From 036c36a7ddf2ac25906b9fc62c77a63a1ce6be0f Mon Sep 17 00:00:00 2001
From: Hamish Friedlander
Date: Fri, 19 Jul 2013 14:33:56 +1200
Subject: [PATCH 1/2] FIX: Have ParameterConfirmationToken work regardless of include path
---
 core/startup/ParameterConfirmationToken.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/startup/ParameterConfirmationToken.php b/core/startup/ParameterConfirmationToken.php
index cc47bc2bb..acebc921c 100644
--- a/core/startup/ParameterConfirmationToken.php
+++ b/core/startup/ParameterConfirmationToken.php
@@ -23,7 +23,7 @@ class ParameterConfirmationToken {
 $basepath = rtrim(dirname(dirname(dirname(dirname(__FILE__)))), DIRECTORY_SEPARATOR);
 }
- require_once('core/TempPath.php');
+ require_once(dirname(dirname(__FILE__)).'/TempPath.php');
 $tempfolder = getTempFolder($basepath ? $basepath : DIRECTORY_SEPARATOR);
 return $tempfolder.'/token_'.preg_replace('/[^a-z0-9]+/', '', $token);
@@ -31,7 +31,7 @@ class ParameterConfirmationToken {
 protected function genToken() {
 // Generate a new random token (as random as possible)
- require_once('security/RandomGenerator.php');
+ require_once(dirname(dirname(dirname(__FILE__))).'/security/RandomGenerator.php');
 $rg = new RandomGenerator();
 $token = $rg->randomToken('md5');

From a312cd08e12daa55015f75d8642a621b2b460723 Mon Sep 17 00:00:00 2001
From: Hamish Friedlander
Date: Fri, 19 Jul 2013 14:47:05 +1200
Subject: [PATCH 2/2] FIX: Ignore invalid tokens instead of throwing 403
---
 core/startup/ParameterConfirmationToken.php | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/core/startup/ParameterConfirmationToken.php b/core/startup/ParameterConfirmationToken.php
index acebc921c..e0ccf9d87 100644
--- a/core/startup/ParameterConfirmationToken.php
+++ b/core/startup/ParameterConfirmationToken.php
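Review bot: Both new require_once lines (this hunk and the `@@ -31,7` hunk below) rebuild the directory with nested `dirname(__FILE__)` calls; `__DIR__` gives the same absolute path with one nesting level less, `require_once(dirname(__DIR__).'/TempPath.php');` here and `require_once(dirname(dirname(__DIR__)).'/security/RandomGenerator.php');` in the second hunk, provided the project's minimum PHP is 5.3 or later. The absolute paths do remove the dependence on include_path that the commit title describes. The context `return` line deserves a comment that the `[^a-z0-9]` stripping is what keeps a caller-supplied `$token` from contributing anything but lowercase alphanumerics to the file name, e.g. `// token is reduced to [a-z0-9], so it cannot carry path separators into the file name`. The function this hunk sits in starts outside the hunk, and genToken in the second hunk continues past it.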
@@ -61,11 +61,8 @@ class ParameterConfirmationToken {
 // Store the token
 $this->token = isset($_GET[$parameterName.'token']) ? $_GET[$parameterName.'token'] : null;
- // If a token was provided, but isn't valid, just throw a 403
- if ($this->token && (!$this->checkToken($this->token))) {
- header("HTTP/1.0 403 Forbidden", true, 403);
- die;
- }
+ // If a token was provided, but isn't valid, ignore it
+ if ($this->token && (!$this->checkToken($this->token))) $this->token = null;
 }
 public function parameterProvided() {
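Review bot: The replacement `if` on the last added line drops the braces the removed block had; `if ($this->token && !$this->checkToken($this->token)) { $this->token = null; }` keeps the surrounding style and avoids a dangling-statement mistake on a later edit. Since a rejected token now ends up as `null`, the same value the `isset` fallback on the context line produces, the comment should say so explicitly, e.g. `// If a token was provided but isn't valid, discard it so it is handled exactly like a missing token`. `$_GET[$parameterName.'token']` can also arrive as an array when the query string uses `token[]=`, and checkToken's handling of a non-string is not visible here; a cheap guard is `if (!is_string($this->token) || ($this->token && !$this->checkToken($this->token))) $this->token = null;`. The method this hunk sits in (presumably the constructor, given `$parameterName`) starts outside the hunk.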