aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2011-01-24 18:28:07 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2011-01-24 18:28:07 +0100
commitb43bddbb34db261e48f011cfb408707798b66212 (patch)
tree70141c492fbb1806a53c42fcc0a527078b4bb74d
parentBug 621108: [SECURITY] Creating/editing charts lacks CSRF protection (diff)
downloadbugzilla-b43bddbb34db261e48f011cfb408707798b66212.tar.gz
bugzilla-b43bddbb34db261e48f011cfb408707798b66212.tar.bz2
bugzilla-b43bddbb34db261e48f011cfb408707798b66212.zip
Bug 621110: [SECURITY] Quips (adding/approving/deleting) lacks CSRF protection
r=dkl a=LpSolit
-rwxr-xr-xquips.cgi7
-rw-r--r--template/en/default/list/quips.html.tmpl7
2 files changed, 12 insertions, 2 deletions
diff --git a/quips.cgi b/quips.cgi
index 33b4e23ce..97993d488 100755
--- a/quips.cgi
+++ b/quips.cgi
@@ -32,6 +32,7 @@ use Bugzilla::Constants;
use Bugzilla::Util;
use Bugzilla::Error;
use Bugzilla::User;
+use Bugzilla::Token;
my $user = Bugzilla->login(LOGIN_REQUIRED);
@@ -41,6 +42,7 @@ my $template = Bugzilla->template;
my $vars = {};
my $action = $cgi->param('action') || "";
+my $token = $cgi->param('token');
if ($action eq "show") {
# Read in the entire quip list
@@ -74,6 +76,7 @@ if ($action eq "add") {
(Bugzilla->params->{'quip_list_entry_control'} eq "closed") &&
ThrowUserError("no_new_quips");
+ check_hash_token($token, ['create-quips']);
# Add the quip
my $approved = (Bugzilla->params->{'quip_list_entry_control'} eq "open")
|| Bugzilla->user->in_group('admin') || 0;
@@ -92,7 +95,8 @@ if ($action eq 'approve') {
|| ThrowUserError("auth_failure", {group => "admin",
action => "approve",
object => "quips"});
-
+
+ check_hash_token($token, ['approve-quips']);
# Read in the entire quip list
my $quipsref = $dbh->selectall_arrayref("SELECT quipid, approved FROM quips");
@@ -134,6 +138,7 @@ if ($action eq "delete") {
my $quipid = $cgi->param("quipid");
ThrowCodeError("need_quipid") unless $quipid =~ /(\d+)/;
$quipid = $1;
+ check_hash_token($token, ['quips', $quipid]);
($vars->{'deleted_quip'}) = $dbh->selectrow_array(
"SELECT quip FROM quips WHERE quipid = ?",
diff --git a/template/en/default/list/quips.html.tmpl b/template/en/default/list/quips.html.tmpl
index 1404b2e35..b330596c7 100644
--- a/template/en/default/list/quips.html.tmpl
+++ b/template/en/default/list/quips.html.tmpl
@@ -73,6 +73,8 @@
<form method="post" action="quips.cgi">
<input type="hidden" name="action" value="add">
+ <input type="hidden" name="token"
+ value="[% issue_hash_token(['create-quips']) FILTER html %]">
<input size="80" name="quip">
<p>
<input type="submit" id="add" value="Add This Quip">
@@ -103,6 +105,8 @@
</p>
<form name="editform" method="post" action="quips.cgi">
<input type="hidden" name="action" value="approve">
+ <input type="hidden" name="token"
+ value="[% issue_hash_token(['approve-quips']) FILTER html %]">
<table border="1">
<thead><tr>
<th>Quip</th>
@@ -119,7 +123,8 @@
[% "Unknown" IF NOT users.$userid %]
</td>
<td>
- <a href="quips.cgi?action=delete&amp;quipid=[% quipid FILTER url_quote %]">
+ <a href="quips.cgi?action=delete&amp;quipid=[% quipid FILTER url_quote %]&amp;token=
+ [%- issue_hash_token(['quips', quipid]) FILTER url_quote %]">
Delete
</a>
</td>