add csrf protection

op/op.SetExpires.php

@@ -28,6 +28,11 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 
+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('setexpires')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }

views/bootstrap/class.SetExpires.php

@@ -66,6 +66,7 @@ $(document).ready( function() {
 
 <form class="form-horizontal" action="../op/op.SetExpires.php" method="post">
 <input type="hidden" name="documentid" value="<?php print $document->getID();?>">
+	<?php echo createHiddenFieldWithKey('setexpires'); ?>
 <?php
 		$options = array();
 		$options[] = array('never', getMLText('does_not_expire'));