Microsoft Security Advisory 3137909

samples/IdentitySample.Mvc/Controllers/ManageController.cs

@@ -176,7 +176,8 @@ namespace IdentitySamples.Controllers
 
         //
         // GET: /Manage/RemovePhoneNumber
-        [HttpGet]
+        [HttpPost]
+        [ValidateAntiForgeryToken]
         public async Task<IActionResult> RemovePhoneNumber()
         {
             var user = await GetCurrentUserAsync();

samples/IdentitySample.Mvc/Views/Manage/Index.cshtml

@@ -5,30 +5,26 @@
 
 <h2>@ViewData["Title"].</h2>
 <p class="text-success">@ViewData["StatusMessage"]</p>
+
 <div>
     <h4>Change your account settings</h4>
     <hr />
     <dl class="dl-horizontal">
         <dt>Password:</dt>
         <dd>
-            [
             @if (Model.HasPassword)
             {
-                <a asp-controller="Manage" asp-action="ChangePassword">Change</a>
+                <text>[&nbsp;&nbsp;<a asp-controller="Manage" asp-action="ChangePassword">Change</a>&nbsp;&nbsp;]</text>
             }
             else
             {
-                <a asp-controller="Manage" asp-action="SetPassword">Create</a>
+                <text>[&nbsp;&nbsp;<a asp-controller="Manage" asp-action="SetPassword">Create</a>&nbsp;&nbsp;]</text>
             }
-            ]
         </dd>
         <dt>External Logins:</dt>
         <dd>
-
-            @Model.Logins.Count [ <a asp-controller="Manage" asp-action="ManageLogins">Manage</a> ]
+            @Model.Logins.Count [&nbsp;&nbsp;<a asp-controller="Manage" asp-action="ManageLogins">Manage</a>&nbsp;&nbsp;]
         </dd>
-
-
         <dt>Phone Number:</dt>
         <dd>
             <p>
@@ -36,18 +32,19 @@
                 See <a href="http://go.microsoft.com/fwlink/?LinkID=532713">this article</a>
                 for details on setting up this ASP.NET application to support two-factor authentication using SMS.
             </p>
-            @*@(Model.PhoneNumber ?? "None") [
+            @*@(Model.PhoneNumber ?? "None")
                 @if (Model.PhoneNumber != null)
                 {
-                    <a asp-controller="Manage" asp-action="AddPhoneNumber">Change</a>
-                        @: &nbsp;|&nbsp;
-                        <a asp-controller="Manage" asp-action="RemovePhoneNumber">Remove</a>
+                    <br />
+                    <text>[&nbsp;&nbsp;<a asp-controller="Manage" asp-action="AddPhoneNumber">Change</a>&nbsp;&nbsp;]</text>
+                    <form asp-controller="Manage" asp-action="RemovePhoneNumber" method="post" role="form">
+                        [<button type="submit" class="btn-link">Remove</button>]
+                    </form>
                 }
                 else
                 {
-                    <a asp-controller="Manage" asp-action="AddPhoneNumber">Add</a>
-                }
-                ]*@
+                    <text>[&nbsp;&nbsp;<a asp-controller="Manage" asp-action="AddPhoneNumber">Add</a>&nbsp;&nbsp;]</text>
+                }*@
         </dd>
 
         <dt>Two-Factor Authentication:</dt>
@@ -59,21 +56,15 @@
             @*@if (Model.TwoFactor)
                 {
                     <form asp-controller="Manage" asp-action="DisableTwoFactorAuthentication" method="post" class="form-horizontal" role="form">
-                        <text>
-                            Enabled
-                            <button type="submit" class="btn btn-link">Disable</button>
-                        </text>
+                        Enabled [<button type="submit" class="btn-link">Disable</button>]
                     </form>
                 }
                 else
                 {
                     <form asp-controller="Manage" asp-action="EnableTwoFactorAuthentication" method="post" class="form-horizontal" role="form">
-                        <text>
-                            Disabled
-                            <button type="submit" class="btn btn-link">Enable</button>
-                        </text>
+                        [<button type="submit" class="btn-link">Enable</button>] Disabled
                     </form>
                 }*@
         </dd>
     </dl>
-</div>
+</div>

samples/Interop45/Controllers/ManageController.cs

@@ -196,6 +196,8 @@ namespace Interop45.Controllers
 
         //
         // GET: /Manage/RemovePhoneNumber
+        [HttpPost]
+        [ValidateAntiForgeryToken]
         public async Task<ActionResult> RemovePhoneNumber()
         {
             var result = await UserManager.SetPhoneNumberAsync(User.Identity.GetUserId(), null);

samples/Interop45/Views/Manage/Index.cshtml

@@ -39,18 +39,17 @@
         @*  
             <dt>Phone Number:</dt>
             <dd>
-                @(Model.PhoneNumber ?? "None") [
-                @if (Model.PhoneNumber != null)
-                {
-                    @Html.ActionLink("Change", "AddPhoneNumber")
-                    @: &nbsp;|&nbsp;
-                    @Html.ActionLink("Remove", "RemovePhoneNumber")
-                }
-                else
-                {
-                    @Html.ActionLink("Add", "AddPhoneNumber")
-                }
-                ]
+                 @(If(Model.PhoneNumber, "None"))
+                 @If (Model.PhoneNumber <> Nothing) Then
+                     @<br />
+                     @<text>[&nbsp;&nbsp;@Html.ActionLink("Change", "AddPhoneNumber")&nbsp;&nbsp;]</text>
+                     @Using Html.BeginForm("RemovePhoneNumber", "Manage", FormMethod.Post, New With {.class = "form-horizontal", .role = "form"})
+                         @Html.AntiForgeryToken
+                          @<text>[<input type="submit" value="Remove" class="btn-link" />]</text>
+                      End Using
+                  Else
+                      @<text>[&nbsp;&nbsp;@Html.ActionLink("Add", "AddPhoneNumber") &nbsp;&nbsp;]</text>
+                 End If
             </dd>
         *@
         <dt>Two-Factor Authentication:</dt>