diff --git a/pts-core/phoromatic/pages/phoromatic_benchmark.php b/pts-core/phoromatic/pages/phoromatic_benchmark.php
index 809f081c46..5c64cf711c 100644
--- a/pts-core/phoromatic/pages/phoromatic_benchmark.php
+++ b/pts-core/phoromatic/pages/phoromatic_benchmark.php
@@ -79,7 +79,7 @@ public static function render_page_process($PATH)
 if(!empty($row))
 {
- if(isset($_GET['remove']))
+ if(isset($_GET['remove']) && verify_submission_token())
 {
 $stmt = phoromatic_server::$db->prepare('DELETE FROM phoromatic_benchmark_tickets WHERE AccountID = :account_id AND TicketID = :ticket_id');
 $stmt->bindValue(':account_id', $_SESSION['AccountID']);
@@ -87,7 +87,7 @@ public static function render_page_process($PATH)
 $result = $stmt->execute();
 header('Location: /?benchmark');
 }
- else if(isset($_GET['repeat']))
+ else if(isset($_GET['repeat']) && verify_submission_token())
 {
 $stmt = phoromatic_server::$db->prepare('UPDATE phoromatic_benchmark_tickets SET TicketIssueTime = :new_ticket_time, State = 1 WHERE AccountID = :account_id AND TicketID = :ticket_id');
 $stmt->bindValue(':account_id', $_SESSION['AccountID']);
@@ -95,7 +95,7 @@ public static function render_page_process($PATH)
 $stmt->bindValue(':new_ticket_time', time());
 $result = $stmt->execute();
 }
- else if(isset($_GET['disable']))
+ else if(isset($_GET['disable']) && verify_submission_token())
 {
 $stmt = phoromatic_server::$db->prepare('UPDATE phoromatic_benchmark_tickets SET State = 0 WHERE AccountID = :account_id AND TicketID = :ticket_id');
 $stmt->bindValue(':account_id', $_SESSION['AccountID']);
@@ -107,7 +107,7 @@ public static function render_page_process($PATH)
 $main .= '
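Review bot: A failed verify_submission_token() on the `remove` branch here (and on `repeat`/`disable` in the two hunks that follow, and the three `$_POST` branches in phoromatic_schedules.php) is silent: the `&&` simply evaluates false and the request falls through to rendering the ticket page, so a rejected token is indistinguishable from an ordinary page view and leaves nothing for an operator to notice. Consider an explicit rejection branch at the end of the chain, e.g. `else if(isset($_GET['remove']) || isset($_GET['repeat']) || isset($_GET['disable'])) { /* token rejected: record the refusal and skip the action */ }`, tied to whatever logging the server already uses. These three actions still mutate state via GET, so the token now travels in the URL and into referrer headers and access logs; a POST form would keep it in the request body. What verify_submission_token() compares against is not in this diff, so I cannot confirm it is bound to the current session. Separately, the `header('Location: /?benchmark');` context line in the next hunk is not followed by `exit;`, so rendering continues after the redirect header is sent — pre-existing, but worth fixing while in this block.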
This benchmark ticket was created on ' . date('j F Y \a\t H:i', strtotime($row['LastModifiedOn'])) . ' by ' . $row['LastModifiedBy'] . '. The ticket was last issued for testing at ' . date('j F Y \a\t H:i', $row['TicketIssueTime']) . '.'; - $main .= '
Repeat Ticket Remove Ticket' . (!isset($_GET['disable']) && $row['State'] > 0 ? ' End Ticket' : null) . '
'; + $main .= 'Repeat Ticket Remove Ticket' . (!isset($_GET['disable']) && $row['State'] > 0 ? ' End Ticket' : null) . '
';
 if(!empty($row['RunTargetSystems']))
 {
diff --git a/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php b/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php
index 9edb5fa9c5..5cbc43ade5 100644
--- a/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php
+++ b/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php
@@ -37,6 +37,7 @@ public static function preload($PAGE)
 }
 public static function render_page_process($PATH)
 {
+ phoromatic_quit_if_invalid_input_found(array('tp'));
 $test_profile = new pts_test_profile($_GET['tp']);
 $name = $test_profile->get_title();
 $description = $test_profile->get_description();
diff --git a/pts-core/phoromatic/pages/phoromatic_r_basic_suite_details.php b/pts-core/phoromatic/pages/phoromatic_r_basic_suite_details.php
index 6a8323ca97..5ae916aca9 100644
--- a/pts-core/phoromatic/pages/phoromatic_r_basic_suite_details.php
+++ b/pts-core/phoromatic/pages/phoromatic_r_basic_suite_details.php
@@ -36,6 +36,7 @@ public static function preload($PAGE)
 }
 public static function render_page_process($PATH)
 {
+ phoromatic_quit_if_invalid_input_found(array('ts'));
 $ts = $_GET['ts'];
 $ts_file = phoromatic_server::find_suite_file($_SESSION['AccountID'], $ts);
 $test_suite = new pts_test_suite($ts_file);
diff --git a/pts-core/phoromatic/pages/phoromatic_schedules.php b/pts-core/phoromatic/pages/phoromatic_schedules.php
index 9424a65577..333221d4b3 100644
--- a/pts-core/phoromatic/pages/phoromatic_schedules.php
+++ b/pts-core/phoromatic/pages/phoromatic_schedules.php
@@ -57,7 +57,7 @@ public static function render_page_process($PATH)
 if(!PHOROMATIC_USER_IS_VIEWER)
 {
- if(isset($_POST['add_to_schedule_select_test']))
+ if(isset($_POST['add_to_schedule_select_test']) && verify_submission_token())
 {
 phoromatic_quit_if_invalid_input_found(array('add_to_schedule_select_test'));
 $name = $_POST['add_to_schedule_select_test']; 
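Review bot: phoromatic_quit_if_invalid_input_found(array('tp')) is now the only screen between `$_GET['tp']` and the pts_test_profile constructor (the phoromatic_r_basic_suite_details.php hunk has the same shape, with `ts` going on to find_suite_file()); the helper's body is outside this diff, so whether it also rejects an absent key — rather than only a present key with disallowed characters — cannot be confirmed here, and an absent `tp` would otherwise reach the constructor as null after an undefined-array-key warning. A one-line comment above the call would let the next reader check the intent, e.g. `// tp is used as a profile identifier below; the shared screen must reject absence as well as bad characters`. If the helper does not cover absence, an `isset($_GET['tp'])` guard before the call is the minimal addition. render_page_process() continues past the end of the hunk.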
@@ -89,7 +89,7 @@ public static function render_page_process($PATH)
 phoromatic_add_activity_stream_event('tests_for_schedule', $PATH[0], 'added');
 }
 }
- else if(isset($_POST['suite_add']))
+ else if(isset($_POST['suite_add']) && verify_submission_token())
 {
 $test_suite = phoromatic_server::find_suite_file($_SESSION['AccountID'], $_POST['suite_add']);
 if(is_file($test_suite))
@@ -154,7 +154,7 @@ public static function render_page_process($PATH)
 $row['State'] = $new_state;
 phoromatic_add_activity_stream_event('schedule', $PATH[0], $PATH[1]);
 }
- else if(isset($_POST['do_manual_test_run']))
+ else if(isset($_POST['do_manual_test_run']) && verify_submission_token())
 {
 $stmt = phoromatic_server::$db->prepare('INSERT INTO phoromatic_schedules_triggers (AccountID, ScheduleID, Trigger, TriggeredOn) VALUES (:account_id, :schedule_id, :trigger, :triggered_on)');
 $stmt->bindValue(':account_id', $_SESSION['AccountID']);
@@ -164,7 +164,7 @@ public static function render_page_process($PATH)
 $stmt->execute();
 $main .= 'This test schedule can be manually triggered to run at any time by calling ' . $trigger_url . ' where XXX is the trigger value to be used (if relevant, such as a time-stamp, Git/SVN commit number or hash, etc). There\'s also the option of sub-targeting system(s) part of this schedule. One option is appending &sub_target_this_ip if this URL is being called from one of the client test systems to only sub-target the triggered testing on that client, among other options.
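Review bot: The `suite_add` branch passes `$_POST['suite_add']` straight into find_suite_file() with no phoromatic_quit_if_invalid_input_found() call, while the sibling `add_to_schedule_select_test` branch in the previous hunk screens its input first and this same commit adds exactly that screen ahead of the same helper in phoromatic_r_basic_suite_details.php. find_suite_file() is not visible here, so I cannot say what it tolerates in the suite name, but the inconsistency is worth closing with `phoromatic_quit_if_invalid_input_found(array('suite_add'));` as the first statement inside the branch. The same question applies to `do_manual_test_run` in the next hunk if any of its POST fields feed the bound values below the visible lines. The enclosing render_page_process() starts and ends outside this hunk.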
'; $main .= 'If you wish to run this test schedule now, click the following button and the schedule will be run on all intended systems at their next earliest possible convenience.
'; $main .= ''; $main .= ''; } @@ -329,7 +329,7 @@ public static function render_page_process($PATH) { $main .= '