mirror of https://github.com/phpbb/phpbb.git synced 2025-08-16 21:54:00 +02:00

Merge pull request #6248 from marc1706/ticket/16207

[ticket/16207] Require cookies for sessions
Marc Alexander
2021-07-25 15:41:20 +02:00
committed by GitHub
24 changed files with 71 additions and 54 deletions


@@ -327,7 +327,7 @@ class acp_prune
'USERNAME' => $usernames[$user_id],
'USER_ID' => $user_id,
'U_PROFILE' => get_username_string('profile', $user_id, $usernames[$user_id]),
'U_USER_ADMIN' => ($auth->acl_get('a_user')) ? append_sid("{$phpbb_admin_path}index.$phpEx", 'i=users&mode=overview&u=' . $user_id, true, $user->session_id) : '',
'U_USER_ADMIN' => ($auth->acl_get('a_user')) ? append_sid("{$phpbb_admin_path}index.$phpEx", 'i=users&mode=overview&u=' . $user_id) : '',
));
}
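Review bot: Dropping the explicit `$user->session_id` argument means the `U_USER_ADMIN` link into the admin index no longer carries a per-session value, and nothing in this hunk shows what replaces it as a request-forgery check on the target page. The same edit is made to `U_MCP_QUEUE` in acp_users, `U_NOTES` and `U_WARN` in phpbb_show_profile, `U_MCP_DETAILS` in topic_review and `$s_action` in compose_pm. The commit adds `check_form_key()` to the resync actions in mcp_forum_view and mcp_topic_view, which suggests the session id in the URL was acting as an implicit token. The handlers behind these other links are not in view, so each one that changes state on a plain request should be confirmed to use `check_form_key()`, `check_link_hash()` or `confirm_box()`. The enclosing method starts and ends outside the hunk.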


@@ -1148,7 +1148,7 @@ class acp_users
'U_SHOW_IP' => $this->u_action . "&u=$user_id&ip=" . (($ip == 'ip') ? 'hostname' : 'ip'),
'U_WHOIS' => $this->u_action . "&action=whois&user_ip={$user_row['user_ip']}",
'U_MCP_QUEUE' => ($auth->acl_getf_global('m_approve')) ? append_sid("{$phpbb_root_path}mcp.$phpEx", 'i=queue', true, $user->session_id) : '',
'U_MCP_QUEUE' => ($auth->acl_getf_global('m_approve')) ? append_sid("{$phpbb_root_path}mcp.$phpEx", 'i=queue') : '',
'U_SEARCH_USER' => ($config['load_search'] && $auth->acl_get('u_search')) ? append_sid("{$phpbb_root_path}search.$phpEx", "author_id={$user_row['user_id']}&sr=posts") : '',
'U_SWITCH_PERMISSIONS' => ($auth->acl_get('a_switchperm') && $user->data['user_id'] != $user_row['user_id']) ? append_sid("{$phpbb_root_path}ucp.$phpEx", "mode=switch_perm&u={$user_row['user_id']}&hash=" . generate_link_hash('switchperm')) : '',


@@ -1460,7 +1460,7 @@ function tracking_unserialize($string, $max_depth = 3)
* @param string $url The url the session id needs to be appended to (can have params)
* @param mixed $params String or array of additional url parameters
* @param bool $is_amp Is url using & (true) or & (false)
* @param string $session_id Possibility to use a custom session id instead of the global one
* @param string $session_id Possibility to use a custom session id instead of the global one; deprecated as of 4.0.0-a1
* @param bool $is_route Is url generated by a route.
*
* @return string The corrected url.
@@ -1835,7 +1835,7 @@ function build_url($strip_vars = false)
$redirect = str_replace('&', '&', $redirect);
}
return $redirect . ((strpos($redirect, '?') === false) ? '?' : '');
return $redirect;
}
/**
@@ -3716,7 +3716,7 @@ function page_header($page_title = '', $display_online_list = false, $item_id =
// Generate logged in/logged out status
if ($user->data['user_id'] != ANONYMOUS)
{
$u_login_logout = append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=logout', true, $user->session_id);
$u_login_logout = append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=logout');
$l_login_logout = $user->lang['LOGOUT'];
}
else
@@ -3930,7 +3930,7 @@ function page_header($page_title = '', $display_online_list = false, $item_id =
'U_REGISTER' => append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=register'),
'U_PROFILE' => append_sid("{$phpbb_root_path}ucp.$phpEx"),
'U_USER_PROFILE' => get_username_string('profile', $user->data['user_id'], $user->data['username'], $user->data['user_colour']),
'U_MODCP' => append_sid("{$phpbb_root_path}mcp.$phpEx", false, true, $user->session_id),
'U_MODCP' => append_sid("{$phpbb_root_path}mcp.$phpEx"),
'U_FAQ' => $controller_helper->route('phpbb_help_faq_controller'),
'U_SEARCH_SELF' => append_sid("{$phpbb_root_path}search.$phpEx", 'search_id=egosearch'),
'U_SEARCH_NEW' => append_sid("{$phpbb_root_path}search.$phpEx", 'search_id=newposts'),
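Review bot: The logout URL in page_header is now built as `append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=logout')`, so it is identical for every user and session unless append_sid, whose body is not shown, still adds something. Logout is a state change reached through a plain link. If the handler in ucp.php is not updated in the same commit to verify a token, a cross-site request can end a user's session; if it still compares a `sid` parameter, the link stops working. A link hash fits here, for example `'mode=logout&hash=' . generate_link_hash('ucp_logout')` with a matching `check_link_hash()` in the handler (the hash name is illustrative). page_header starts and ends outside these hunks.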


@@ -1689,8 +1689,8 @@ function phpbb_show_profile($data, $user_notes_enabled = false, $warn_user_enabl
'S_WARNINGS' => ($auth->acl_getf_global('m_') || $auth->acl_get('m_warn')) ? true : false,
'U_SEARCH_USER' => ($auth->acl_get('u_search')) ? append_sid("{$phpbb_root_path}search.$phpEx", "author_id=$user_id&sr=posts") : '',
'U_NOTES' => ($user_notes_enabled && $auth->acl_getf_global('m_')) ? append_sid("{$phpbb_root_path}mcp.$phpEx", 'i=notes&mode=user_notes&u=' . $user_id, true, $user->session_id) : '',
'U_WARN' => ($warn_user_enabled && $auth->acl_get('m_warn')) ? append_sid("{$phpbb_root_path}mcp.$phpEx", 'i=warn&mode=warn_user&u=' . $user_id, true, $user->session_id) : '',
'U_NOTES' => ($user_notes_enabled && $auth->acl_getf_global('m_')) ? append_sid("{$phpbb_root_path}mcp.$phpEx", 'i=notes&mode=user_notes&u=' . $user_id) : '',
'U_WARN' => ($warn_user_enabled && $auth->acl_get('m_warn')) ? append_sid("{$phpbb_root_path}mcp.$phpEx", 'i=warn&mode=warn_user&u=' . $user_id) : '',
'U_PM' => ($config['allow_privmsg'] && $auth->acl_get('u_sendpm') && $can_receive_pm) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=pm&mode=compose&u=' . $user_id) : '',
'U_EMAIL' => $email,
'U_JABBER' => ($data['user_jabber'] && $auth->acl_get('u_sendim')) ? append_sid("{$phpbb_root_path}memberlist.$phpEx", 'mode=contact&action=jabber&u=' . $user_id) : '',


@@ -1247,7 +1247,7 @@ function topic_review($topic_id, $forum_id, $mode = 'topic_review', $cur_post_id
'POST_TIME' => $row['post_time'],
'USER_ID' => $row['user_id'],
'U_MINI_POST' => append_sid("{$phpbb_root_path}viewtopic.$phpEx", 'p=' . $row['post_id']) . '#p' . $row['post_id'],
'U_MCP_DETAILS' => ($auth->acl_get('m_info', $forum_id)) ? append_sid("{$phpbb_root_path}mcp.$phpEx", 'i=main&mode=post_details&f=' . $forum_id . '&p=' . $row['post_id'], true, $user->session_id) : '',
'U_MCP_DETAILS' => ($auth->acl_get('m_info', $forum_id)) ? append_sid("{$phpbb_root_path}mcp.$phpEx", 'i=main&mode=post_details&f=' . $forum_id . '&p=' . $row['post_id']) : '',
'POSTER_QUOTE' => ($show_quote_button && $auth->acl_get('f_reply', $forum_id)) ? addslashes(get_username_string('username', $poster_id, $row['username'], $row['user_colour'], $row['post_username'])) : '',
);


@@ -50,10 +50,17 @@ function mcp_forum_view($id, $mode, $action, $forum_info)
$url = append_sid("{$phpbb_root_path}mcp.$phpEx?$url_extra");
add_form_key('mcp_forum');
// Resync Topics
switch ($action)
{
case 'resync':
if (!check_form_key('mcp_forum'))
{
trigger_error('FORM_INVALID');
}
$topic_ids = $request->variable('topic_id_list', array(0));
mcp_resync_topics($topic_ids);
break;
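Review bot: The new `check_form_key('mcp_forum')` guard under `case 'resync':` has no comment explaining why a form token is now required, so a later reader may treat it as redundant and remove it. I would add above the check `// Session id is no longer passed in the URL; resync must be protected by a form token.` The same comment fits the `check_form_key('mcp_topic')` block added to mcp_topic_view. Only the resync case is inside this hunk; the remaining cases of the switch lie outside it and should be checked for state changes that presumably relied on the session id in the URL.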


@@ -55,9 +55,16 @@ function mcp_topic_view($id, $mode, $action)
$submitted_id_list = $request->variable('post_ids', array(0));
$checked_ids = $post_id_list = $request->variable('post_id_list', array(0));
add_form_key('mcp_topic');
// Resync Topic?
if ($action == 'resync')
{
if (!check_form_key('mcp_topic'))
{
trigger_error('FORM_INVALID');
}
if (!function_exists('mcp_resync_topics'))
{
include($phpbb_root_path . 'includes/mcp/mcp_forum.' . $phpEx);
@@ -90,7 +97,7 @@ function mcp_topic_view($id, $mode, $action)
$subject = $topic_info['topic_title'];
}
// Restore or pprove posts?
// Restore or approve posts?
if (($action == 'restore' || $action == 'approve') && $auth->acl_get('m_approve', $topic_info['forum_id']))
{
if (!class_exists('mcp_queue'))


@@ -542,7 +542,7 @@ function compose_pm($id, $mode, $action, $user_folders = array())
$message_parser->message = ($action == 'reply') ? '' : $message_text;
unset($message_text);
$s_action = append_sid("{$phpbb_root_path}ucp.$phpEx", "i=$id&mode=$mode&action=$action", true, $user->session_id);
$s_action = append_sid("{$phpbb_root_path}ucp.$phpEx", "i=$id&mode=$mode&action=$action");
$s_action .= (($folder_id) ? "&f=$folder_id" : '') . (($msg_id) ? "&p=$msg_id" : '');
// Delete triggered ?