author | David Lawrence <dkl@mozilla.com> | 2011-01-24 17:58:48 +0100 |
committer | Frédéric Buclin <LpSolit@gmail.com> | 2011-01-24 17:58:48 +0100 |
commit | 40ebd15bdc471b9ac51fce600ac4cb55ef47ca5a (patch) | |
tree | c691020f71a7568f202202aa8f9421631db12566 | |
parent | An optional module was accidentally listed in the "required" section of the (diff) | |
Bug 621090: [SECURITY] Adding saved searches lacks CSRF protection
r=mkanat a=justdave
-rwxr-xr-x | buglist.cgi | 2 | ||||
-rw-r--r-- | template/en/default/global/per-bug-queries.html.tmpl | 1 | ||||
-rw-r--r-- | template/en/default/list/list.html.tmpl | 1 |
3 files changed, 4 insertions, 0 deletions
diff --git a/buglist.cgi b/buglist.cgi
index 1b00148f0..788f28c95 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -504,6 +504,8 @@ elsif (($cmdtype eq "doit") && defined $cgi->param('remtype')) {
 my $query_name = $cgi->param('newqueryname');
 my $new_query = $cgi->param('newquery');
 my $query_type = QUERY_LIST;
+ my $token = $cgi->param('token');
+ check_hash_token($token, ['savedsearch']);
 # If list_of_bugs is true, we are adding/removing individual bugs
 # to a saved search. We get the existing list of bug IDs (if any)
 # and add/remove the passed ones.
diff --git a/template/en/default/global/per-bug-queries.html.tmpl b/template/en/default/global/per-bug-queries.html.tmpl
index 3c62e35f5..a7c073ba1 100644
--- a/template/en/default/global/per-bug-queries.html.tmpl
+++ b/template/en/default/global/per-bug-queries.html.tmpl
@@ -63,6 +63,7 @@
 <input type="hidden" name="cmdtype" value="doit">
 <input type="hidden" name="remtype" value="asnamed">
 <input type="hidden" name="list_of_bugs" value="1">
+ <input type="hidden" name="token" value="[% issue_hash_token(['savedsearch']) FILTER html %]">
 <select id="lob_action" name="action" onchange="update_text();">
 <option value="add">Add</option>
 [% IF lists_of_bugs.size %]
diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl
index aebfb1d49..8d87b5c70 100644
--- a/template/en/default/list/list.html.tmpl
+++ b/template/en/default/list/list.html.tmpl
@@ -253,6 +253,7 @@
 value="[% urlquerypart FILTER html %][% "&order=$qorder" FILTER html IF order %]">
 <input type="hidden" name="cmdtype" value="doit">
 <input type="hidden" name="remtype" value="asnamed">
+ <input type="hidden" name="token" value="[% issue_hash_token(['savedsearch']) FILTER html %]">
 <input type="text" id="save_newqueryname" name="newqueryname" size="20"
 value="[% defaultsavename FILTER html %]">
 </form>
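Review bot: The new `check_hash_token($token, ['savedsearch'])` is only as complete as its placement, and the enclosing `elsif (($cmdtype eq "doit") && defined $cgi->param('remtype'))` branch both starts and ends outside the hunk; if that branch dispatches on other `remtype` values before or after these lines, those saved-search writes would remain forgeable unless the check is hoisted to the top of the branch ahead of any dispatch, so please confirm. Binding the token to the constant `'savedsearch'` means a single token authorizes any saved-search mutation (create, add or remove bugs) for that user until it expires, which is acceptable for this fix but should be recorded next to the check, e.g. `# CSRF guard: token issued by the save-search forms; must run before any write`. Within the visible lines the check correctly precedes any database write, since the preceding statements only read request parameters; keeping `$token` in a scalar before the call also avoids the list-context surprise of passing `$cgi->param('token')` directly.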
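Review bot: The `<form>` that receives this hidden `token` opens before the hunk, so its method is not visible; if it submits with GET, the token becomes part of the resulting buglist.cgi URL, where it can leak to third parties via the Referer header of links on the resulting page and linger in bookmarks and browser history for as long as `issue_hash_token` tokens stay valid. Either confirm the form is already `method="post"` or change both save-search forms to `method="post"` so the token travels only in the request body. The token is correctly passed through `FILTER html`, and since `newqueryname` is typed by the user at submit time it cannot be folded into the token data, so the constant `['savedsearch']` scope is the practical choice here.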