH 1/2] [ticket/security-251] Check form token when moving PM to
 folder

SECURITY-251
---
 phpBB/includes/ucp/ucp_pm.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/phpBB/includes/ucp/ucp_pm.php b/phpBB/includes/ucp/ucp_pm.php
index 4d02620e89..3f982c8dd0 100644
--- a/phpBB/includes/ucp/ucp_pm.php
+++ b/phpBB/includes/ucp/ucp_pm.php
@@ -193,6 +193,8 @@ class ucp_pm
 					trigger_error('NO_AUTH_READ_HOLD_MESSAGE');
 				}
 
+				add_form_key('ucp_pm_view');
+
 				// First Handle Mark actions and moving messages
 				$submit_mark	= (isset($_POST['submit_mark'])) ? true : false;
 				$move_pm		= (isset($_POST['move_pm'])) ? true : false;
@@ -210,6 +212,11 @@ class ucp_pm
 				// Move PM
 				if ($move_pm)
 				{
+					if (!check_form_key('ucp_pm_view'))
+					{
+						trigger_error('FORM_INVALID');
+					}
+
 					$move_msg_ids	= (isset($_POST['marked_msg_id'])) ? $request->variable('marked_msg_id', array(0)) : array();
 					$cur_folder_id	= $request->variable('cur_folder_id', PRIVMSGS_NO_BOX);
 

From 25c80df156ecd5389734265f8fdf6908212984b4 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Thu, 26 Dec 2019 14:40:23 +0100
Subject: [PATCH 2/2] [ticket/security-252] Check form token on marking PM

SECURITY-252
---
 phpBB/includes/ucp/ucp_pm.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/phpBB/includes/ucp/ucp_pm.php b/phpBB/includes/ucp/ucp_pm.php
index 3f982c8dd0..00d1ce7149 100644
--- a/phpBB/includes/ucp/ucp_pm.php
+++ b/phpBB/includes/ucp/ucp_pm.php
@@ -209,14 +209,14 @@ class ucp_pm
 					$submit_mark = false;
 				}
 
+				if (($move_pm || $submit_mark) && !check_form_key('ucp_pm_view'))
+				{
+					trigger_error('FORM_INVALID');
+				}
+
 				// Move PM
 				if ($move_pm)
 				{
-					if (!check_form_key('ucp_pm_view'))
-					{
-						trigger_error('FORM_INVALID');
-					}
-
 					$move_msg_ids	= (isset($_POST['marked_msg_id'])) ? $request->variable('marked_msg_id', array(0)) : array();
 					$cur_folder_id	= $request->variable('cur_folder_id', PRIVMSGS_NO_BOX);