Merge pull request #2935 from nickvergessen/ticket/13052

Ticket/13052 Remove additional parameter from check_form_key()

* nickvergessen/ticket/13052:
  [ticket/13052] Use request class instead of $_POST and request_var()
  [ticket/13052] Fix appearances with multiple parameters
  [ticket/13052] Remove additional parameter from check_form_key()

phpBB/includes/functions.php

@@ -2576,26 +2576,23 @@ function add_form_key($form_name)
 }
 
 /**
-* Check the form key. Required for all altering actions not secured by confirm_box
-* @param string  $form_name The name of the form; has to match the name used in add_form_key, otherwise no restrictions apply
-* @param int $timespan The maximum acceptable age for a submitted form in seconds. Defaults to the config setting.
-* @param string $return_page The address for the return link
-* @param bool $trigger If true, the function will triger an error when encountering an invalid form
-*/
-function check_form_key($form_name, $timespan = false, $return_page = '', $trigger = false)
+ * Check the form key. Required for all altering actions not secured by confirm_box
+ *
+ * @param    string $form_name	The name of the form; has to match the name used
+ *								in add_form_key, otherwise no restrictions apply
+ * @return	bool	True, if the form key was valid, false otherwise
+ */
+function check_form_key($form_name)
 {
-	global $config, $user;
+	global $config, $request, $user;
 
-	if ($timespan === false)
-	{
-		// we enforce a minimum value of half a minute here.
-		$timespan = ($config['form_token_lifetime'] == -1) ? -1 : max(30, $config['form_token_lifetime']);
-	}
+	// we enforce a minimum value of half a minute here.
+	$timespan = ($config['form_token_lifetime'] == -1) ? -1 : max(30, $config['form_token_lifetime']);
 
-	if (isset($_POST['creation_time']) && isset($_POST['form_token']))
+	if ($request->is_set_post('creation_time') && $request->is_set_post('form_token'))
 	{
-		$creation_time	= abs(request_var('creation_time', 0));
-		$token = request_var('form_token', '');
+		$creation_time	= abs($request->variable('creation_time', 0));
+		$token = $request->variable('form_token', '');
 
 		$diff = time() - $creation_time;
 
@@ -2612,11 +2609,6 @@ function check_form_key($form_name, $timespan = false, $return_page = '', $trigg
 		}
 	}
 
-	if ($trigger)
-	{
-		trigger_error($user->lang['FORM_INVALID'] . $return_page);
-	}
-
 	return false;
 }
 

phpBB/includes/ucp/ucp_pm_options.php

@@ -32,7 +32,11 @@ function message_options($id, $mode, $global_privmsgs_rules, $global_rule_condit
 	// Change "full folder" setting - what to do if folder is full
 	if (isset($_POST['fullfolder']))
 	{
-		check_form_key('ucp_pm_options', $config['form_token_lifetime'], $redirect_url);
+		if (!check_form_key('ucp_pm_options'))
+		{
+			trigger_error('FORM_INVALID');
+		}
+
 		$full_action = request_var('full_action', 0);
 
 		$set_folder_id = 0;