diff options
author | Dylan Hardison <dylan@mozilla.com> | 2016-03-01 14:14:26 +0100 |
---|---|---|
committer | Dylan Hardison <dylan@mozilla.com> | 2016-03-01 14:22:04 +0100 |
commit | 085c24c80c6a79f21aba768bf16955685dcc47b7 (patch) | |
tree | 5c23f767a81b5fcd64adb89d4f74d5e320a053ef | |
parent | e5b9aa6ef469adb5db2ff4b7575342bd79fd450a (diff) | |
download | bugzilla-085c24c80c6a79f21aba768bf16955685dcc47b7.tar.gz bugzilla-085c24c80c6a79f21aba768bf16955685dcc47b7.tar.xz |
Bug 1252210 - AntiSpam configuration is vulnerable to CSRF and persistent XSS
-rw-r--r-- | extensions/EditTable/Extension.pm | 5 | ||||
-rw-r--r-- | extensions/EditTable/template/en/default/pages/edit_table.html.tmpl | 4 |
2 files changed, 8 insertions, 1 deletions
diff --git a/extensions/EditTable/Extension.pm b/extensions/EditTable/Extension.pm index a10a30e57..675b3fe90 100644 --- a/extensions/EditTable/Extension.pm +++ b/extensions/EditTable/Extension.pm @@ -23,6 +23,7 @@ use base qw(Bugzilla::Extension); use Bugzilla::Error; use Bugzilla::Hook; +use Bugzilla::Token; use Bugzilla::Util qw(trick_taint); use JSON; use Storable qw(dclone); @@ -86,6 +87,9 @@ sub page_before_template { my $data = $input->{table_data}; my $edits = []; if ($data) { + check_hash_token($input->{token}, [$table_name]); + delete_token($input->{token}); + $data = from_json($data)->{data}; $edits = dclone($data); eval { @@ -170,6 +174,7 @@ sub page_before_template { $vars->{table_name} = $table_name; $vars->{blurb} = $table->{blurb}; + $vars->{token} = issue_hash_token([$table_name]); $vars->{table_data} = to_json({ fields => \@fields, id_field => $id_field, diff --git a/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl b/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl index d81291640..98a8f4184 100644 --- a/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl +++ b/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl @@ -30,12 +30,14 @@ onsubmit="editTable.to_json('table_data')"> <input type="hidden" name="id" value="edit_table.html"> <input type="hidden" name="table" value="[% table_name FILTER html %]"> +<input type="hidden" name="token" value="[% token FILTER html %]"> <input type="hidden" name="table_data" id="table_data"> <input type="submit" value="Commit Changes" id="commit_btn" class="bz_default_hidden"> </form> <script> - var table_data = [% table_data FILTER none %]; + var table_data_str = "[% table_data FILTER js %]"; + var table_data = $.parseJSON(table_data_str); var editTable = new EditTable('edit_table', table_data); editTable.render(); </script> |