List admin actions cross site request forgery

The provided patch looks good to me.

confirm_form() could have been used as well, see Create forms in a safe way to avoid cross-site request forgeries (CSRF)

+++ b/includes/campaignmonitor_lists.admin.inc
@@ -339,6 +339,10 @@ function campaignmonitor_admin_settings_list_edit_validate($form, &$form_state)
+  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'delete')) {
+    return MENU_ACCESS_DENIED;
+  }

This will break the form handler (unsupported operands).

Attached patch fixes this with a slightly different approach.

I am happy to be made maintainer of this module, as well.

This will break the form handler (unsupported operands).

Good catch.

Attached patch fixes this with a slightly different approach.

I think returning MENU_ACCESS_DENIED on the page callbacks (not on drupal_get_form, where it may break) is preferred.

I've transferred the module already #2449933: Offering to maintain Campaign Monitor. @xtfer please don't publish any releases until Pere Orga signs off on the new patch.

Thanks @dddave.

@xtfer @andrechun feel free to go ahead committing patch #3 or equivalent, just let me know when you create the security release so I can make it public and update the advisory.

Cheers
Pere

Release published. Thanks!