Ok, here comes a big one. Poor updater. Also requires testing.

#i91
#i92
#i93
#i94
#i95
#i96


git-svn-id: file:///svn/phpbb/trunk@8120 89ea8834-ac86-4346-8a33-228a782c2dd0

phpBB/adm/style/acp_attachments.html

@@ -216,7 +216,7 @@
 		</p>
 
 		</fieldset>
-
+		{S_FORM_TOKEN}
 		</form>
 	<!-- ELSE -->
 
@@ -258,6 +258,7 @@
 				<input class="button2" name="add" type="submit" value="{L_SUBMIT}" />
 		</p>
 		</fieldset>
+		{S_FORM_TOKEN}
 		</form>
 
 	<!-- ENDIF -->
@@ -280,7 +281,7 @@
 		<input type="submit" id="add_extension_check" name="add_extension_check" class="button2" value="{L_SUBMIT}" />
 	</p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 	
 	<br />
@@ -320,7 +321,7 @@
 		<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />
 	</p>
 	</fieldset>
-	
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_ORPHAN -->
@@ -368,7 +369,7 @@
 	</p>
 
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->

phpBB/adm/style/acp_bbcodes.html

@@ -77,7 +77,7 @@
 	<!-- END token -->
 	</tbody>
 	</table>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSE -->
@@ -111,7 +111,7 @@
 		<input class="button2" name="submit" type="submit" value="{L_ADD_BBCODE}" />
 	</p>
 	</fieldset>
-
+{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->

phpBB/adm/style/acp_board.html

@@ -45,6 +45,7 @@
 
 </fieldset>
 
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE overall_footer.html -->

phpBB/adm/style/acp_bots.html

@@ -51,7 +51,7 @@
 		<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />
 	</p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSE -->
@@ -94,7 +94,7 @@
 		<input class="button2" name="submit" type="submit" value="{L_SUBMIT}" />
 		<p class="small"><a href="#" onclick="marklist('acp_bots', 'mark', true);">{L_MARK_ALL}</a> &bull; <a href="#" onclick="marklist('acp_bots', 'mark', false);">{L_UNMARK_ALL}</a></p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->

phpBB/adm/style/acp_captcha.html

@@ -64,7 +64,7 @@
 	<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />&nbsp;
 	<input class="button2" type="submit" id="preview" name="preview" value="{L_PREVIEW}" />
 </fieldset>
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE overall_footer.html -->

phpBB/adm/style/acp_database.html

@@ -25,6 +25,7 @@
 	<!-- ENDIF -->
 
 	</fieldset>
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSE -->
@@ -85,7 +86,7 @@
 		<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />
 	</p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->

phpBB/adm/style/acp_disallow.html

@@ -39,7 +39,7 @@
 	<p>{L_NO_DISALLOWED}</p>
 <!-- ENDIF -->
 </fieldset>
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE overall_footer.html -->

phpBB/adm/style/acp_email.html

@@ -48,7 +48,7 @@
 	<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />
 </p>
 </fieldset>
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE overall_footer.html -->

phpBB/adm/style/acp_forums.html

@@ -312,7 +312,7 @@
 		<input class="button1" type="submit" id="submit" name="update" value="{L_SUBMIT}" />&nbsp;
 		<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_DELETE_FORUM -->
@@ -361,7 +361,7 @@
 		<input class="button1" type="submit" name="update" value="{L_SUBMIT}" />
 	</p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_CONTINUE_SYNC -->
@@ -470,7 +470,7 @@
 
 		<input class="button2" type="submit" value="{L_GO}" />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 	<form id="forums" method="post" action="{U_ACTION}">
@@ -481,7 +481,7 @@
 		<input type="text" name="forum_name" value="" maxlength="255" />
 		<input class="button2" name="addforum" type="submit" value="{L_CREATE_FORUM}" />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->

phpBB/adm/style/acp_groups.html

@@ -155,7 +155,7 @@
 		<input class="button1" type="submit" id="submit" name="update" value="{L_SUBMIT}" />&nbsp;
 		<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_LIST -->
@@ -261,7 +261,7 @@
 		<input class="button2" type="submit" name="addusers" value="{L_SUBMIT}" />
 	</p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSE -->
@@ -310,7 +310,7 @@
 			<input type="hidden" name="add" value="1" />
 		<!-- ENDIF -->
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 	<h1>{L_SPECIAL_GROUPS}</h1>

phpBB/adm/style/acp_icons.html

@@ -160,7 +160,7 @@
 	</p>
 
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_CHOOSE_PAK -->
@@ -195,7 +195,7 @@
 	</p>
 	<!-- ENDIF -->
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSE -->
@@ -257,7 +257,7 @@
 		<input class="button2" name="add" type="submit" value="{L_ICON_ADD}" />&nbsp; &nbsp;<input class="button2" type="submit" name="edit" value="{L_ICON_EDIT}" />
 	</p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->

phpBB/adm/style/acp_inactive.html

@@ -65,7 +65,7 @@
 
 
 
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE overall_footer.html -->

phpBB/adm/style/acp_jabber.html

@@ -59,7 +59,7 @@
 	<input class="button1" type="submit" id="submit" name="submit" value="{L_SUBMIT}" />&nbsp;
 	<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />
 </fieldset>
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE overall_footer.html -->

phpBB/adm/style/acp_language.html

@@ -55,7 +55,7 @@
 		<input type="submit" name="update_details" class="button2" value="{L_SUBMIT}" />
 	</p>
 	</fieldset>
-	
+	{S_FORM_TOKEN}
 	</form>
 
 	<br /><br />
@@ -92,7 +92,7 @@
 		<!-- END missing -->
 		</tbody>
 		</table>
-
+		{S_FORM_TOKEN}
 		</form>
 
 		<br /><br />
@@ -161,7 +161,7 @@
 	</tr>
 	</tbody>
 	</table>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_UPLOAD -->
@@ -201,7 +201,7 @@
 		<input class="button1" type="submit" name="update" value="{L_SUBMIT}" />
 		<input class="button1" type="submit" name="test_connection" value="{L_TEST_CONNECTION}" />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSE -->

phpBB/adm/style/acp_logs.html

@@ -79,7 +79,7 @@
 <!-- ENDIF -->
 
 
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE overall_footer.html -->

phpBB/adm/style/acp_modules.html

@@ -116,7 +116,7 @@
 		<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />
 	</p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSE -->

phpBB/adm/style/acp_permission_roles.html

@@ -125,7 +125,7 @@
 	<fieldset class="quick">
 		<input type="submit" class="button1" name="submit" value="{L_SUBMIT}" />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 	<a href="#maincontent">&raquo; {L_BACK_TO_TOP}</a><br />
@@ -179,7 +179,7 @@
 	<fieldset class="quick">
 		{L_CREATE_ROLE}: <input type="text" name="role_name" value="" maxlength="255" /><!-- IF S_ROLE_OPTIONS --> <select name="options_from"><option value="0" selected="selected">{L_CREATE_ROLE_FROM}</option>{S_ROLE_OPTIONS}</select><!-- ENDIF --> <input class="button2" type="submit" name="add" value="{L_SUBMIT}" /><br />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 	<!-- IF S_DISPLAY_ROLE_MASK -->

phpBB/adm/style/acp_permissions.html

@@ -39,7 +39,7 @@
 		</p>
 
 		</fieldset>
-
+		{S_FORM_TOKEN}
 		</form>
 
 		<!-- IF S_FORUM_MULTIPLE -->
@@ -60,7 +60,7 @@
 			</p>
 
 			</fieldset>
-
+			{S_FORM_TOKEN}
 			</form>
 			
 		<!-- ENDIF -->
@@ -83,7 +83,7 @@
 			<input type="submit" name="submit" value="{L_SUBMIT}" class="button1" />
 		</p>
 		</fieldset>
-
+		{S_FORM_TOKEN}
 		</form>
 
 	<!-- ELSEIF S_SELECT_GROUP and S_CAN_SELECT_GROUP -->
@@ -103,7 +103,7 @@
 		</p>
 
 		</fieldset>
-
+		{S_FORM_TOKEN}
 		</form>
 
 		<!-- ELSEIF S_SELECT_USERGROUP -->
@@ -128,7 +128,7 @@
 				{S_HIDDEN_FIELDS}
 				<input type="submit" class="button2" name="action[delete]" value="{L_REMOVE_PERMISSIONS}" style="width: 46% !important;" /> &nbsp; <input class="button1" type="submit" name="submit_edit_options" value="{L_EDIT_PERMISSIONS}" style="width: 46% !important;" />
 			</fieldset>
-			
+			{S_FORM_TOKEN}
 			</form>
 
 			<form id="add_user" method="post" action="{U_ACTION}">
@@ -146,7 +146,7 @@
 				{S_HIDDEN_FIELDS}
 				<input class="button1" type="submit" name="submit_add_options" value="{L_ADD_PERMISSIONS}" />
 			</fieldset>
-			
+			{S_FORM_TOKEN}
 			</form>
 
 		<!-- ENDIF -->
@@ -173,7 +173,7 @@
 				{S_HIDDEN_FIELDS}
 				<input class="button2" type="submit" name="action[delete]" value="{L_REMOVE_PERMISSIONS}" style="width: 46% !important;" /> &nbsp; <input class="button1" type="submit" name="submit_edit_options" value="{L_EDIT_PERMISSIONS}" style="width: 46% !important;" />
 			</fieldset>
-			
+			{S_FORM_TOKEN}
 			</form>
 
 			<form id="add_groups" method="post" action="{U_ACTION}">
@@ -190,6 +190,7 @@
 				<input type="submit" class="button1" name="submit_add_options" value="{L_ADD_PERMISSIONS}" />
 			</fieldset>
 			
+			{S_FORM_TOKEN}
 			</form>
 
 		<!-- ENDIF -->
@@ -216,6 +217,7 @@
 				<input class="button1" type="submit" name="submit" value="{L_VIEW_PERMISSIONS}" />
 			</fieldset>
 			
+			{S_FORM_TOKEN}
 			</form>
 
 			<form id="add_user" method="post" action="{U_ACTION}">
@@ -234,7 +236,7 @@
 				{S_HIDDEN_FIELDS}
 				<input type="submit" name="submit" value="{L_VIEW_PERMISSIONS}" class="button1" />
 			</fieldset>
-
+			{S_FORM_TOKEN}
 			</form>
 
 		</div>
@@ -257,6 +259,7 @@
 				<input class="button1" type="submit" name="submit" value="{L_VIEW_PERMISSIONS}" />
 			</fieldset>
 			
+			{S_FORM_TOKEN}
 			</form>
 
 			<form id="group" method="post" action="{U_ACTION}">
@@ -275,6 +278,7 @@
 				<input type="submit" name="submit" value="{L_VIEW_PERMISSIONS}" class="button1" />
 			</fieldset>
 
+			{S_FORM_TOKEN}
 			</form>
 
 		</div>
@@ -318,7 +322,7 @@
 
 			<input class="button2" type="submit" name="submit" value="{L_GO}" />
 		</fieldset>
-	
+		{S_FORM_TOKEN}	
 		</form>
 	<!-- ENDIF -->
 
@@ -347,6 +351,7 @@
 
 	<br /><br />
 	
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->

phpBB/adm/style/acp_profile.html

@@ -156,7 +156,7 @@
 		</fieldset>
 	
 	<!-- ENDIF -->
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSE -->
@@ -217,7 +217,7 @@
 		<input class="button1" type="submit" name="submit" value="{L_CREATE_NEW_FIELD}" />
 		<input type="hidden" name="create" value="1" />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->

phpBB/adm/style/acp_prune_forums.html

@@ -101,7 +101,7 @@
 		<input class="button1" type="submit" id="submit" name="submit" value="{L_SUBMIT}" />
 	</p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->

phpBB/adm/style/acp_prune_users.html

@@ -53,7 +53,7 @@
 	<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />
 </p>
 </fieldset>
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE overall_footer.html -->

phpBB/adm/style/acp_ranks.html

@@ -52,7 +52,7 @@
 		<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />
 	</p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSE -->
@@ -90,7 +90,7 @@
 		<input class="button2" name="add" type="submit" value="{L_ADD_RANK}" />
 	</p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->

phpBB/adm/style/acp_reasons.html

@@ -54,7 +54,7 @@
 		<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />
 	</p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSE -->
@@ -119,6 +119,7 @@
 	</p>
 	</fieldset>
 	
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->

phpBB/adm/style/acp_search.html

@@ -61,6 +61,7 @@
 		<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />
 	</fieldset>
 
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_INDEX -->
@@ -90,6 +91,7 @@
 				<input class="button1" type="submit" id="continue" name="continue" value="{L_CONTINUE}" onclick="popup_progress_bar('{S_CONTINUE_INDEXING}');" />&nbsp;
 				<input class="button2" type="submit" id="cancel" name="cancel" value="{L_CANCEL}" />
 			</fieldset>
+		{S_FORM_TOKEN}
 		</form>
 	<!-- ELSE -->
 
@@ -140,7 +142,7 @@
 			<!-- ENDIF -->
 			</p>
 			</fieldset>
-
+			{S_FORM_TOKEN}
 			</form>
 		<!-- END backend -->
 

phpBB/adm/style/acp_styles.html

@@ -27,7 +27,7 @@
 		<input class="button1" type="submit" name="update" value="{L_DELETE}" />
 	</p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_EDIT_IMAGESET -->
@@ -148,7 +148,7 @@
 		<legend>{L_SUBMIT}</legend>
 		<input class="button1" type="submit" name="update" value="{L_SUBMIT}" />&nbsp;&nbsp;<input class="button2" type="reset" value="{L_RESET}" />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_EDIT_TEMPLATE or S_EDIT_THEME -->
@@ -173,6 +173,7 @@
 	</fieldset>
 	<!-- ENDIF -->
 	
+	{S_FORM_TOKEN}
 	</form>
 
 	<!-- IF TEMPLATE_FILE or (S_EDIT_THEME and S_THEME_IN_DB) -->
@@ -255,6 +256,7 @@
 			<input class="button1" id="save" type="submit" name="save" value="{L_SUBMIT}" />
 		</fieldset>
 		
+		{S_FORM_TOKEN}
 		</form>
 	<!-- ENDIF -->
 
@@ -304,6 +306,7 @@
 	</p>
 	</fieldset>
 
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_EXPORT -->
@@ -361,6 +364,7 @@
 	</p>
 	</fieldset>
 
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_FRONTEND -->
@@ -506,6 +510,7 @@
 		<input class="button1" type="submit" name="update" value="{L_SUBMIT}" />
 	</fieldset>
 	
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->

phpBB/adm/style/acp_users.html

@@ -47,7 +47,7 @@
 	<fieldset class="quick">
 		<input type="submit" name="update" value="{L_SUBMIT}" class="button1" />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSE -->
@@ -70,7 +70,7 @@
 	<fieldset class="quick">
 		{L_SELECT_FORM}: <select name="mode" onchange="if (this.options[this.selectedIndex].value != '') this.form.submit();">{S_FORM_OPTIONS}</select> <input class="button2" type="submit" value="{L_GO}" />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->
@@ -110,7 +110,7 @@
 	<fieldset class="quick">
 		<input class="button1" type="submit" name="update" value="{L_SUBMIT}" />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_SIGNATURE -->
@@ -145,7 +145,7 @@
 			{L_USER_GROUP_ADD}: <select name="g">{S_GROUP_OPTIONS}</select> <input class="button1" type="submit" name="update" value="{L_SUBMIT}" />
 		</fieldset>
 	<!-- ENDIF -->
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_ATTACHMENTS -->
@@ -202,7 +202,7 @@
 		<input class="button2" type="submit" name="delmarked" value="{L_DELETE_MARKED}" />
 		<p class="small"><a href="#" onclick="marklist('user_attachments', 'mark', true);">{L_MARK_ALL}</a> &bull; <a href="#" onclick="marklist('user_attachments', 'mark', false);">{L_UNMARK_ALL}</a></p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSEIF S_PERMISSIONS -->
@@ -218,7 +218,7 @@
 			{L_SELECT_FORUM}: <select name="f">{S_FORUM_OPTIONS}</select> 
 			<input class="button2" type="submit" value="{L_GO}" name="select" />
 		</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 	<div class="clearfix">&nbsp;</div>

phpBB/adm/style/acp_users_avatar.html

@@ -72,4 +72,5 @@
 		<input class="button1" type="submit" name="update" value="{L_SUBMIT}" />
 	</fieldset>
 	
+	{S_FORM_TOKEN}
 	</form>

phpBB/adm/style/acp_users_feedback.html

@@ -72,5 +72,5 @@
 	<fieldset class="quick">
 		<input class="button1" type="submit" name="update" value="{L_SUBMIT}" />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>

phpBB/adm/style/acp_users_overview.html

@@ -64,7 +64,7 @@
 </p>
 
 </fieldset>
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- IF not S_USER_FOUNDER or S_FOUNDER -->
@@ -138,6 +138,7 @@
 
 	</fieldset>
 	
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ENDIF -->

phpBB/adm/style/acp_users_prefs.html

@@ -154,4 +154,5 @@
 		<input class="button1" type="submit" name="update" value="{L_SUBMIT}" />
 	</fieldset>
 
+	{S_FORM_TOKEN}
 	</form>

phpBB/adm/style/acp_users_profile.html

@@ -63,4 +63,5 @@
 		<input class="button1" type="submit" name="update" value="{L_SUBMIT}" />
 	</fieldset>
 
+	{S_FORM_TOKEN}
 	</form>

phpBB/adm/style/acp_users_signature.html

@@ -113,5 +113,5 @@
 		<input class="button1" type="submit" name="update" value="{L_SUBMIT}" />&nbsp;
 		<input class="button2" type="submit" name="preview" value="{L_PREVIEW}" />
 	</fieldset>
-
+{S_FORM_TOKEN}
 </form>

phpBB/adm/style/acp_words.html

@@ -29,7 +29,7 @@
 		<input class="button2" type="reset" id="reset" name="reset" value="{L_RESET}" />
 	</p>
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSE -->
@@ -67,7 +67,7 @@
 	</table>
 
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 <!-- ENDIF -->
 

phpBB/develop/create_schema_files.php

@@ -1842,6 +1842,8 @@ function get_schema_struct()
 			'user_interests'			=> array('TEXT_UNI', ''),
 			'user_actkey'				=> array('VCHAR:32', ''),
 			'user_newpasswd'			=> array('VCHAR_UNI:32', ''),
+			'user_form_salt'			=> array('VCHAR_UNI:32', ''),
+
 		),
 		'PRIMARY_KEY'	=> 'user_id',
 		'KEYS'			=> array(
@@ -2020,4 +2022,6 @@ EOF;
 	return '';
 }
 
+echo 'done';
+
 ?>

phpBB/includes/acp/acp_attachments.php

@@ -27,6 +27,14 @@ class acp_attachments
 		$submit = (isset($_POST['submit'])) ? true : false;
 		$action = request_var('action', '');
 
+		$form_key = 'acp_attach';
+		add_form_key($form_key);
+
+		if ($submit && !check_form_key($form_key))
+		{
+			trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+		}
+
 		switch ($mode)
 		{
 			case 'attach':

phpBB/includes/acp/acp_ban.php

@@ -28,6 +28,13 @@ class acp_ban
 
 		$user->add_lang(array('acp/ban', 'acp/users'));
 		$this->tpl_name = 'acp_ban';
+		$form_key = 'acp_ban';
+		add_form_key($form_key);
+
+		if(($bansubmit || $unbansubmit) && !check_form_key($form_key))
+		{
+			trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+		}
 
 		// Ban submitted?
 		if ($bansubmit)

phpBB/includes/acp/acp_bbcodes.php

@@ -28,6 +28,9 @@ class acp_bbcodes
 
 		$this->tpl_name = 'acp_bbcodes';
 		$this->page_title = 'ACP_BBCODES';
+		$form_key = 'acp_bbcodes';
+
+		add_form_key($form_key);
 
 		// Set up mode-specific vars
 		switch ($action)

phpBB/includes/acp/acp_board.php

@@ -27,6 +27,9 @@ class acp_board
 		$action	= request_var('action', '');
 		$submit = (isset($_POST['submit'])) ? true : false;
 
+		$form_key = 'acp_board';
+		add_form_key($form_key);
+
 		/**
 		*	Validation types are:
 		*		string, int, bool,
@@ -314,6 +317,8 @@ class acp_board
 						'chg_passforce'			=> array('lang' => 'FORCE_PASS_CHANGE',		'validate' => 'int',	'type' => 'text:3:3', 'explain' => true, 'append' => ' ' . $user->lang['DAYS']),
 						'max_login_attempts'	=> array('lang' => 'MAX_LOGIN_ATTEMPTS',	'validate' => 'int',	'type' => 'text:3:3', 'explain' => true),
 						'tpl_allow_php'			=> array('lang' => 'TPL_ALLOW_PHP',			'validate' => 'bool',	'type' => 'radio:yes_no', 'explain' => true),
+						'form_token_lifetime'	=> array('lang' => 'FORM_TIME_MAX',			'validate' => 'int',	'type' => 'text:5:5', 'explain' => true, 'append' => ' ' . $user->lang['SECONDS']),
+						'form_token_mintime'	=> array('lang' => 'FORM_TIME_MIN',			'validate' => 'int',	'type' => 'text:5:5', 'explain' => true, 'append' => ' ' . $user->lang['SECONDS']),
 					)
 				);
 			break;
@@ -360,6 +365,10 @@ class acp_board
 		// We validate the complete config if whished
 		validate_config_vars($display_vars['vars'], $cfg_array, $error);
 
+		if ($submit && !check_form_key($form_key))
+		{
+			$error[] = $user->lang['FORM_INVALID'];
+		}
 		// Do not write values if there is an error
 		if (sizeof($error))
 		{

phpBB/includes/acp/acp_bots.php

@@ -35,6 +35,13 @@ class acp_bots
 		$user->add_lang('acp/bots');
 		$this->tpl_name = 'acp_bots';
 		$this->page_title = 'ACP_BOTS';
+		$form_key = 'acp_bots';
+		add_form_key($form_key);
+
+		if ($submit && !check_form_key($form_key))
+		{
+			$error[] = $user->lang['FORM_INVALID'];
+		}
 
 		// User wants to do something, how inconsiderate of them!
 		switch ($action)

phpBB/includes/acp/acp_captcha.php

@@ -57,9 +57,12 @@ class acp_captcha
 
 		$this->tpl_name = 'acp_captcha';
 		$this->page_title = 'ACP_VC_SETTINGS';
+		$form_key = 'acp_captcha';
+		add_form_key($form_key);
+
 		$submit = request_var('submit', '');
 
-		if ($submit)
+		if ($submit && check_form_key($form_key))
 		{
 			$config_vars = array_keys($config_vars);
 			foreach ($config_vars as $config_var)
@@ -73,6 +76,10 @@ class acp_captcha
 			}
 			trigger_error($user->lang['CONFIG_UPDATED'] . adm_back_link($this->u_action));
 		}
+		else if ($submit)
+		{
+				trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action));
+		}
 		else
 		{
 			

phpBB/includes/acp/acp_disallow.php

@@ -28,9 +28,17 @@ class acp_disallow
 		$this->tpl_name = 'acp_disallow';
 		$this->page_title = 'ACP_DISALLOW_USERNAMES';
 
+		$form_key = 'acp_disallow';
+		add_form_key($form_key);
+
 		$disallow = (isset($_POST['disallow'])) ? true : false;
 		$allow = (isset($_POST['allow'])) ? true : false;
 
+		if (($allow || $disallow) && !check_form_key($form_key))
+		{
+			trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+		}
+
 		if ($disallow)
 		{
 			$disallowed_user = str_replace('*', '%', utf8_normalize_nfc(request_var('disallowed_user', '', true)));

phpBB/includes/acp/acp_email.php

@@ -24,6 +24,9 @@ class acp_email
 		$this->tpl_name = 'acp_email';
 		$this->page_title = 'ACP_MASS_EMAIL';
 
+		$form_key = 'acp_email';
+		add_form_key($form_key);
+
 		// Set some vars
 		$submit = (isset($_POST['submit'])) ? true : false;
 		$error = array();
@@ -41,6 +44,11 @@ class acp_email
 			$use_queue		= (isset($_POST['send_immediately'])) ? false : true;
 			$priority		= request_var('mail_priority_flag', MAIL_NORMAL_PRIORITY);
 
+			if (!check_form_key($form_key))
+			{
+				$error[] = $user->lang['FORM_INVALID'];
+			}
+
 			if (!$subject)
 			{
 				$error[] = $user->lang['NO_EMAIL_SUBJECT'];

phpBB/includes/acp/acp_forums.php

@@ -25,6 +25,9 @@ class acp_forums
 		$this->tpl_name = 'acp_forums';
 		$this->page_title = 'ACP_MANAGE_FORUMS';
 
+		$form_key = 'acp_forums';
+		add_form_key($form_key);
+
 		$action		= request_var('action', '');
 		$update		= (isset($_POST['update'])) ? true : false;
 		$forum_id	= request_var('f', 0);
@@ -33,6 +36,12 @@ class acp_forums
 
 		$forum_data = $errors = array();
 
+		if ($update && !check_form_key($form_key))
+		{
+			$update = false;
+			$error[] = $user->lang['FORM_INVALID'];
+		}
+
 		// Check additional permissions
 		switch ($action)
 		{

phpBB/includes/acp/acp_groups.php

@@ -24,6 +24,9 @@ class acp_groups
 		$this->tpl_name = 'acp_groups';
 		$this->page_title = 'ACP_GROUPS_MANAGE';
 
+		$form_key = 'acp_groups';
+		add_form_key($form_key);
+
 		include($phpbb_root_path . 'includes/functions_user.' . $phpEx);
 
 		// Check and set some common vars
@@ -36,6 +39,7 @@ class acp_groups
 		$start		= request_var('start', 0);
 		$update		= (isset($_POST['update'])) ? true : false;
 
+
 		// Clear some vars
 		$can_upload = (file_exists($phpbb_root_path . $config['avatar_path']) && @is_writable($phpbb_root_path . $config['avatar_path']) && $file_uploads) ? true : false;
 		$group_row = array();
@@ -258,6 +262,11 @@ class acp_groups
 				// Did we submit?
 				if ($update)
 				{
+					if (!check_form_key($form_key))
+					{
+						trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+					}
+
 					$group_name	= utf8_normalize_nfc(request_var('group_name', '', true));
 					$group_desc = utf8_normalize_nfc(request_var('group_desc', '', true));
 					$group_type	= request_var('group_type', GROUP_FREE);

phpBB/includes/acp/acp_inactive.php

@@ -33,14 +33,23 @@ class acp_inactive
 		$action = request_var('action', '');
 		$mark	= (isset($_REQUEST['mark'])) ? request_var('mark', array(0)) : array();
 		$start	= request_var('start', 0);
+		$submit = isset($_POST['submit']);
 
 		// Sort keys
 		$sort_days	= request_var('st', 0);
 		$sort_key	= request_var('sk', 'i');
 		$sort_dir	= request_var('sd', 'd');
 
-		if (sizeof($mark))
+		$form_key = 'acp_inactive';
+		add_form_key($form_key);
+
+		if ($submit && sizeof($mark))
 		{
+			if (!check_form_key($form_key))
+			{
+				trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+			}
+
 			switch ($action)
 			{
 				case 'activate':

phpBB/includes/acp/acp_jabber.php

@@ -44,8 +44,16 @@ class acp_jabber
 		$jab_package_size	= request_var('jab_package_size', $config['jab_package_size']);
 		$jab_use_ssl		= request_var('jab_use_ssl', $config['jab_use_ssl']);
 
+		$form_name = 'acp_jabber';
+		add_form_key($form_name);
+
 		if ($submit)
 		{
+			if(!check_form_key($form_name))
+			{
+				trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+			}
+
 			$error = array();
 
 			$message = $user->lang['JAB_SETTINGS_CHANGED'];

phpBB/includes/acp/acp_language.php

@@ -32,14 +32,19 @@ class acp_language
 		$this->default_variables();
 
 		// Check and set some common vars
-		$action		= request_var('action', '');
 
-		$action		= (isset($_POST['update_details'])) ? 'update_details' : $action;
-		$action		= (isset($_POST['download_file'])) ? 'download_file' : $action;
-		$action		= (isset($_POST['upload_file'])) ? 'upload_file' : $action;
-		$action		= (isset($_POST['upload_data'])) ? 'upload_data' : $action;
-		$action		= (isset($_POST['submit_file'])) ? 'submit_file' : $action;
-		$action		= (isset($_POST['remove_store'])) ? 'details' : $action;
+		$action		= (isset($_POST['update_details'])) ? 'update_details' : '';
+		$action		= (isset($_POST['download_file'])) ? 'download_file' : '';
+		$action		= (isset($_POST['upload_file'])) ? 'upload_file' : '';
+		$action		= (isset($_POST['upload_data'])) ? 'upload_data' : '';
+		$action		= (isset($_POST['submit_file'])) ? 'submit_file' : '';
+		$action		= (isset($_POST['remove_store'])) ? 'details' : '';
+
+		$submit = (empty($action)) ? false : true;
+		$action = (empty($action)) ? request_var('action', '') : $action;
+
+		$form_name = 'acp_lang';
+		add_form_key('acp_lang');
 
 		$lang_id = request_var('id', 0);
 		if (isset($_POST['missing_file']))
@@ -59,7 +64,7 @@ class acp_language
 		$this->tpl_name = 'acp_language';
 		$this->page_title = 'ACP_LANGUAGE_PACKS';
 
-		if ($action == 'upload_data' && request_var('test_connection', ''))
+		if ($submit && $action == 'upload_data' && request_var('test_connection', ''))
 		{
 			$test_connection = false;
 			$action = 'upload_file';
@@ -89,6 +94,7 @@ class acp_language
 		switch ($action)
 		{
 			case 'upload_file':
+
 				include_once($phpbb_root_path . 'includes/functions_transfer.' . $phpEx);
 
 				$method = request_var('method', '');
@@ -132,6 +138,11 @@ class acp_language
 
 			case 'update_details':
 
+				if(!$submit || !check_form_key($form_name))
+				{
+					trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+				}
+
 				if (!$lang_id)
 				{
 					trigger_error($user->lang['NO_LANG_ID'] . adm_back_link($this->u_action), E_USER_WARNING);
@@ -163,6 +174,11 @@ class acp_language
 			case 'download_file':
 			case 'upload_data':
 				
+				if(!$submit || !check_form_key($form_name))
+				{
+					trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+				}
+
 				if (!$lang_id || empty($_POST['entry']))
 				{
 					trigger_error($user->lang['NO_LANG_ID'] . adm_back_link($this->u_action), E_USER_WARNING);

phpBB/includes/acp/acp_permission_roles.php

@@ -35,6 +35,9 @@ class acp_permission_roles
 		$action = request_var('action', '');
 		$action = (isset($_POST['add'])) ? 'add' : $action;
 
+		$form_name = 'acp_permissions';
+		add_form_key($form_name);
+
 		switch ($mode)
 		{
 			case 'admin_roles':
@@ -134,6 +137,11 @@ class acp_permission_roles
 
 				case 'add':
 
+					if(!check_form_key($form_name))
+					{
+						trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+					}
+
 					$role_name = utf8_normalize_nfc(request_var('role_name', '', true));
 					$role_description = utf8_normalize_nfc(request_var('role_description', '', true));
 					$auth_settings = request_var('setting', array('' => 0));

phpBB/includes/acp/acp_permissions.php

@@ -46,7 +46,6 @@ class acp_permissions
 				$this->permission_trace($user_id, $forum_id, $permission);
 				return;
 			}
-			
 			trigger_error('NO_MODE', E_USER_ERROR);
 		}
 
@@ -66,6 +65,9 @@ class acp_permissions
 		$group_id = request_var('group_id', array(0));
 		$select_all_groups = request_var('select_all_groups', 0);
 
+		$form_name = 'acp_permissions';
+		add_form_key($form_name);
+
 		// If select all groups is set, we pre-build the group id array (this option is used for other screens to link to the permission settings screen)
 		if ($select_all_groups)
 		{
@@ -214,6 +216,11 @@ class acp_permissions
 			switch ($action)
 			{
 				case 'delete':
+
+					if(!check_form_key($form_name))
+					{
+						trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+					}
 					// All users/groups selected?
 					$all_users = (isset($_POST['all_users'])) ? true : false;
 					$all_groups = (isset($_POST['all_groups'])) ? true : false;
@@ -247,6 +254,10 @@ class acp_permissions
 					{
 						trigger_error($user->lang['NO_AUTH_SETTING_FOUND'] . adm_back_link($this->u_action), E_USER_WARNING);
 					}
+					if(!check_form_key($form_name))
+					{
+						trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+					}
 
 					$this->set_permissions($mode, $permission_type, $auth_admin, $user_id, $group_id);
 				break;
@@ -256,6 +267,10 @@ class acp_permissions
 					{
 						trigger_error($user->lang['NO_AUTH_SETTING_FOUND'] . adm_back_link($this->u_action), E_USER_WARNING);
 					}
+					if(!check_form_key($form_name))
+					{
+						trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+					}
 
 					$this->set_all_permissions($mode, $permission_type, $auth_admin, $user_id, $group_id);
 				break;

phpBB/includes/acp/acp_ranks.php

@@ -31,10 +31,17 @@ class acp_ranks
 		$this->tpl_name = 'acp_ranks';
 		$this->page_title = 'ACP_MANAGE_RANKS';
 
+		$form_name = 'acp_prune';
+		add_form_key($form_name);
+
 		switch ($action)
 		{
 			case 'save':
 
+				if(!check_form_key($form_name))
+				{
+					trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+				}
 				$rank_title = utf8_normalize_nfc(request_var('title', '', true));
 				$special_rank = request_var('special_rank', 0);
 				$min_posts = ($special_rank) ? 0 : request_var('min_posts', 0);
@@ -124,6 +131,11 @@ class acp_ranks
 			case 'edit':
 			case 'add':
 
+				if(!check_form_key($form_name))
+				{
+					trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+				}
+
 				$data = $ranks = $existing_imgs = array();
 				
 				$sql = 'SELECT * 

phpBB/includes/acp/acp_reasons.php

@@ -30,6 +30,9 @@ class acp_reasons
 		$this->tpl_name = 'acp_reasons';
 		$this->page_title = 'ACP_REASONS';
 
+		$form_name = 'acp_reason';
+		add_form_key('acp_reason');
+
 		$error = array();
 
 		switch ($action)
@@ -44,6 +47,10 @@ class acp_reasons
 
 				if ($submit)
 				{
+					if(!check_form_key($form_name))
+					{
+						$error[] = $user->lang['FORM_INVALID'];
+					}
 					// Reason specified?
 					if (!$reason_row['reason_title'] || !$reason_row['reason_description'])
 					{

phpBB/includes/acp/acp_users.php

@@ -37,6 +37,9 @@ class acp_users
 
 		$submit		= (isset($_POST['update'])) ? true : false;
 
+		$form_name = 'acp_users';
+		add_form_key($form_name);
+
 		// Whois (special case)
 		if ($action == 'whois')
 		{
@@ -218,6 +221,11 @@ class acp_users
 								trigger_error($user->lang['CANNOT_BAN_FOUNDER'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
 							}
 
+							if (!check_form_key($form_name))
+							{
+								trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+							}
+
 							$ban = array();
 
 							switch ($action)
@@ -270,6 +278,11 @@ class acp_users
 								trigger_error($user->lang['CANNOT_FORCE_REACT_YOURSELF'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
 							}
 
+							if (!check_form_key($form_name))
+							{
+								trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+							}
+
 							if ($user_row['user_type'] == USER_FOUNDER)
 							{
 								trigger_error($user->lang['CANNOT_FORCE_REACT_FOUNDER'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
@@ -337,6 +350,11 @@ class acp_users
 								trigger_error($user->lang['CANNOT_DEACTIVATE_YOURSELF'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
 							}
 
+							if (!check_form_key($form_name))
+							{
+								trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+							}
+
 							if ($user_row['user_type'] == USER_FOUNDER)
 							{
 								trigger_error($user->lang['CANNOT_DEACTIVATE_FOUNDER'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
@@ -361,6 +379,11 @@ class acp_users
 
 						case 'delsig':
 
+							if (!check_form_key($form_name))
+							{
+								trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+							}
+
 							$sql_ary = array(
 								'user_sig'					=> '',
 								'user_sig_bbcode_uid'		=> '',
@@ -380,6 +403,11 @@ class acp_users
 
 						case 'delavatar':
 
+							if (!check_form_key($form_name))
+							{
+								trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+							}
+
 							$sql_ary = array(
 								'user_avatar'			=> '',
 								'user_avatar_type'		=> 0,
@@ -451,6 +479,11 @@ class acp_users
 						
 						case 'moveposts':
 
+							if (!check_form_key($form_name))
+							{
+								trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+							}
+
 							$user->add_lang('acp/forums');
 
 							$new_forum_id = request_var('new_f', 0);
@@ -654,6 +687,11 @@ class acp_users
 						$error[] = 'NEW_EMAIL_ERROR';
 					}
 
+					if (!check_form_key($form_name))
+					{
+						$error[] = 'FORM_INVALID';
+					}
+
 					// Which updates do we need to do?
 					$update_username = ($user_row['username'] != $data['username']) ? $data['username'] : false;
 					$update_password = ($data['new_password'] && $user_row['user_password'] != md5($data['new_password'])) ? true : false;
@@ -882,6 +920,11 @@ class acp_users
 				// Delete entries if requested and able
 				if (($deletemark || $deleteall) && $auth->acl_get('a_clearlogs'))
 				{
+					if (!check_form_key($form_name))
+					{
+						trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+					}
+
 					$where_sql = '';
 					if ($deletemark && $marked)
 					{
@@ -907,6 +950,11 @@ class acp_users
 
 				if ($submit && $message)
 				{
+					if (!check_form_key($form_name))
+					{
+						trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+					}
+
 					add_log('admin', 'LOG_USER_FEEDBACK', $user_row['username']);
 					add_log('mod', 0, 0, 'LOG_USER_FEEDBACK', $user_row['username']);
 					add_log('user', $user_id, 'LOG_USER_GENERAL', $message);
@@ -1027,6 +1075,10 @@ class acp_users
 					{
 						$error = array_merge($error, $cp_error);
 					}
+					if (!check_form_key($form_name))
+					{
+						$error[] = 'FORM_INVALID';
+					}
 
 					if (!sizeof($error))
 					{
@@ -1205,6 +1257,11 @@ class acp_users
 						'post_sd'		=> array('string', false, 1, 1),
 					));
 
+					if (!check_form_key($form_name))
+					{
+						$error[] = 'FORM_INVALID';
+					}
+
 					if (!sizeof($error))
 					{
 						$this->optionset($user_row, 'popuppm', $data['popuppm']);
@@ -1368,6 +1425,12 @@ class acp_users
 
 				if ($submit)
 				{
+
+					if (!check_form_key($form_name))
+					{
+							trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+					}
+
 					if (avatar_process_user($error, $user_row))
 					{
 						trigger_error($user->lang['USER_AVATAR_UPDATED'] . adm_back_link($this->u_action . '&u=' . $user_row['user_id']));
@@ -1410,6 +1473,11 @@ class acp_users
 
 				if ($submit)
 				{
+					if (!check_form_key($form_name))
+					{
+						trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
+					}
+
 					$rank_id = request_var('user_rank', 0);
 
 					$sql = 'UPDATE ' . USERS_TABLE . "
@@ -1468,6 +1536,11 @@ class acp_users
 						$error[] = implode('<br />', $message_parser->warn_msg);
 					}
 
+					if (!check_form_key($form_name))
+					{
+						$error = 'FORM_INVALID';
+					}
+
 					if (!sizeof($error) && $submit)
 					{
 						$sql_ary = array(
@@ -1733,6 +1806,12 @@ class acp_users
 				// Add user to group?
 				if ($submit)
 				{
+
+					if (!check_form_key($form_name))
+					{
+						trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&amp;u=' . $user_id), E_USER_WARNING);
+					}
+
 					if (!$group_id)
 					{
 						trigger_error($user->lang['NO_GROUP'] . adm_back_link($this->u_action . '&amp;u=' . $user_id), E_USER_WARNING);

phpBB/includes/acp/acp_words.php

@@ -33,6 +33,9 @@ class acp_words
 		$this->tpl_name = 'acp_words';
 		$this->page_title = 'ACP_WORDS';
 
+		$form_name = 'acp_words';
+		add_form_key($form_name);
+
 		switch ($action)
 		{
 			case 'edit':
@@ -68,6 +71,11 @@ class acp_words
 			break;
 
 			case 'save':
+
+				if(!check_form_key($form_name))
+				{
+					trigger_error($user->lang['FORM_INVALID']. adm_back_link($this->u_action), E_USER_WARNING);
+				}
 				$word_id		= request_var('id', 0);
 				$word			= utf8_normalize_nfc(request_var('word', '', true));
 				$replacement	= utf8_normalize_nfc(request_var('replacement', '', true));

phpBB/includes/functions.php

@@ -1964,6 +1964,70 @@ function meta_refresh($time, $url)
 	);
 }
 
+//Form validation
+
+/**
+* Add a secret token to the form (requires the S_FORM_TOKEN template variable)
+* @param string  $form_name The name of the form; has to match the name used in check_form_key, otherwise no restrictions apply
+*/
+function add_form_key($form_name)
+{
+	global $template, $user;
+	$now = time();
+	$token = sha1($now . $user->data['user_form_salt'] . $form_name);
+
+	$s_fields = build_hidden_fields(array(
+			'creation_time' => $now,
+			'form_token'	=> $token,
+	));
+	$template->assign_vars(array(
+			'S_FORM_TOKEN'	=> $s_fields,
+	));
+}
+
+/**
+* Check the form key. Required for all altering actions not secured by confirm_box
+* @param string  $form_name The name of the form; has to match the name used in add_form_key, otherwise no restrictions apply
+* @param int $timespan The maximum acceptable age for a submitted form in seconds. Defaults to the config setting.
+* @param string $return_page The address for the return link
+* @param bool $trigger If true, the function will triger an error when encountering an invalid form
+* @param int $minimum_time The minimum acceptable age for a submitted form in seconds
+*/
+function check_form_key($form_name, $timespan = false, $return_page = '', $trigger = false, $miniumum_time = false)
+{
+	global $user, $config;
+
+	if ($timespan === false) 
+	{
+		$timespan = $config['form_token_lifetime'];
+	}
+	if ($miniumum_time === false)
+	{
+		$miniumum_time = $config['form_token_mintime'];
+	}
+	if (isset($_POST['creation_time']) && isset($_POST['form_token']))
+	{
+		$creation_time	= abs(request_var('creation_time', 0));
+		$token = request_var('form_token', '');
+
+		$diff = (time() - $creation_time);
+
+		if (($diff > $miniumum_time) && (($diff < $timespan) || $timespan == -1))
+		{
+			$key = sha1($creation_time . $user->data['user_form_salt'] . $form_name);
+			if ($key === $token)
+			{
+				return true;
+			}
+		}
+	}
+	if ($trigger)
+	{
+		trigger_error($user->lang['FORM_INVALID'] . $return_page);
+	}
+	return false;
+}
+
 // Message/Login boxes
 
 /**

phpBB/includes/functions_posting.php

@@ -1930,6 +1930,9 @@ function submit_post($mode, $subject, $username, $topic_type, &$poll, &$data, $u
 		}
 
 		$sql_insert_ary = array();
+		$sql_delete_array = array();
+		
+		print_r($cur_poll_options);
 		for ($i = 0, $size = sizeof($poll['poll_options']); $i < $size; $i++)
 		{
 			if (strlen(trim($poll['poll_options'][$i])))
@@ -1952,6 +1955,10 @@ function submit_post($mode, $subject, $username, $topic_type, &$poll, &$data, $u
 					$db->sql_query($sql);
 				}
 			}
+			else if (!empty($cur_poll_options[$i]))
+			{
+				$sql_delete_array[] = $cur_poll_options[$i]['poll_option_id'];
+			}
 		}
 
 		$db->sql_multi_insert(POLL_OPTIONS_TABLE, $sql_insert_ary);

phpBB/includes/mcp/mcp_ban.php

@@ -50,7 +50,6 @@ class mcp_ban
 			$ban_reason			= utf8_normalize_nfc(request_var('banreason', '', true));
 			$ban_give_reason	= utf8_normalize_nfc(request_var('bangivereason', '', true));
 
-
 			if ($ban)
 			{
 				if (confirm_box(true))

phpBB/includes/mcp/mcp_notes.php

@@ -74,6 +74,8 @@ class mcp_notes
 		$sk	= request_var('sk', 'b');
 		$sd	= request_var('sd', 'd');
 
+		add_form_key('mcp_notes');
+
 		$sql_where = ($user_id) ? "user_id = $user_id" : "username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
 
 		$sql = 'SELECT *
@@ -120,6 +122,8 @@ class mcp_notes
 			}
 
 			if ($where_sql || $deleteall)
+			{
+				if (check_form_key('mcp_notes'))
 				{
 					$sql = 'DELETE FROM ' . LOG_TABLE . '
 						WHERE log_type = ' . LOG_USERS . " 
@@ -130,6 +134,11 @@ class mcp_notes
 					add_log('admin', 'LOG_CLEAR_USER', $userrow['username']);
 
 					$msg = ($deletemark) ? 'MARKED_NOTES_DELETED' : 'ALL_NOTES_DELETED';
+				}
+				else
+				{
+					$msg = 'FORM_INVALID';
+				}
 				$redirect = $this->u_action . '&u=' . $user_id;
 				meta_refresh(3, $redirect);
 				trigger_error($user->lang[$msg] . '<br /><br />' . sprintf($user->lang['RETURN_PAGE'], '<a href="' . $redirect . '">', '</a>'));
@@ -137,16 +146,23 @@ class mcp_notes
 		}
 
 		if ($usernote && $action == 'add_feedback')
+		{
+			if(check_form_key('mcp_notes'))
 			{
 				add_log('admin', 'LOG_USER_FEEDBACK', $userrow['username']);
 				add_log('mod', 0, 0, 'LOG_USER_FEEDBACK', $userrow['username']);
 
 				add_log('user', $user_id, 'LOG_USER_GENERAL', $usernote);
-
+				$msg = $user->lang['USER_FEEDBACK_ADDED'];
+			}
+			else
+			{
+				$msg = $user->lang['FORM_INVALID'];
+			}
 			$redirect = $this->u_action;
 			meta_refresh(3, $redirect);
 
-			trigger_error($user->lang['USER_FEEDBACK_ADDED'] . '<br /><br />' . sprintf($user->lang['RETURN_PAGE'], '<a href="' . $redirect . '">', '</a>'));
+			trigger_error($msg .  '<br /><br />' . sprintf($user->lang['RETURN_PAGE'], '<a href="' . $redirect . '">', '</a>'));
 		}
 
 		// Generate the appropriate user information for the user we are looking at

phpBB/includes/mcp/mcp_post.php

@@ -24,6 +24,8 @@ function mcp_post_details($id, $mode, $action)
 	// Get post data
 	$post_info = get_post_data(array($post_id), false, true);
 
+	add_form_key('mcp_post_details');
+
 	if (!sizeof($post_info))
 	{
 		trigger_error('POST_NOT_EXIST');
@@ -81,9 +83,16 @@ function mcp_post_details($id, $mode, $action)
 			}
 
 			if ($auth->acl_get('m_chgposter', $post_info['forum_id']))
+			{
+				if (check_form_key('mcp_post_details'))
 				{
 					change_poster($post_info, $row);
 				}
+				else
+				{
+					trigger_error('FORM_INVALID');
+				}
+			}
 
 		break;
 	}

phpBB/includes/mcp/mcp_warn.php

@@ -37,6 +37,8 @@ class mcp_warn
 
 		$this->page_title = 'MCP_WARN';
 
+		add_form_key('mcp_warn');
+
 		switch ($mode)
 		{
 			case 'front':
@@ -240,9 +242,16 @@ class mcp_warn
 		}
 
 		if ($warning && $action == 'add_warning')
+		{
+			if (check_form_key('mcp_warn'))
 			{
 				add_warning($user_row, $warning, $notify, $post_id);
-
+				$msg = $user->lang['USER_WARNING_ADDED'];
+			}
+			else
+			{
+				$msg = $user->lang['FORM_INVALID'];
+			}
 			$redirect = append_sid("{$phpbb_root_path}mcp.$phpEx", "i=notes&mode=user_notes&u=$user_id");
 			meta_refresh(2, $redirect);
 			trigger_error($user->lang['USER_WARNING_ADDED'] . '<br /><br />' . sprintf($user->lang['RETURN_PAGE'], '<a href="' . $redirect . '">', '</a>'));
@@ -335,12 +344,19 @@ class mcp_warn
 		}
 
 		if ($warning && $action == 'add_warning')
+		{
+			if(check_form_key('mcp_warn'))
 			{
 				add_warning($user_row, $warning, $notify);
-
+				$msg = $user->lang['USER_WARNING_ADDED'];
+			}
+			else
+			{
+				$msg = $user->lang['FORM_INVALID'];
+			}
 			$redirect = append_sid("{$phpbb_root_path}mcp.$phpEx", "i=notes&amp;mode=user_notes&amp;u=$user_id");
 			meta_refresh(2, $redirect);
-			trigger_error($user->lang['USER_WARNING_ADDED'] . '<br /><br />' . sprintf($user->lang['RETURN_PAGE'], '<a href="' . $redirect . '">', '</a>'));
+			trigger_error($msg . '<br /><br />' . sprintf($user->lang['RETURN_PAGE'], '<a href="' . $redirect . '">', '</a>'));
 		}
 
 		// Generate the appropriate user information for the user we are looking at

phpBB/includes/session.php

@@ -641,6 +641,24 @@ class session
 			$this->set_cookie('sid', $this->session_id, $cookie_expire);
 
 			unset($cookie_expire);
+			
+			$sql = 'SELECT COUNT(session_id) AS sessions
+					FROM ' . SESSIONS_TABLE . '
+					WHERE session_user_id = ' . (int) $this->data['user_id'] . ' 
+					AND session_time >= ' . ($this->time_now - $config['form_token_lifetime']);
+			$result = $db->sql_query($sql);
+			$row = $db->sql_fetchrow($result);
+			$db->sql_freeresult($result);
+
+			if ((int) $row['sessions'] <= 1 || empty($this->data['user_form_salt']))
+			{
+				$this->data['user_form_salt'] = unique_id();
+				// Update the form key
+				$sql = 'UPDATE ' . USERS_TABLE . '
+					SET user_form_salt = \'' . $db->sql_escape($this->data['user_form_salt']) . '\'
+					WHERE user_id = ' . (int) $this->data['user_id'];
+				$db->sql_query($sql);
+			}
 		}
 		else
 		{

phpBB/includes/ucp/ucp_groups.php

@@ -393,6 +393,7 @@ class ucp_groups
 				$this->page_title = 'UCP_USERGROUPS_MANAGE';
 				$action		= (isset($_POST['addusers'])) ? 'addusers' : request_var('action', '');
 				$group_id	= request_var('g', 0);
+				add_form_key('ucp_groups');
 
 				if ($group_id)
 				{
@@ -552,6 +553,11 @@ class ucp_groups
 								}
 							}
 
+							if (!check_form_key('ucp_groups'))
+							{
+								$error[] = $user->lang['FORM_INVALID'];
+							}
+
 							if (!sizeof($error))
 							{
 								// Only set the rank, colour, etc. if it's changed or if we're adding a new

phpBB/includes/ucp/ucp_main.php

@@ -194,12 +194,17 @@ class ucp_main
 
 				$user->add_lang('viewforum');
 
+				add_form_key('ucp_front_subscribed');
+
 				$unwatch = (isset($_POST['unwatch'])) ? true : false;
 
 				if ($unwatch)
+				{
+					if(check_form_key('ucp_front_subscribed'))
 					{
 						$forums = array_keys(request_var('f', array(0 => 0)));
 						$topics = array_keys(request_var('t', array(0 => 0)));
+						$msg = '';
 
 						if (sizeof($forums) || sizeof($topics))
 						{
@@ -223,13 +228,18 @@ class ucp_main
 
 								$l_unwatch .= '_TOPICS';
 							}
+							$msg = $user->lang['UNWATCHED' . $l_unwatch];
 
-						$message = $user->lang['UNWATCHED' . $l_unwatch] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . append_sid("{$phpbb_root_path}ucp.$phpEx", "i=$id&amp;mode=subscribed") . '">', '</a>');
-
+						}
+					}
+					else
+					{
+						$msg = $user->lang['FORM_INVALID'];
+					}
+					$message = $msg . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . append_sid("{$phpbb_root_path}ucp.$phpEx", "i=$id&amp;mode=subscribed") . '">', '</a>');
 					meta_refresh(3, append_sid("{$phpbb_root_path}ucp.$phpEx", "i=$id&amp;mode=subscribed"));
 					trigger_error($message);
 				}
-				}
 
 				$forbidden_forums = array();
 
@@ -418,8 +428,11 @@ class ucp_main
 
 				$s_hidden_fields = ($edit) ? '<input type="hidden" name="edit" value="' . $draft_id . '" />' : '';
 				$draft_subject = $draft_message = '';
+				add_form_key('ucp_draft');
 
 				if ($delete)
+				{
+					if (check_form_key('ucp_draft'))
 					{
 						$drafts = array_keys(request_var('d', array(0 => 0)));
 
@@ -429,21 +442,25 @@ class ucp_main
 								WHERE ' . $db->sql_in_set('draft_id', $drafts) . '
 									AND user_id = ' . $user->data['user_id'];
 							$db->sql_query($sql);
-
-						$message = $user->lang['DRAFTS_DELETED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>');
-
+						}
+						$msg = $user->lang['DRAFTS_DELETED'];
+						unset($drafts);
+					}
+					else
+					{
+						$msg = $user->lang['FORM_INVALID'];
+					}
+					$message = $msg . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>');
 					meta_refresh(3, $this->u_action);
 					trigger_error($message);
 				}
 
-					unset($drafts);
-				}
-
 				if ($submit && $edit)
 				{
 					$draft_subject = utf8_normalize_nfc(request_var('subject', '', true));
 					$draft_message = utf8_normalize_nfc(request_var('message', '', true));
-					
+					if (check_form_key('ucp_draft'))
+					{
 						if ($draft_message && $draft_subject)
 						{
 							$draft_row = array(
@@ -467,6 +484,11 @@ class ucp_main
 							$template->assign_var('ERROR', ($draft_message == '') ? $user->lang['EMPTY_DRAFT'] : (($draft_subject == '') ? $user->lang['EMPTY_DRAFT_TITLE'] : ''));
 						}
 					}
+					else
+					{
+						$template->assign_var('ERROR', $user->lang['FORM_INVALID']);
+					}
+				}
 
 				if (!$pm_drafts)
 				{

phpBB/includes/ucp/ucp_pm_compose.php

@@ -25,6 +25,7 @@ function compose_pm($id, $mode, $action)
 	{
 		$action = 'post';
 	}
+	add_form_key('ucp_pm_compose');
 
 	// Grab only parameters needed here
 	$to_user_id		= request_var('u', 0);
@@ -532,6 +533,10 @@ function compose_pm($id, $mode, $action)
 
 	if ($submit || $preview || $refresh)
 	{
+		if (!check_form_key('ucp_pm_compose'))
+		{
+			$error[] = $user->lang['FORM_INVALID'];
+		}
 		$subject = utf8_normalize_nfc(request_var('subject', '', true));
 		$message_parser->message = utf8_normalize_nfc(request_var('message', '', true));
 

phpBB/includes/ucp/ucp_pm_options.php

@@ -17,9 +17,11 @@ function message_options($id, $mode, $global_privmsgs_rules, $global_rule_condit
 
 	$redirect_url = append_sid("{$phpbb_root_path}ucp.$phpEx", "i=pm&mode=options");
 
+	add_form_key('ucp_pm_options');
 	// Change "full folder" setting - what to do if folder is full
 	if (isset($_POST['fullfolder']))
 	{
+		check_form_key('ucp_pm_options', $config['form_token_lifetime'], $redirect_url);
 		$full_action = request_var('full_action', 0);
 
 		$set_folder_id = 0;
@@ -59,8 +61,11 @@ function message_options($id, $mode, $global_privmsgs_rules, $global_rule_condit
 	
 	// Add Folder
 	if (isset($_POST['addfolder']))
+	{
+		if (check_form_key('ucp_pm_options'))
 		{
 			$folder_name = utf8_normalize_nfc(request_var('foldername', '', true));
+			$msg = '';
 
 			if ($folder_name)
 			{
@@ -94,15 +99,22 @@ function message_options($id, $mode, $global_privmsgs_rules, $global_rule_condit
 					'folder_name'	=> $folder_name)
 				);
 				$db->sql_query($sql);
-
-			$message = $user->lang['FOLDER_ADDED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $redirect_url . '">', '</a>');
+				$msg = $user->lang['FOLDER_ADDED'];
+			}
+		}
+		else
+		{
+			$msg = $user->lang['FORM_INVALID'];
+		}
+		$message = $msg . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $redirect_url . '">', '</a>');
 		meta_refresh(3, $redirect_url);
 		trigger_error($message);
 	}
-	}
 
 	// Rename folder
 	if (isset($_POST['rename_folder']))
+	{
+		if (check_form_key('ucp_pm_options'))
 		{
 			$new_folder_name = utf8_normalize_nfc(request_var('new_folder_name', '', true));
 			$rename_folder_id= request_var('rename_folder_id', 0);
@@ -131,8 +143,13 @@ function message_options($id, $mode, $global_privmsgs_rules, $global_rule_condit
 				WHERE folder_id = $rename_folder_id
 					AND user_id = {$user->data['user_id']}";
 			$db->sql_query($sql);
-
-		$message = $user->lang['FOLDER_RENAMED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $redirect_url . '">', '</a>');
+			$msg = $user->lang['FOLDER_RENAMED'];
+		}
+		else
+		{
+			$msg = $user->lang['FORM_INVALID'];
+		}
+		$message = $msg . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $redirect_url . '">', '</a>');
 		meta_refresh(3, $redirect_url);
 		trigger_error($message);
 	}
@@ -250,6 +267,8 @@ function message_options($id, $mode, $global_privmsgs_rules, $global_rule_condit
 
 	// Add Rule
 	if (isset($_POST['add_rule']))
+	{
+		if(check_form_key('ucp_pm_options'))
 		{
 			$check_option	= request_var('check_option', 0);
 			$rule_option	= request_var('rule_option', 0);
@@ -304,7 +323,13 @@ function message_options($id, $mode, $global_privmsgs_rules, $global_rule_condit
 				WHERE user_id = ' . $user->data['user_id'];
 			$db->sql_query($sql);
 
-		$message = $user->lang['RULE_ADDED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $redirect_url . '">', '</a>');
+			$msg = $user->lang['RULE_ADDED'];
+		}
+		else
+		{
+			$msg = $user->lang['FORM_INVALID'];
+		}
+		$message = $msg . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $redirect_url . '">', '</a>');
 		meta_refresh(3, $redirect_url);
 		trigger_error($message);
 	}

phpBB/includes/ucp/ucp_prefs.php

@@ -28,7 +28,7 @@ class ucp_prefs
 		switch ($mode)
 		{
 			case 'personal':
-
+				add_form_key('ucp_prefs_personal');
 				$data = array(
 					'notifymethod'	=> request_var('notifymethod', $user->data['user_notify_type']),
 					'dateformat'	=> request_var('dateformat', $user->data['user_dateformat'], true),
@@ -55,6 +55,11 @@ class ucp_prefs
 						'tz'			=> array('num', false, -14, 14),
 					));
 
+					if (!check_form_key('ucp_prefs_personal'))
+					{
+						$error[] = 'FORM_INVALID';
+					}
+
 					if (!sizeof($error))
 					{
 						$user->optionset('popuppm', $data['popuppm']);
@@ -140,6 +145,8 @@ class ucp_prefs
 
 			case 'view':
 
+				add_form_key('ucp_prefs_view');
+
 				$data = array(
 					'topic_sk'		=> request_var('topic_sk', (!empty($user->data['user_topic_sortby_type'])) ? $user->data['user_topic_sortby_type'] : 't'),
 					'topic_sd'		=> request_var('topic_sd', (!empty($user->data['user_topic_sortby_dir'])) ? $user->data['user_topic_sortby_dir'] : 'd'),
@@ -166,6 +173,11 @@ class ucp_prefs
 						'post_sd'	=> array('string', false, 1, 1),
 					));
 
+					if (!check_form_key('ucp_prefs_view'))
+					{
+						$error[] = 'FORM_INVALID';
+					}
+
 					if (!sizeof($error))
 					{
 						$user->optionset('viewimg', $data['images']);
@@ -276,8 +288,11 @@ class ucp_prefs
 					'sig'		=> request_var('sig', $user->optionget('attachsig')),
 					'notify'	=> request_var('notify', $user->data['user_notify']),
 				);
+				add_form_key('ucp_prefs_post');
 
 				if ($submit)
+				{
+					if (check_form_key('ucp_prefs_post'))
 					{
 						$user->optionset('bbcode', $data['bbcode']);
 						$user->optionset('smilies', $data['smilies']);
@@ -293,8 +308,14 @@ class ucp_prefs
 							WHERE user_id = ' . $user->data['user_id'];
 						$db->sql_query($sql);
 
+						$msg = $user->lang['PREFERENCES_UPDATED'];
+					}
+					else
+					{
+						$msg = $user->lang['FORM_INVALID'];
+					}
 					meta_refresh(3, $this->u_action);
-					$message = $user->lang['PREFERENCES_UPDATED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>');
+					$message = $msg . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>');
 					trigger_error($message);
 				}
 

phpBB/includes/ucp/ucp_profile.php

@@ -44,6 +44,8 @@ class ucp_profile
 					'password_confirm'	=> request_var('password_confirm', '', true),
 				);
 
+				add_form_key('ucp_reg_details');
+
 				if ($submit)
 				{
 					// Do not check cur_password, it is the old one.
@@ -89,6 +91,11 @@ class ucp_profile
 						$error[] = 'NEW_EMAIL_ERROR';
 					}
 
+					if (!check_form_key('ucp_reg_details'))
+					{
+						$error[] = 'FORM_INVALID';
+					}
+
 					if (!sizeof($error))
 					{
 						$sql_ary = array(
@@ -282,6 +289,8 @@ class ucp_profile
 					$data['bday_year'] = request_var('bday_year', $data['bday_year']);
 				}
 
+				add_form_key('ucp_profile_info');
+
 				if ($submit)
 				{
 					$validate_array = array(
@@ -321,6 +330,11 @@ class ucp_profile
 						$error = array_merge($error, $cp_error);
 					}
 
+					if (!check_form_key('ucp_profile_info'))
+					{
+						$error[] = 'FORM_INVALID';
+					}
+
 					if (!sizeof($error))
 					{
 						$sql_ary = array(
@@ -446,6 +460,8 @@ class ucp_profile
 
 				$signature		= utf8_normalize_nfc(request_var('signature', (string) $user->data['user_sig'], true));
 
+				add_form_key('ucp_sig');
+
 				if ($submit || $preview)
 				{
 					include($phpbb_root_path . 'includes/message_parser.' . $phpEx);
@@ -462,6 +478,11 @@ class ucp_profile
 							$error[] = implode('<br />', $message_parser->warn_msg);
 						}
 
+						if (!check_form_key('ucp_sig'))
+						{
+							$error[] = 'FORM_INVALID';
+						}
+
 						if (!sizeof($error) && $submit)
 						{
 							$sql_ary = array(
@@ -533,7 +554,11 @@ class ucp_profile
 
 				$can_upload = ($config['allow_avatar_upload'] && file_exists($phpbb_root_path . $config['avatar_path']) && @is_writable($phpbb_root_path . $config['avatar_path']) && $auth->acl_get('u_chgavatar') && (@ini_get('file_uploads') || strtolower(@ini_get('file_uploads')) == 'on')) ? true : false;
 
+				add_form_key('ucp_avatar');
+
 				if ($submit)
+				{
+					if (check_form_key('ucp_avatar'))
 					{
 						if (avatar_process_user($error))
 						{
@@ -541,7 +566,11 @@ class ucp_profile
 							$message = $user->lang['PROFILE_UPDATED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>');
 							trigger_error($message);
 						}
-
+					}
+					else
+					{
+						$error[] = 'FORM_INVALID';
+					}
 					// Replace "error" strings with their real, localised form
 					$error = preg_replace('#^([A-Z_]+)$#e', "(!empty(\$user->lang['\\1'])) ? \$user->lang['\\1'] : '\\1'", $error);
 				}

phpBB/includes/ucp/ucp_register.php

@@ -36,6 +36,16 @@ class ucp_register
 		$change_lang	= request_var('change_lang', '');
 		$user_lang		= request_var('lang', $user->lang_name);
 
+		add_form_key('ucp_register');
+
+		// not so fast, buddy
+		if (($submit && !check_form_key('ucp_register', false, '', false, 5))
+			|| (!$submit && !check_form_key('ucp_register', false, '', false, 1)))
+		{
+			$agreed = false;
+		}
+
+
 		if ($change_lang || $user_lang != $config['default_lang'])
 		{
 			$use_lang = ($change_lang) ? basename($change_lang) : basename($user_lang);
@@ -122,6 +132,7 @@ class ucp_register
 			return;
 		}
 
+
 		// Try to manually determine the timezone and adjust the dst if the server date/time complies with the default setting +/- 1
 		$timezone = date('Z') / 3600;
 		$is_dst = date('I');

phpBB/includes/ucp/ucp_resend.php

@@ -26,8 +26,15 @@ class ucp_resend
 		$email		= strtolower(request_var('email', ''));
 		$submit		= (isset($_POST['submit'])) ? true : false;
 
+		add_form_key('ucp_resend');
+
 		if ($submit)
 		{
+			if (!check_form_key('ucp_resend'))
+			{
+				trigger_error('FORM_INVALID');
+			}
+
 			$sql = 'SELECT user_id, group_id, username, user_email, user_type, user_lang, user_actkey, user_inactive_reason
 				FROM ' . USERS_TABLE . "
 				WHERE user_email = '" . $db->sql_escape($email) . "'

phpBB/install/database_update.php

@@ -424,6 +424,15 @@ $database_update_info = array(
 			),
 		),
 	),
+	// Changes from 3.0.RC5 to the next version
+	'3.0.RC5'			=> array(
+		// Add the following columns
+		'add_columns'		=> array(
+			USER_TABLE	=> array(
+				'user_form_salt'	=> array('VCHAR_UNI:32', ''),
+			),
+		),
+	),
 );
 
 // Determine mapping database type
@@ -1510,6 +1519,9 @@ if (version_compare($current_version, '3.0.RC5', '<='))
 		WHERE bot_agent = '" . $db->sql_escape('Mediapartners-Google/') . "'";
 	_sql($sql, $errored, $error_ary);
 
+	set_config('form_token_lifetime', '7200');
+	set_config('form_token_mintime', '0');
+
 	$no_updates = false;
 }
 

phpBB/install/schemas/firebird_schema.sql

@@ -1354,7 +1354,8 @@ CREATE TABLE phpbb_users (
 	user_occ BLOB SUB_TYPE TEXT CHARACTER SET UTF8 DEFAULT '' NOT NULL,
 	user_interests BLOB SUB_TYPE TEXT CHARACTER SET UTF8 DEFAULT '' NOT NULL,
 	user_actkey VARCHAR(32) CHARACTER SET NONE DEFAULT '' NOT NULL,
-	user_newpasswd VARCHAR(32) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE
+	user_newpasswd VARCHAR(32) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE,
+	user_form_salt VARCHAR(32) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE
 );;
 
 ALTER TABLE phpbb_users ADD PRIMARY KEY (user_id);;

phpBB/install/schemas/mssql_schema.sql

@@ -1621,7 +1621,8 @@ CREATE TABLE [phpbb_users] (
 	[user_occ] [varchar] (4000) DEFAULT ('') NOT NULL ,
 	[user_interests] [varchar] (4000) DEFAULT ('') NOT NULL ,
 	[user_actkey] [varchar] (32) DEFAULT ('') NOT NULL ,
-	[user_newpasswd] [varchar] (32) DEFAULT ('') NOT NULL 
+	[user_newpasswd] [varchar] (32) DEFAULT ('') NOT NULL ,
+	[user_form_salt] [varchar] (32) DEFAULT ('') NOT NULL 
 ) ON [PRIMARY] TEXTIMAGE_ON [PRIMARY]
 GO
 

phpBB/install/schemas/mysql_40_schema.sql

@@ -955,6 +955,7 @@ CREATE TABLE phpbb_users (
 	user_interests blob NOT NULL,
 	user_actkey varbinary(32) DEFAULT '' NOT NULL,
 	user_newpasswd varbinary(96) DEFAULT '' NOT NULL,
+	user_form_salt varbinary(96) DEFAULT '' NOT NULL,
 	PRIMARY KEY (user_id),
 	KEY user_birthday (user_birthday),
 	KEY user_email_hash (user_email_hash),

phpBB/install/schemas/mysql_41_schema.sql

@@ -955,6 +955,7 @@ CREATE TABLE phpbb_users (
 	user_interests text NOT NULL,
 	user_actkey varchar(32) DEFAULT '' NOT NULL,
 	user_newpasswd varchar(32) DEFAULT '' NOT NULL,
+	user_form_salt varchar(32) DEFAULT '' NOT NULL,
 	PRIMARY KEY (user_id),
 	KEY user_birthday (user_birthday),
 	KEY user_email_hash (user_email_hash),

phpBB/install/schemas/oracle_schema.sql

@@ -1772,6 +1772,7 @@ CREATE TABLE phpbb_users (
 	user_interests clob DEFAULT '' ,
 	user_actkey varchar2(32) DEFAULT '' ,
 	user_newpasswd varchar2(96) DEFAULT '' ,
+	user_form_salt varchar2(96) DEFAULT '' ,
 	CONSTRAINT pk_phpbb_users PRIMARY KEY (user_id),
 	CONSTRAINT u_phpbb_username_clean UNIQUE (username_clean)
 )

phpBB/install/schemas/postgres_schema.sql

@@ -1218,6 +1218,7 @@ CREATE TABLE phpbb_users (
 	user_interests varchar(4000) DEFAULT '' NOT NULL,
 	user_actkey varchar(32) DEFAULT '' NOT NULL,
 	user_newpasswd varchar(32) DEFAULT '' NOT NULL,
+	user_form_salt varchar(32) DEFAULT '' NOT NULL,
 	PRIMARY KEY (user_id)
 );
 

phpBB/install/schemas/schema_data.sql

@@ -88,6 +88,8 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('enable_pm_icons',
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('enable_post_confirm', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('flood_interval', '15');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('force_server_vars', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('form_token_lifetime', '7200');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('form_token_mintime', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('forward_pm', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('forwarded_for_check', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('full_folder_action', '2');

phpBB/install/schemas/sqlite_schema.sql

@@ -924,7 +924,8 @@ CREATE TABLE phpbb_users (
 	user_occ text(65535) NOT NULL DEFAULT '',
 	user_interests text(65535) NOT NULL DEFAULT '',
 	user_actkey varchar(32) NOT NULL DEFAULT '',
-	user_newpasswd varchar(32) NOT NULL DEFAULT ''
+	user_newpasswd varchar(32) NOT NULL DEFAULT '',
+	user_form_salt varchar(32) NOT NULL DEFAULT ''
 );
 
 CREATE INDEX phpbb_users_user_birthday ON phpbb_users (user_birthday);

phpBB/language/en/acp/board.php

@@ -364,6 +364,8 @@ $lang = array_merge($lang, array(
 	'EMAIL_CHECK_MX_EXPLAIN'		=> 'If enabled, the e-mail domain provided on registration and profile changes is checked for a valid MX record.',
 	'FORCE_PASS_CHANGE'				=> 'Force password change',
 	'FORCE_PASS_CHANGE_EXPLAIN'		=> 'Require user to change their password after a set number of days. Setting this value to 0 disables this behaviour.',
+	'FORM_TIME_MAX'					=> 'Maximum time to submit forms',
+	'FORM_TIME_MAX_EXPLAIN'			=> 'The time a user has to submit a form. Use -1 to disable. Note that a form might become invalid if the session expires, regardless of this setting.',
 	'FORWARDED_FOR_VALID'			=> 'Validated <var>X_FORWARDED_FOR</var> header',
 	'FORWARDED_FOR_VALID_EXPLAIN'	=> 'Sessions will only be continued if the sent <var>X_FORWARDED_FOR</var> header equals the one sent with the previous request. Bans will be checked against IPs in <var>X_FORWARDED_FOR</var> too.',
 	'IP_VALID'						=> 'Session IP validation',

phpBB/language/en/common.php

@@ -178,6 +178,7 @@ $lang = array_merge($lang, array(
 	'FIND_USERNAME'			=> 'Find a member',
 	'FOLDER'				=> 'Folder',
 	'FORGOT_PASS'			=> 'I forgot my password',
+	'FORM_INVALID'			=> 'The submitted form was invalid. Try submitting again.',
 	'FORUM'					=> 'Forum',
 	'FORUMS'				=> 'Forums',
 	'FORUMS_MARKED'			=> 'All forums have been marked read.',

phpBB/memberlist.php

@@ -268,6 +268,7 @@ switch ($mode)
 	break;
 
 	case 'contact':
+
 		$page_title = $user->lang['IM_USER'];
 		$template_html = 'memberlist_im.html';
 
@@ -327,8 +328,13 @@ switch ($mode)
 		switch ($action)
 		{
 			case 'jabber':
+				add_form_key('memberlist_messaging');
+
 				if ($submit && @extension_loaded('xml') && $config['jab_enable'])
 				{
+					if (check_form_key('memberlist_messaging'))
+					{
+
 						include_once($phpbb_root_path . 'includes/functions_messenger.' . $phpEx);
 
 						$subject = sprintf($user->lang['IM_JABBER_SUBJECT'], $user->data['username'], $config['server_name']);
@@ -358,6 +364,11 @@ switch ($mode)
 
 						$s_select = 'S_SENT_JABBER';
 					}
+					else
+					{
+						trigger_error('FORM_INVALID');
+					}
+				}
 			break;
 		}
 
@@ -607,6 +618,8 @@ switch ($mode)
 		$page_title = $user->lang['SEND_EMAIL'];
 		$template_html = 'memberlist_email.html';
 
+		add_form_key('memberlist_email');
+
 		if (!$config['email_enable'])
 		{
 			trigger_error('EMAIL_DISABLED');
@@ -713,6 +726,10 @@ switch ($mode)
 
 		if ($submit)
 		{
+			if (!check_form_key('memberlist_email'))
+			{
+				$error[] = 'FORM_INVALID';
+			}
 			if ($user_id)
 			{
 				if (!$subject)
@@ -900,6 +917,7 @@ switch ($mode)
 		// then only admins can make use of this (for ACP functionality)
 		$sql_select = $sql_where_data = $sql_from = $sql_where = $order_by = '';
 
+
 		$form			= request_var('form', '');
 		$field			= request_var('field', '');
 		$select_single 	= request_var('select_single', false);
@@ -907,7 +925,6 @@ switch ($mode)
 		// We validate form and field here, only id/class allowed
 		$form = (!preg_match('/^[a-z0-9_-]+$/i', $form)) ? '' : $form;
 		$field = (!preg_match('/^[a-z0-9_-]+$/i', $field)) ? '' : $field;
-
 		if ($mode == 'searchuser' && ($config['load_search'] || $auth->acl_get('a_')))
 		{
 			$username	= request_var('username', '', true);

phpBB/posting.php

@@ -45,6 +45,7 @@ $mode		= ($delete && !$preview && !$refresh && $submit) ? 'delete' : request_var
 $error = $post_data = array();
 $current_time = time();
 
+
 // Was cancel pressed? If so then redirect to the appropriate page
 if ($cancel || ($current_time - $lastclick < 2 && $submit))
 {
@@ -611,7 +612,7 @@ if ($submit || $preview || $refresh)
 	if ($poll_delete && $mode == 'edit' && sizeof($post_data['poll_options']) && 
 		((!$post_data['poll_last_vote'] && $post_data['poster_id'] == $user->data['user_id'] && $auth->acl_get('f_delete', $forum_id)) || $auth->acl_get('m_delete', $forum_id)))
 	{
-		if ($submit)
+		if ($submit && 	check_form_key('posting'))
 		{
 			$sql = 'DELETE FROM ' . POLL_OPTIONS_TABLE . "
 				WHERE topic_id = $topic_id";
@@ -762,6 +763,12 @@ if ($submit || $preview || $refresh)
 		}
 	}
 
+	// check form
+	if (!check_form_key('posting', false, '', false, 2))
+	{
+		$error[] = $user->lang['FORM_INVALID'];
+	}
+
 	// Parse subject
 	if (!$preview && !$refresh && !utf8_clean_string($post_data['post_subject']) && ($mode == 'post' || ($mode == 'edit' && $post_data['topic_first_post_id'] == $post_id)))
 	{
@@ -1262,6 +1269,8 @@ if ($solved_captcha !== false)
 }
 
 $form_enctype = (@ini_get('file_uploads') == '0' || strtolower(@ini_get('file_uploads')) == 'off' || @ini_get('file_uploads') == '0' || !$config['allow_attachments'] || !$auth->acl_get('u_attach') || !$auth->acl_get('f_attach', $forum_id)) ? '' : ' enctype="multipart/form-data"';
+add_form_key('posting');
+
 
 // Start assigning vars for main posting page ...
 $template->assign_vars(array(

phpBB/styles/prosilver/template/confirm_body.html

@@ -1,6 +1,7 @@
 <!-- INCLUDE overall_header.html -->
 
 <form id="confirm" action="{S_CONFIRM_ACTION}" method="post">
+{S_FORM_TOKEN}
 <div class="panel">
 	<div class="inner"><span class="corners-top"><span></span></span>
 

phpBB/styles/prosilver/template/index_body.html

@@ -16,6 +16,7 @@
 
 <!-- IF not S_USER_LOGGED_IN and not S_IS_BOT -->
 	<form method="post" action="{S_LOGIN_ACTION}" class="headerspace">
+	{S_FORM_TOKEN}
 	<h3><a href="{U_LOGIN_LOGOUT}">{L_LOGIN_LOGOUT}</a>&nbsp; &bull; &nbsp;<a href="{U_REGISTER}">{L_REGISTER}</a></h3>
 		<fieldset class="quick-login">
 			<label for="username">{L_USERNAME}:</label>&nbsp;<input type="text" name="username" id="username" size="10" class="inputbox" title="{L_USERNAME}" />  

phpBB/styles/prosilver/template/login_body.html

@@ -1,6 +1,7 @@
 <!-- INCLUDE overall_header.html -->
 
 <form action="{S_LOGIN_ACTION}" method="post" id="login">
+{S_FORM_TOKEN}
 <div class="panel">
 	<div class="inner"><span class="corners-top"><span></span></span>
 

phpBB/styles/prosilver/template/login_forum.html

@@ -3,7 +3,7 @@
 <h2 class="solo">{L_LOGIN} {FORUM_NAME}</h2>
 
 <form id="login_forum" method="post" action="{S_LOGIN_ACTION}">
-
+{S_FORM_TOKEN}
 <div class="panel">
 	<div class="inner"><span class="corners-top"><span></span></span>
 

phpBB/styles/prosilver/template/mcp_approve.html

@@ -1,7 +1,7 @@
 <!-- INCLUDE overall_header.html -->
 
 <form id="confirm" action="{S_CONFIRM_ACTION}" method="post">
-
+{S_FORM_TOKEN}
 <div class="panel">
 	<div class="inner"><span class="corners-top"><span></span></span>
 

phpBB/styles/prosilver/template/mcp_ban.html

@@ -122,7 +122,7 @@
 	</div>
 
 	<!-- ENDIF -->
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE mcp_footer.html -->

phpBB/styles/prosilver/template/mcp_forum.html

@@ -101,7 +101,7 @@
 	<input class="button2" type="submit" value="{L_SUBMIT}" />
 	<div><a href="#" onclick="marklist('mcp', 'topic_id_list', true); return false;">{L_MARK_ALL}</a> :: <a href="#" onclick="marklist('mcp', 'topic_id_list', false); return false;">{L_UNMARK_ALL}</a></div>
 </fieldset>
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE mcp_footer.html -->

phpBB/styles/prosilver/template/mcp_front.html

@@ -55,7 +55,7 @@
 		<div><a href="#" onclick="marklist('mcp_queue', 'post_id_list', true); return false;">{L_MARK_ALL}</a> :: <a href="#" onclick="marklist('mcp_queue', 'post_id_list', false); return false;">{L_UNMARK_ALL}</a></div>
 	</fieldset>
 	<!-- ENDIF -->
-
+	{S_FORM_TOKEN}
 	</form>
 <!-- ENDIF -->
 

phpBB/styles/prosilver/template/mcp_logs.html

@@ -79,6 +79,7 @@
 			<span class="corners-bottom"><span></span></span></div>
 		</div>
 	<!-- ENDIF -->
+	{S_FORM_TOKEN}
 </form>
 
 <br />

phpBB/styles/prosilver/template/mcp_move.html

@@ -30,7 +30,7 @@
 
 	<span class="corners-bottom"><span></span></span></div>
 </div>
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE overall_footer.html -->

phpBB/styles/prosilver/template/mcp_notes_front.html

@@ -22,7 +22,7 @@
 	<input type="reset" value="{L_RESET}" name="reset" class="button2" />&nbsp; 
 	<input type="submit" name="submituser" value="{L_SUBMIT}" class="button1" />
 </fieldset>
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE mcp_footer.html -->

phpBB/styles/prosilver/template/mcp_notes_user.html

@@ -116,7 +116,7 @@
 	<div><a href="#" onclick="marklist('mcp', 'marknote', true); return false;">{L_MARK_ALL}</a> &bull; <a href="#" onclick="marklist('mcp', 'marknote', false); return false;">{L_UNMARK_ALL}</a></div>		
 </fieldset>
 <!-- ENDIF -->
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE mcp_footer.html -->

phpBB/styles/prosilver/template/mcp_post.html

@@ -33,7 +33,7 @@
 		<input class="button2" type="submit" value="{L_DELETE_REPORT}" name="action[delete]" />
 		<input type="hidden" name="report_id_list[]" value="{REPORT_ID}" />
 	</fieldset>
-
+	{S_FORM_TOKEN}
 	</form>
 
 <!-- ELSE -->
@@ -61,7 +61,7 @@
 				<input class="button2" type="submit" value="{L_DISAPPROVE}" name="action[disapprove]" />
 				<input type="hidden" name="post_id_list[]" value="{POST_ID}" />
 			</p>
-
+		{S_FORM_TOKEN}
 			</form>
 		<!-- ENDIF -->
 
@@ -122,7 +122,7 @@
 				</dd>
 			</dl>
 			</fieldset>
-
+			{S_FORM_TOKEN}
 			</form>
 		<!-- ENDIF -->
 	
@@ -139,7 +139,7 @@
 				</dd>
 			</dl>
 			</fieldset>
-
+			{S_FORM_TOKEN}
 			</form>
 		<!-- ENDIF -->
 
@@ -197,7 +197,7 @@
 				<input class="button1" type="submit" name="action[add_feedback]" value="{L_SUBMIT}" />&nbsp; 
 				<input class="button2" type="reset" value="{L_RESET}" />
 			</fieldset>
-
+			{S_FORM_TOKEN}
 			</form>
 
 			<span class="corners-bottom"><span></span></span></div>

phpBB/styles/prosilver/template/mcp_queue.html

@@ -90,7 +90,7 @@
 		<div><a href="#" onclick="marklist('mcp', 'post_id_list', true); return false;">{L_MARK_ALL}</a> :: <a href="#" onclick="marklist('mcp', 'post_id_list', false); return false;">{L_UNMARK_ALL}</a></div>
 	</fieldset>
 <!-- ENDIF -->
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE mcp_footer.html -->

phpBB/styles/prosilver/template/mcp_reports.html

@@ -79,7 +79,7 @@
 		<div><a href="#" onclick="marklist('mcp', 'report_id_list', true); return false;">{L_MARK_ALL}</a> :: <a href="#" onclick="marklist('mcp', 'report_id_list', false); return false;">{L_UNMARK_ALL}</a></div>
 	</fieldset>
 <!-- ENDIF -->
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE mcp_footer.html -->

phpBB/styles/prosilver/template/mcp_topic.html

@@ -164,6 +164,7 @@ onload_functions.push('subPanels()');
 </fieldset>
 
 {S_HIDDEN_FIELDS}
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE mcp_footer.html -->

phpBB/styles/prosilver/template/mcp_viewlogs.html

@@ -38,7 +38,7 @@
 	</tr>
 <!-- END log -->
 </table>
-
+{S_FORM_TOKEN}
 </form>
 
 <table width="100%" cellspacing="2" cellpadding="2" border="0" align="center">

phpBB/styles/prosilver/template/mcp_warn_front.html

@@ -24,7 +24,7 @@
 	<input type="reset" value="{L_RESET}" name="reset" class="button2" />&nbsp; 
 	<input type="submit" name="submituser" value="{L_SUBMIT}" class="button1" />
 </fieldset>
-
+{S_FORM_TOKEN}
 </form>
 
 <div class="panel">

phpBB/styles/prosilver/template/mcp_warn_list.html

@@ -60,7 +60,7 @@
 </div>
 
 
-
+{S_FORM_TOKEN}
 </form>
 
 <!-- INCLUDE mcp_footer.html -->