summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDylan Hardison <dylan@mozilla.com>2016-03-01 14:14:26 +0100
committerDylan Hardison <dylan@mozilla.com>2016-03-01 14:22:04 +0100
commit085c24c80c6a79f21aba768bf16955685dcc47b7 (patch)
tree5c23f767a81b5fcd64adb89d4f74d5e320a053ef
parente5b9aa6ef469adb5db2ff4b7575342bd79fd450a (diff)
downloadbugzilla-085c24c80c6a79f21aba768bf16955685dcc47b7.tar.gz
bugzilla-085c24c80c6a79f21aba768bf16955685dcc47b7.tar.xz
Bug 1252210 - AntiSpam configuration is vulnerable to CSRF and persistent XSS
-rw-r--r--extensions/EditTable/Extension.pm5
-rw-r--r--extensions/EditTable/template/en/default/pages/edit_table.html.tmpl4
2 files changed, 8 insertions, 1 deletions
diff --git a/extensions/EditTable/Extension.pm b/extensions/EditTable/Extension.pm
index a10a30e57..675b3fe90 100644
--- a/extensions/EditTable/Extension.pm
+++ b/extensions/EditTable/Extension.pm
@@ -23,6 +23,7 @@ use base qw(Bugzilla::Extension);
use Bugzilla::Error;
use Bugzilla::Hook;
+use Bugzilla::Token;
use Bugzilla::Util qw(trick_taint);
use JSON;
use Storable qw(dclone);
@@ -86,6 +87,9 @@ sub page_before_template {
my $data = $input->{table_data};
my $edits = [];
if ($data) {
+ check_hash_token($input->{token}, [$table_name]);
+ delete_token($input->{token});
+
$data = from_json($data)->{data};
$edits = dclone($data);
eval {
@@ -170,6 +174,7 @@ sub page_before_template {
$vars->{table_name} = $table_name;
$vars->{blurb} = $table->{blurb};
+ $vars->{token} = issue_hash_token([$table_name]);
$vars->{table_data} = to_json({
fields => \@fields,
id_field => $id_field,
diff --git a/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl b/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl
index d81291640..98a8f4184 100644
--- a/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl
+++ b/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl
@@ -30,12 +30,14 @@
onsubmit="editTable.to_json('table_data')">
<input type="hidden" name="id" value="edit_table.html">
<input type="hidden" name="table" value="[% table_name FILTER html %]">
+<input type="hidden" name="token" value="[% token FILTER html %]">
<input type="hidden" name="table_data" id="table_data">
<input type="submit" value="Commit Changes" id="commit_btn" class="bz_default_hidden">
</form>
<script>
- var table_data = [% table_data FILTER none %];
+ var table_data_str = "[% table_data FILTER js %]";
+ var table_data = $.parseJSON(table_data_str);
var editTable = new EditTable('edit_table', table_data);
editTable.render();
</script>