View Issue Details

ID: 0020146
Project: mantisbt
Category: plug-ins
View Status: public
Last Update: 2015-09-30 02:55
Reporter: cproensa
Assigned To:
Priority: low
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 1.3.0-beta.3
Summary: 0020146: print_button with security token does not work for plugin pages
Description

When using the function print_button (print_api.php)
<pre>
function print_button( $p_action_page, $p_label, array $p_args_to_post = null, $p_security_token = null )
</pre>

Internally, it uses the form action page to print the token field:
<pre>
$t_form_name = explode( '.php', $p_action_page, 2 );
form_security_field( $t_form_name[0], $p_security_token );
</pre>

When using plugin_page() to get a URL, the base page is plugin.php, and the plugin page is specified with a GET parameter.
This messes with how print_button creates the token field.

Steps To Reproduce

Code used:
<pre>
$t_token = form_security_token( 'my_plugin_page' );
print_button( plugin_page( 'my_plugin_page' ), 'LABEL', null, $t_token);
</pre>

Output:
<pre>
<form method="post" action="/path/plugin.php?page=my_plugin/my_plugin_page" class="action-button">
<fieldset>
<input type="hidden" name="/path/plugin_token" value="20150928PggAh62QRQBfpImN5xnxZDX1KvT3uhRz"/>
<input type="submit" class="button-small" value="LABEL" />
</fieldset>
</form>
</pre>

Additional Information

For this to work properly, print_button needs to know the form name used to create the token. It could be passed as an additional (optional) parameter.

Tags: No tags attached.

Activities

dregad   2015-09-29 03:29   developer   ~0051548

> print_button needs to know the form name used to create the token. Could be passed as an additional (optional) parameter

A possible alternative could be to define a new API function plugin_print_button()

cproensa   2015-09-29 09:34   developer   ~0051552

> A possible alternative could be to define a new API function plugin_print_button()

That makes sense.
But beware: what would happen if my plugin page has the same name as a standard page (e.g. manage_user_create)?
I guess it's no big issue, but I'm just thinking...

However, the original issue still exists. Separating token creation from printing the token in the page means carrying both the "token" string and the "form_id" string against which it is created (and validated).
If print_button is acting as a proxy to print the HTML, it should have both pieces of information, as required by form_security_field.
"Guessing" the form name from the submit URL is still wrong (although it can be worked around).

dregad   2015-09-30 02:55   developer   ~0051558

To be honest I have not thought this all the way through... You're probably right and this is a typical example of our aging API where the validation was added much later.
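The mismatch described in the report, and the explicit form-name parameter proposed in the report and the comments above, as an added example that is not MantisBT code. The demo_* functions are hypothetical stand-ins that reproduce only the behaviour quoted in the report: the explode('.php', ...) derivation from print_api.php, the '<form name>_token' field naming of form_security_field(), and the field lookup side of form_security_validate() (the real validator also checks the token value against the session, which is omitted here). The '/path/' prefix and the plugin basename 'my_plugin' are assumed to match the output quoted in the report.

```php
<?php
// Added example, not MantisBT code. Models how print_button() derives the
// security form name from its action URL, why that breaks for plugin pages,
// and a hypothetical fix that takes the form name explicitly.

// Stand-in for plugin_page(): the action is always plugin.php, and the real
// page travels in the "page" GET parameter. '/path/' and 'my_plugin' are assumed.
function demo_plugin_page( $p_page, $p_basename = 'my_plugin' ) {
	return '/path/plugin.php?page=' . $p_basename . '/' . $p_page;
}

// Same derivation as print_button() in print_api.php:
// everything before the first '.php' becomes the form name.
function demo_derived_form_name( $p_action_page ) {
	$t_form_name = explode( '.php', $p_action_page, 2 );
	return $t_form_name[0];
}

// Mirrors form_security_field(): the hidden input is named '<form name>_token'.
function demo_token_field_name( $p_form_name ) {
	return $p_form_name . '_token';
}

// Simplified form_security_validate(): the receiving page passes the form name
// it created the token for, and the field must exist under that name in POST.
// (The real function also compares the value against the session token.)
function demo_validate( $p_form_name, array $p_post ) {
	return isset( $p_post[demo_token_field_name( $p_form_name )] );
}

// Hypothetical fix: an optional explicit form name, falling back to the old
// derivation when omitted so existing callers keep working.
function demo_print_button_form_name( $p_action_page, $p_form_name = null ) {
	if( $p_form_name !== null ) {
		return $p_form_name;
	}
	return demo_derived_form_name( $p_action_page );
}

// Standard page: the action file name is also the form name, so the field
// printed by print_button() is the one the page validates.
$t_action = 'manage_user_create.php';
$t_field = demo_token_field_name( demo_derived_form_name( $t_action ) );
echo "standard page field name: $t_field\n";
echo "validates as 'manage_user_create': ";
var_dump( demo_validate( 'manage_user_create', array( $t_field => 'tok' ) ) );

// Plugin page: the derivation stops at plugin.php, so the field is named after
// the base script (as in the output quoted in the report), not after the page
// the token was created for, and validation on the plugin page fails.
$t_action = demo_plugin_page( 'my_plugin_page' );
$t_field = demo_token_field_name( demo_derived_form_name( $t_action ) );
echo "plugin page field name (derived): $t_field\n";
echo "validates as 'my_plugin_page': ";
var_dump( demo_validate( 'my_plugin_page', array( $t_field => 'tok' ) ) );

// With the form name passed explicitly, the printed field matches the name the
// token was created against, and the plugin page's validation succeeds.
$t_field = demo_token_field_name( demo_print_button_form_name( $t_action, 'my_plugin_page' ) );
echo "plugin page field name (explicit): $t_field\n";
echo "validates as 'my_plugin_page': ";
var_dump( demo_validate( 'my_plugin_page', array( $t_field => 'tok' ) ) );
```

Run it with `php example.php`. The point the example isolates is the one cproensa makes above: the token and the form name it was created against are a pair, so whatever prints the field needs the same form name that the receiving page will hand to form_security_validate(); deriving it from the URL only works while the action file name happens to equal that form name.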